Privacy Roundup: Week 3 of Year 2025

This is a news item roundup of privacy or privacy-related news items for 12 JAN 2025 - 18 JAN 2025. Information and summaries provided here are as-is for warranty purposes.

Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

Surveillance Tech in the News

This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge, or public organizations using technology without regard for user privacy.

May also include threat actors abusing legitimate technology - which of itself may have nothing to do with user privacy - to gather information or otherwise target users.

How cars became the worst product category for privacy

Session

Covers the extensive data collection (and subsequent sharing with car manufacturers and their affiliates) enabled by modern vehicles; what they collect goes well beyond location data.

Inside the Black Box of Predictive Travel Surveillance

Wired

Covers the use of powerful surveillance technology in predicting who might be a "threat."

FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices

Federal Trade Commission

The FTC launched a "surveillance pricing market study" which found that specific captured details and data are used to target consumers with different prices for the same goods and services.

Companies regularly use people's personal information to set tailored prices. This personal information can range from demographics, to mouse movements on a web page, to a person's location.

The study is still ongoing.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes major updates to recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools


Bitwarden releases native Android app

AlternativeTo

Bitwarden has made its native Android app "generally available" for download on the Google Play Store.

Privacy Services


Introducing Labels: A new era of email organization at Tuta Mail

Tuta

Tuta introduces "labels," an organization feature long requested by its users.

Brave Search now offers real-time blockchain data results with unmatched privacy

Brave

Brave adds privacy-preserving querying for real-time blockchain data results to its Brave Search service.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities


Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)

Tenable

First Patch Tuesday of 2025 from Microsoft. Three CVEs were exploited in the wild and five were publicly disclosed (but not expressly observed being exploited in the wild).

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are elevation of privilege (EoP) vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP) and were exploited in the wild as zero-days. These probably don't affect most users reading this.

CVE-2025-21308. This is probably the CVE most users should tune into. It is a spoofing vulnerability affecting Themes in Windows. Successful exploitation requires social engineering users into manipulating a specially crafted file. Publicly disclosed, but not observed exploited in the wild at the time of publication of this post.

Under the cloak of UEFI Secure Boot: Introducing CVE-2024-7344

welivesecurity (ESET)

CVE-2024-7344. A UEFI application signed with a Microsoft certificate could bypass Secure Boot. This could result in the execution of code during system boot, defeating the purpose of Secure Boot - which could include loading near-undetectable malware such as rootkits.

While there is a list of vulnerable software products, threat actors could deploy their own copy of the vulnerable reloader.efi binary on any system with the affected Microsoft certificate installed.

Microsoft revoked the certificates with the January 2025 Patch Tuesday updates.

Malware


Browser-Based Cyber-Threats Surge as Email Malware Declines

Infosecurity Magazine

According to research from the 2024 Threat Data Trends report by the eSentire Threat Response Unit, browser threats (such as drive-by downloads and malvertising) increased; these techniques are in turn used to deliver malware such as information stealers. Approximately 70% of observed malware cases in 2024 derived from browser-based malware.

Cyberattackers Hide Infostealers in YouTube Comments, Google Search Results

darkreading

According to researchers from Trend Micro, threat actors have been uploading video guides for installing cracked software to YouTube. These video guides function as the initial lure; they then share links to fake downloaders for the cracked software, which actually drop information stealers onto the device.

This campaign exploits the inherent trust users have when visiting extremely popular and reputable sites that host/share primarily user-generated content - such as YouTube, GitHub, and Reddit. Similar campaigns on these sites have been observed in recent years.

DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers

TechCrunch

The PlugX malware, used by a PRC-linked APT dubbed "Twill Typhoon" or "Mustang Panda," had infected millions of computers since at least 2014. The FBI, working with French authorities, removed the malware from approximately 4,200 infected hosts in the US (and 3,000 in France).

Hackers Use Image-Based Malware and GenAI to Evade Email Security

Infosecurity Magazine

Malicious code is embedded in image files; when the images are downloaded from well-known websites, they may bypass email security controls. A particular campaign abusing this has been dropping information stealers and keyloggers; specifically, the campaign attempts to drop 0bj3ctivityStealer and VIP Keylogger.

Additionally, threat actors have been using HTML smuggling to deliver XWorm malware. The XWorm malware family is typically used as a remote access trojan (RAT) or information stealer.

Phishing and Scams

Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap somewhat with malware, but focuses more on the phishing tactics than on the details of malware delivery or campaign information.

Phishing


Chinese Innovations Spawn Wave of Toll Phishing Via SMS

Krebs on Security

China-based (though not specifically attributed to the PRC as of writing) threat actors have launched a massive smishing (SMS phishing) campaign targeting toll users. They are mimicking toll road operators such as E-ZPass, SunPass, and EZDriveMA, among others, to phish for payment-related information (think: billing addresses past and present, card numbers, expiration dates, etc.).

Phishing texts trick Apple iMessage users into disabling protection

Bleeping Computer

Threat actors are crafting phishing texts designed to get a target to respond; if a user responds, Apple's built-in phishing protection is automatically disabled for that sender, which re-enables the malicious links in the message.

Microsoft catches Russian state-sponsored hackers shifting tactics to WhatsApp

Cyberscoop

The Russian state-sponsored APT "Star Blizzard" (as tracked by Microsoft) launched a phishing campaign, observed in November 2024, designed to ultimately gain access to targets' WhatsApp messages. They sent messages containing a deliberately broken QR code, followed by a malicious link.

