Privacy Roundup: Week 2 of Year 2025

This is a roundup of privacy and privacy-related news items for 5 JAN 2025 - 11 JAN 2025. Information and summaries provided here are as-is, without warranty.

Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity. Many things overlap; for example, major vulnerabilities in popular software may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches expose significant personal information.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

Privacy Tools and Services

Primarily covers tools and services focused on maintaining, improving, or respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming or other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Services

Quantum-resistant tunnels are now the default on desktop

Mullvad

As of the 2025.2 desktop release, quantum-resistant WireGuard tunnels are enabled by default on all desktop platforms (macOS, Windows, Linux).

Proton Mail still down as Proton recovers from worldwide outage

Bleeping Computer

Past event (presumed resolved).

On 9 JAN 2025, Proton appeared to suffer an outage significantly affecting availability of most of their services. According to Proton, service was restored on the same day at approximately 1327 (ET).

Matrix.org to retire guest accounts and introduce MAS authentication

AlternativeTo

The matrix.org home server will disable guest accounts and introduce the Matrix Authentication Service (MAS), which aims to relieve client developers of having to include support for every authentication method.

Service Providers' Privacy Practices

This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.

Service providers listed here are not necessarily "privacy-focused," but may have made privacy practice changes that positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affect a large number of users.

Negative changes

Telegram Hands U.S. Authorities Data on Thousands of Users

404media

According to numbers reported by Telegram in its transparency report, the service fulfilled 900 requests from the US government, affecting 2.2k users. The released data indicates that fulfilled requests skyrocketed from October to December. These requests appear to generally involve sharing IP addresses and/or phone numbers.

Users are reminded that Telegram does not use end-to-end encryption by default, instead storing messages in the cloud. For messaging, it is generally recommended to use messaging platforms that enable and use end-to-end encryption by default. Ideally, users would use end-to-end encrypted messaging platforms that expose minimal metadata to the routing servers, if any.

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

404media

Note: This isn't a privacy change by apps displaying programmatic advertising; rather, it is a revelation of how location data companies may acquire user location data using shady tactics.

This revelation stems from the hack of shady location data company Gravy Analytics.

In the past, location data companies typically approached app developers and offered payment to include code enabling the company to gather user data. However, the rise and prevalence of Real-Time Bidding (RTB) has eroded user privacy further: during the bid stream, potential advertisers receive user profiles (which may contain data such as location, advertising ID, device information, etc.) to determine whether an ad is shown. Data brokers have been "spying" on this process, harvesting user location data.

What has ended up happening is that the app itself, as coded by the developer, does not collect this data directly... but if it displays programmatic ads, it may be sharing user data anyway.

Bonus: The EFF has a great explainer on the significant privacy threat posed by the current state of real-time bidding employed by many programmatic advertisers.
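As an added example (not from the article, 404media, or the EFF), the Python below shows which fields of an OpenRTB 2.x bid request typically carry the location and identifier data described above, and how a publisher- or exchange-side filter could flag and strip them before the request is broadcast to bidders. The sample request is constructed for this example, and the list of sensitive paths is an illustrative assumption rather than a complete inventory.

```python
"""Illustrative OpenRTB bid-request privacy check.

Added example, not code from the article or from any ad-tech vendor. It flags
the bid-request fields that expose precise location, advertising IDs, and
network identifiers (the data the article says brokers harvest from the bid
stream) and produces a redacted copy that keeps only coarse geography.
"""
import json

# OpenRTB 2.x field paths that commonly carry location or identifier data.
# This list is an assumption for illustration; real deployments vary.
SENSITIVE_PATHS = {
    "device.geo.lat": "precise latitude",
    "device.geo.lon": "precise longitude",
    "device.geo.zip": "postal code",
    "device.ifa": "advertising ID (IDFA/GAID)",
    "device.ip": "IPv4 address",
    "device.ipv6": "IPv6 address",
    "device.ua": "user agent (device fingerprinting)",
    "user.id": "exchange user ID",
    "user.buyeruid": "buyer-side user ID",
}

# Constructed sample bid request; every value is fake.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "req-0001",
    "imp": [{"id": "1", "banner": {"w": 320, "h": 50}}],
    "app": {"bundle": "com.example.game", "name": "Example Game"},
    "device": {
        "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
        "ip": "198.51.100.23",
        "ifa": "00000000-1111-2222-3333-444444444444",
        "geo": {"lat": 37.7749, "lon": -122.4194, "zip": "94103", "country": "USA"},
    },
    "user": {"id": "u-abc123"},
})


def _locate(obj, parts):
    """Return (parent_dict, key) for a dotted path, or (None, None) if absent."""
    node = obj
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            return None, None
        node = node[part]
    if isinstance(node, dict) and parts[-1] in node:
        return node, parts[-1]
    return None, None


def find_sensitive_fields(bid_request_json):
    """Map each sensitive path present in the request to a short description."""
    req = json.loads(bid_request_json)
    found = {}
    for path, why in SENSITIVE_PATHS.items():
        parent, _ = _locate(req, path.split("."))
        if parent is not None:
            found[path] = why
    return found


def redact_bid_request(bid_request_json):
    """Return a copy of the request with sensitive fields removed.

    Coarse geography (device.geo.country) is kept so bidders can still apply
    country-level targeting; empty containers left behind are dropped.
    """
    req = json.loads(bid_request_json)
    for path in SENSITIVE_PATHS:
        parent, key = _locate(req, path.split("."))
        if parent is not None:
            del parent[key]
    for top in ("device", "user"):
        section = req.get(top)
        if isinstance(section, dict):
            if isinstance(section.get("geo"), dict) and not section["geo"]:
                del section["geo"]
            if not section:
                del req[top]
    return json.dumps(req, sort_keys=True)


if __name__ == "__main__":
    for path, why in find_sensitive_fields(SAMPLE_BID_REQUEST).items():
        print(f"exposed: {path:16} ({why})")
    print(redact_bid_request(SAMPLE_BID_REQUEST))
```

Running the script lists seven exposed fields in the sample (precise lat/lon, postal code, advertising ID, IP, user agent, and the exchange user ID) and prints a redacted request that retains the impression, app bundle, and country. The same check can be run against captured bid requests to audit what an SDK actually sends upstream.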

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Malware

Meet PhishWP – The New WordPress Plugin That’s Turning Legit Sites into Phishing Traps

SlashNext

PhishWP is a malicious WordPress plugin designed to steal payment information and 3D Secure one-time passcodes to bypass security protections for suspicious transactions. The plugin can deliver this information in near real-time to threat actors. PhishWP can collect payment information, such as:

  • credit card number
  • billing details
  • CVV
  • expiration date

It can also collect browser information such as IP address and user-agents to replicate user environments for future fraud.

Attackers may compromise a legitimate WordPress website and subsequently install this malicious plugin - or they may simply create convincing, fraudulent websites with the plugin installed and advertise them to unsuspecting users.

Scam Sniffer 2024: Web3 Phishing Attacks – Wallet Drainers Drain $494 Million

ScamSniffer

Research by ScamSniffer indicates that in 2024, a type of malware known as a "wallet drainer," used in some attacks, caused almost $500 million in losses. This is a 67% increase year-over-year, while the number of victims increased by 3.7%. The largest single theft was approximately $55.48 million.

Wallet drainers were primarily delivered to victims via phishing websites. The phishing websites primarily acquired traffic via hijacked Twitter and Discord accounts and scam ads.

Cracking the Code: How Banshee Stealer Targets macOS Users

Check Point

Banshee Stealer operates with extreme stealth, blending in with normal processes on macOS while stealing credentials stored in the browser, cryptocurrency wallet seeds, and sensitive file data, which it exfiltrates to the threat actors. A variant of Banshee Stealer appears to have "stolen" a string encryption algorithm from Apple's XProtect antivirus engine, potentially allowing the stealer to evade detection by antivirus engines for over two months.

Like many other information stealers, Banshee Stealer is commonly distributed via phishing websites, malicious GitHub repos, and via masquerading as "forked" versions of Chrome and Telegram.

While Banshee Stealer's source code has been leaked and presumably reverse engineered for better detection, variants could (and likely do) derive from the leaked source code.

Recruitment Phishing Scam Imitates CrowdStrike Hiring Process

CrowdStrike

Phishing emails claiming to be part of the CrowdStrike recruiting process contain links pointing to malicious websites. Downloading the fake "CRM application" in fact downloads an executable that fetches the XMRig cryptominer.

Phishing and Scams

Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap somewhat with malware, but focuses more on the phishing tactics than on the details of a malware delivery campaign.

Phishing

A Day in the Life of a Prolific Voice Phishing Crew

Krebs On Security

Organized threat actors are launching convincing vishing (voice phishing) attacks against selected targets. In these attacks, they employ social engineering tactics, "autodoxers" (which harvest leaked/available data about potential targets), and even abuse legitimate services and processes to add "credibility" to their vishing attacks.

Users should exercise extreme caution on any inbound call that applies pressure or otherwise invokes a sense of urgency. For example, if you receive an inbound call from your "bank" claiming that something is wrong with your account, general advice says to hang up and call the number for the bank listed on a trusted source (like a verified website or on the back of your card).

Violent Hackers Are Using U-Haul To Dox Targets

404media

Some threat actors are routinely "breaching" U-Haul - typically by phishing employees for their credentials - because of the non-public information U-Haul may hold on targets. This information could be used to launch spear-phishing attacks or dox targets.

Scams

Scammers Exploit Microsoft 365 to Target PayPal Users

Infosecurity Magazine

Threat actors abuse a Microsoft 365 feature to get "convincing" emails delivered to inboxes. In this case, the PayPal emails used the same template as a legitimate PayPal email, but the links within the message were malicious and designed to phish user credentials.

Legislation/Regulations/Lawsuits

Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.

Lawsuits

Apple says Siri isn’t sending your conversations to advertisers

The Verge

Note: This is not a new lawsuit.

After settling a $95 million lawsuit over Siri capturing conversations and making them available to third-party contractors, Apple claims that retained audio recordings from Siri were not shared with advertisers or data brokers.

EU court fines European Commission for breaching its own data privacy laws

TechCrunch

The fine was for around $410 USD. In a statement, the EU General Court said the European Commission violated a citizen's rights by transferring some personal data to the US without proper safeguards.

Washington sues T-Mobile over 2021 data breach that spilled 79 million customer records

TechCrunch

Washington state filed the lawsuit, alleging that T-Mobile "knew for years about certain cybersecurity vulnerabilities and did not do enough to address them." The Washington attorney general also claimed T-Mobile "omitted critical information and downplayed the severity" of the breach, ultimately providing inadequate notice to affected users.

Google loses in court, faces trial for collecting data on users who opted out

ArsTechnica

Google's motion to throw out a class action lawsuit, which alleges that Google continued to invade the privacy of users who had opted out of its logging of their web and app activity (the Web and App Activity setting), was rejected. The case will go to trial.

Legislation and Regulation

White House launches cybersecurity label program for consumers

Cyberscoop

The Cyber Trust Mark program is scheduled to roll out over the course of 2025.

The Cyber Trust Mark is best described as the "EnergyStar" rating for IoT devices. The program is voluntary for IoT manufacturers and aims to make it "easier" for regular end users to be aware of the security controls of their IoT devices; presumably, devices with the Trust Mark label meet minimum qualifications outlined by NIST.

FCC moves to tighten industry reporting rules for robocalls

Cyberscoop

The FCC wants voice service providers to prove they are trying to combat robocalling, primarily because robocalls frequently lead to scams. STIR/SHAKEN was enacted in 2021, but companies' compliance with it has allegedly come into question.

According to research conducted in 2022 by the National Consumer Law Center and the Electronic Privacy Information Center, US persons received more than 21 billion robocalls in 2021.

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.

Will not cover every data breach, naturally, due to frequency and scale.

Data breaches

PowerSchool says hackers stole students’ sensitive data, including Social Security numbers, in data breach

TechCrunch

US-based PowerSchool, an EdTech software company, suffered an extortion-only attack and paid an undisclosed (as of writing) financial sum to prevent publication of the stolen data.

According to PowerSchool, compromised data varies by affected customer (16k customers, 50 million students), but may include:

  • Social security numbers
  • Attendance
  • Medical information
  • Grades

Largest US addiction treatment provider notifies patients of data breach

Bleeping Computer

BayMark Health Services began sending notifications to patients who had their personal/health information stolen in a September 2024 breach. The number of affected users is undisclosed as of writing.

Compromised information varies by affected user and includes:

  • Social security numbers
  • Driver's license numbers
  • DOBs
  • Services received
  • Dates of service
  • Insurance Information
  • Treating provider
  • Treatment/diagnostic information

Cannabis company Stiiizy says hackers accessed customers’ ID documents

TechCrunch

Stiiizy suffered an alleged ransomware attack between 10 OCT 2024 and 10 NOV 2024. Compromised information includes:

  • driver's license information (likely the identifier number)
  • passport information
  • customer names
  • addresses
  • DOBs
  • transaction data
  • "other information"

Chinese hackers also breached Charter and Windstream networks

Bleeping Computer

Salt Typhoon, a PRC-linked APT group responsible for the extensive breach of the largest US telecommunications providers, also breached Charter and Windstream.

Data leaks

License Plate Readers Are Leaking Real-Time Video Feeds and Vehicle Data

Wired

Misconfigured automated license plate readers (ALPRs), manufactured by Motorola and Flock Safety, have leaked license plate data and real-time video feeds of traffic/roads in places where the cameras were set up.

That's a wrap for this edition. Get notification of this post by subscribing to the RSS feed or signing up for the newsletter.