Privacy Roundup: Week 13 of Year 2025


This is a news item roundup of privacy or privacy-related news items for 23 MAR 2025 - 29 MAR 2025. Information and summaries provided here are offered as-is, without warranty.

Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

You can get immediate notification of when this series is published (every Monday) by subscribing to the RSS feed or signing up for the newsletter.

Privacy Tip of the Week

Using a private search engine is a good way to begin improving your privacy. Private search engines generally avoid connecting users to their searches.

Surveillance Tech in the News


This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

Madison Square Garden’s surveillance system banned this fan over his T-shirt design

The Verge

This pretty much boils down to a company leveraging data aggregation (whether first-party or third-party, but likely both) to ban a fan for life from its venues. In other words, based on the data it had on this individual, the company determined it did not want him on its properties - even though he himself had never "done anything" on those properties.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools


“MyTerms” wants to become the new way we dictate our privacy on the web

ArsTechnica

"MyTerms" (draft standard IEEE P7012) is a proposed standard for machine-readable personal privacy terms. Generally speaking, you as the user could preset a "contract" for web properties you visit that informs the website which information you will and will not offer in exchange for access to content/services. The website would presumably be able to 1) work with that contract, 2) modify itself (or serve up an alternate version of itself) to meet the user's terms, and/or 3) tell you it can't meet the terms of the contract.

This is a large departure from things like Do Not Track (DNT) - DNT is a request sent via HTTP header that the website does not have to follow or even acknowledge. MyTerms is designed to be a demand versus a request.

Privacy Without Compromise: Proton VPN is Now Built Into Vivaldi

Vivaldi

Vivaldi integrates Proton VPN natively into the desktop version of its browser.

A smarter VPN experience: Introducing the Mozilla VPN extension for Windows

Mozilla

Mozilla has released a browser extension for its VPN service that reportedly lets users enable or disable the VPN for specific websites, or choose a different VPN server location. As of writing, this extension is for Firefox (or Gecko-based) installations on Windows.

Organic Maps update improves user navigation experience

AlternativeTo

Organic Maps, an alternative to Apple Maps and Google Maps, has introduced split screen mode, enhanced routing algorithms for cyclists, individual track sharing, and flexible route planning.

Messaging editing, deletion and saving now available

Deltachat blog

Deltachat has rolled out the ability for users to:

  • forward messages
  • edit and delete messages
  • sync messages across devices
  • save messages

Pale Moon browser now accessible via Microsoft Store

AlternativeTo

The Pale Moon browser is now available on the Microsoft Store. The browser also recently released version 33.6.1, which focuses on security and bug fixes.

Privacy Services


Ente Photos v1

ente blog

Ente has released version 1.0 of its photos app.

Proton Drive and Docs now support collaboration with users without Proton accounts

Proton

Proton users can now collaborate on documents with anyone -- including those without Proton accounts.

Successful security assessment of our Android app

Mullvad

Mullvad's Android app has successfully passed the Mobile Application Security Assessment (MASA), conducted by NCC Group.

Multihop now available on Android

Mullvad

Mullvad has introduced its server multihop feature to its Android client.

DAITA version 2 now available on all platforms

Mullvad

Mullvad has rolled out version 2 of its "Defense Against AI-guided Traffic Analysis" (DAITA) model. Version 2 reduces traffic overhead and introduces dynamic configurations that vary VPN tunnel characteristics.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities


Google Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2025-2783)

Qualys

Researchers at Qualys have discovered an actively exploited zero-day in Chromium. Tracked as CVE-2025-2783, this vulnerability, when exploited, could allow attackers to bypass Chromium's sandbox. Google has addressed this vulnerability in version 134.0.6998.177/.178 for Windows.

This vulnerability is not just limited to Chrome - it affects all Chromium-based browsers. Users running a Chromium fork (which includes popular browsers such as Brave and Vivaldi, among others) are also affected.

Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome

TechCrunch

Firefox version 136.0.4 fixes a vulnerability, tracked as CVE-2025-2857, that when exploited could lead to a sandbox escape. This vulnerability was exploited in the wild and only affects Firefox on Windows.

Note: This vulnerability is similar to a sandbox escape (CVE-2025-2783) for Chrome.

New Ubuntu Linux security bypasses require manual mitigations

Bleeping Computer

Three security bypass vulnerabilities have been discovered in Ubuntu's unprivileged user namespace restrictions. A local unprivileged user can create user namespaces with full administrative privileges. The local attacker could then exploit vulnerabilities in various kernel components.

Malware


Microsoft Trusted Signing service abused to code-sign malware

Bleeping Computer

Threat actors are abusing the Microsoft cloud service Trusted Signing to code-sign malware executables. Executables that are code-signed with this service are more likely to be ignored or otherwise "trusted" by endpoint protection software.

Typically, threat actors seek to obtain Extended Validation code-signing certificates, but obtaining those requires a stricter verification process; the code-signing certificates produced by Microsoft Trusted Signing work well enough for their purposes.

Infostealer campaign compromises 10 npm packages, targets devs

Bleeping Computer

At least ten npm cryptocurrency-related packages were updated to include malicious code designed to steal sensitive data from developers' systems.

Phishing and Scams

Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.

Phishing


Evilginx Tool (Still) Bypasses MFA

darkreading

Evilginx, a malicious version of the NGINX web server, can be used in machine-in-the-middle (MiTM) attacks to steal credentials and tokens. In practice, threat actors deploy malicious web pages leveraging Evilginx and use legitimate or legitimate-looking forms and images from reputable brands to steal user information -- which includes session cookies.

'Lucid' Phishing-as-a-Service Exploits Faults in iMessage, Android RCS

darkreading

Lucid is a China-based phishing-as-a-service platform. Prodaft researchers tracked Lucid impersonating at least 169 organizations and sending messages to targets spanning at least 88 different countries. Lucid's primary goal seems to be stealing credit card information.

Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

Bleeping Computer

On top of offering a centralized SMTP infrastructure to send spam emails, the ability to impersonate over 114 service providers, multi-language capabilities, and spoofing sender names/addresses, this service leveraged DNS-over-HTTPS (DoH) to evade detection. DoH provides DNS resolution via HTTPS requests, which can aid in bypassing DNS monitoring (standard queries are conducted in plain-text).
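To make the evasion point above concrete from the monitoring side, here is an added example (not code from the article or from the reported service) showing why a plain-text DNS monitor misses DoH traffic and what a proxy-log check can still see. DoH (RFC 8484) carries an ordinary DNS wire-format message inside an HTTPS request, either as a POST body or as a base64url `dns=` query parameter on a GET, with the media type `application/dns-message`. The `/dns-query` path is only a convention, so the detection keys on the media type and on a decodable `dns=` parameter rather than on the path. The log lines, hostnames and IPs are constructed for the example.

```python
import base64
import struct
from typing import Optional
from urllib.parse import parse_qs, urlparse

DOH_MEDIA_TYPE = "application/dns-message"  # RFC 8484 wire-format media type


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query in wire format (RFC 1035): header plus one question.
    RFC 8484 recommends transaction ID 0 for DoH so responses are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_dns_question(msg: bytes) -> tuple:
    """Return (qname, qtype) from the first question of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("message too short")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers do not belong in a query name
            raise ValueError("unexpected compression pointer")
        labels.append(msg[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", msg[pos : pos + 2])[0]
    return ".".join(labels), qtype


def b64url_decode(data: str) -> bytes:
    """RFC 8484 sends base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def classify_request(method: str, url: str, content_type: str) -> Optional[dict]:
    """Flag an HTTP request that looks like DoH and, for GET, recover the queried name."""
    parsed = urlparse(url)
    dns_param = parse_qs(parsed.query).get("dns", [None])[0]
    reason = "content-type" if content_type.lower() == DOH_MEDIA_TYPE else None
    if method.upper() == "GET" and dns_param:
        try:
            qname, qtype = parse_dns_question(b64url_decode(dns_param))
            return {"host": parsed.netloc, "reason": reason or "dns-param", "qname": qname, "qtype": qtype}
        except (ValueError, IndexError):
            pass  # not a decodable DNS message; fall through to the media-type verdict
    if reason:
        # POST bodies are not in the log, so the name stays unknown; the media type is the signal
        return {"host": parsed.netloc, "reason": reason, "qname": None, "qtype": None}
    return None


def scan_proxy_log(lines) -> list:
    """Constructed log format: '<client> <method> <url> <content-type>' per line."""
    findings = []
    for line in lines:
        client, method, url, ctype = line.split()
        hit = classify_request(method, url, ctype)
        if hit:
            hit["client"] = client
            findings.append(hit)
    return findings


# Constructed sample lines (hostnames and IPs are invented for this example).
_QUERY_B64 = base64.urlsafe_b64encode(build_dns_query("www.example.com")).rstrip(b"=").decode()
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET https://example.com/index.html text/html",
    f"10.0.0.7 GET https://doh.example/dns-query?dns={_QUERY_B64} application/dns-message",
    "10.0.0.9 POST https://resolver.example/dns-query application/dns-message",
    "10.0.0.5 GET https://example.com/api/dns-query-docs application/json",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The fourth sample line contains "dns-query" in its path but is not DoH, which is why a path-substring rule alone would produce false positives; conversely, a resolver served from any other path would be missed by such a rule but still caught by the media type. Note that this only works where a TLS-inspecting proxy logs the request; without that visibility, the query content is opaque, which is exactly the evasion the article describes.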

Service Providers' Privacy Practices

This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.

Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes affecting a large number of users, whether positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates).


Discord is bringing video ads to mobile users in two months

AlternativeTo

There's not an explicit privacy change here, but it is worth noting considering how privacy-invasive ads tend to be. Discord has announced it will roll out video ads ("Video Quests") to its mobile apps in JUN 2025. Discord claims the mobile ads will be "non-intrusive."

Exclusive: Google will develop the Android OS fully in private, and here's why

Android Authority

There is no specific privacy change for end users here, but this is something worth paying attention to. Google is shifting Android (including AOSP) to its own internal development branch. This does not mean Android is going "closed-source," but Google's development will be internal (not visible to the public) until it publishes the source code of the new branches.

Legislation/Regulations/Lawsuits

Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.

Lawsuits


T-Mobile Coughed Up $33 Million in SIM Swap Lawsuit

SecurityWeek

In this lawsuit, T-Mobile was sued on the basis that its lackluster security permitted threat actors to socially engineer T-Mobile employees into transferring phone numbers to a SIM card the threat actor controls. This particular attack targeted a user who held over $38 million worth of Bitcoin and Bitcoin Cash.

Legislation and Regulation


Texans Might Soon Have to Show Photo ID to Buy a Dildo Online

404media

This pretty much boils down to the Texas legislature considering a law that forces merchants to demand ID from users attempting to buy "questionable objects" online. However, it seems the law is written vaguely enough that it could extend beyond just sex toys.

This is a development of age verification laws, which are anti-user privacy - and in some cases, security, because many services or third parties mishandle the data given/used to verify user age.

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.

Will not cover every data breach, naturally, due to frequency and scale.

Data leaks


DNA of 15 Million People for Sale in 23andMe Bankruptcy

404media

This is another development in the now years-long saga including (and since) 23andMe's data breach in 2023, where the personal information (ethnic and profile information) of nearly 7 million users was exposed.

23andMe filed for bankruptcy on 23 MAR 2025. While we can say "good riddance," the main issue with this is... what will happen to user genetic information? If purchased in a firesale, it is presumed the purchasing party would have access to the immutable user genetic data stored/held by 23andMe. This development highlights the issues with data transfer between companies - especially sensitive data.

Shocking security breach by top Trump officials: Journalist accidentally added to classified US war chat plans on Yemen

mint

A member of the current administration sent classified information to a Signal group chat - which contained a reporter. This is a prime example of the importance of OpSec even when using end-to-end encrypted messaging tools.

That's a wrap for this edition. Get notification of this post by subscribing to the RSS feed or signing up for the newsletter.