Keep in mind these tactics could work just as reliably on other messaging platforms. Users are advised to refrain from clicking on unsolicited links (even from people you know, as their account could be hijacked) or scanning random QR codes.

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Malwarebytes

This is Google Ads malvertising inception. In this campaign, threat actors use malicious Google Ads (commonly found in the Google Search "Sponsored" results section) to redirect to fake login pages for Google Ads; the threat actors are specifically phishing for the credentials of users with Google Ads accounts... likely to buy even more ad space for malicious campaigns!

Service Providers' Privacy Practices

This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.

Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes that positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affect a large number of users.

Negative changes


Opting Out of Gmail's Gemini AI Summaries Is a Mess. Here's How to Do It, We Think

404media

On 15 JAN 2025, Google announced it would be incorporating various Gemini capabilities into Workspace by default - something usually for business or enterprise use. However, I am including it here as some small businesses may use Google Workspace (or you may be affected at your employer, who may use it). According to 404media, attempting to opt out of this is cumbersome and unclear.

Legislation/Regulations/Lawsuits

Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.

Lawsuits


Allstate car insurer sued for tracking drivers without permission

Bleeping Computer

The Texas Attorney General filed a lawsuit against Allstate and its data subsidiary Arity for collecting, using, and selling driver data from over 45 million US persons without their knowledge or consent. Allegedly, the two companies paid app developers in "widely used" mobile apps to gather location and movement data of users.

Allstate also allegedly purchased location data from car manufacturers such as Jeep, Toyota, Mazda, and Dodge.

GDPR complaints filed against TikTok, Temu for sending user data to China

Bleeping Computer

Non-US related, but still interesting. The non-profit privacy advocacy group "None of Your Business" (noyb) filed complaints against TikTok, AliExpress, SHEIN, and Temu, among other Chinese companies, alleging they unlawfully transferred European users' data to China - violating the EU's GDPR.

Legislation and Regulation


FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data

Federal Trade Commission

FTC updates COPPA to:

  • Require opt-in consent for targeted advertising and other disclosures to third parties. Specifically, parents must opt-in to third-party advertising.
  • Limit data retention.
  • Increase Safe Harbor programs' transparency.

FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data

Federal Trade Commission

The FTC will ban Gravy Analytics and its subsidiary, Venntel, from selling "sensitive location data" except in limited cases involving national security or law enforcement requests.

Context: Gravy Analytics was breached by threat actors, who leaked millions of location data points collected from millions of unsuspecting users' mobile devices. Gravy Analytics engaged in rather shady behavior to collect these data points, such as taking advantage of the real-time bidding process of programmatic and targeted advertising in mobile apps.

FTC Takes Action Against GoDaddy for Alleged Lax Data Security for Its Website Hosting Services

Federal Trade Commission

The FTC accuses GoDaddy of unreasonable security practices since at least 2018, including failing to:

  • Update vulnerable software
  • Assess risks to its shared hosting services
  • Log and monitor security-related events
  • Segment shared hosting from less-secure environments

The FTC also alleges GoDaddy misled customers about the security of its services by claiming it was in compliance with various frameworks.

FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data Without Consent

Federal Trade Commission

The FTC bans General Motors and OnStar from sharing location data and driver behavior data with consumer reporting agencies. The FTC alleges this data was collected without "affirmative consent." This data has been used to set insurance rates (usually resulting in hikes).

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.

Will not cover every data breach, naturally, due to frequency and scale.

Data breaches


Experimenting with Stealer Logs in Have I Been Pwned

HaveIBeenPwned

This is not a data breach, but since HaveIBeenPwned is a widely used data breach database, it has been included here.

The popular data breach database, HaveIBeenPwned, is finally experimenting with loading information stealer logs into its database; email addresses found in stealer logs can be queried in HIBP to discover which websites they've had credentials exposed against. Querying this requires verifying ownership of the email address via HIBP's notification service.

PowerSchool data breach victims say hackers stole ‘all’ historical student and teacher data

TechCrunch

This is a development in the PowerSchool data breach saga. Some customers (school districts) affected by this breach stated that the threat actors accessed all "historical student and teacher data." Some customers are accusing PowerSchool of failing to take basic measures in securing affected systems.

Additionally, the data breach reportedly affects former customers of PowerSchool.

Wolf Haldenstein law firm says 3.5 million impacted by data breach

Bleeping Computer

It's advised that if you did business with Wolf Haldenstein - whether as a client, employee, contractor, etc. - you should inquire how this breach affects you.

Data compromised includes:

  • Full names
  • SSNs
  • Employees (?)
  • Identification numbers
  • Medical diagnoses
  • Medical claim information

Otelier data breach exposes info, hotel reservations of millions

Bleeping Computer

This breach originally occurred in July 2024, with the threat actors allegedly maintaining access to the Amazon S3 cloud bucket of Otelier, a hotel management platform, until October 2024.

According to Troy Hunt, the data has been loaded in Have I Been Pwned. Among the dataset are at least 1.3 million unique email addresses not already in Have I Been Pwned's breach database.

That's a wrap for this edition. Get notification of this post by subscribing to the RSS feed or signing up for the newsletter.
