
Privacy Roundup: Week 5 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 26 JAN 2025 - 1 FEB 2025. Information and summaries provided here are as-is, without warranty.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things may overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Buying something online? Double check you're not automatically opted in to marketing emails before finalizing your order. Consider using a masked email for your purchase.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
California Law Enforcement Misused State Databases More Than 7,000 Times in 2023
EFF
Of the 7,275 records of violations across California reported to the state's Department of Justice, 6,789 of the abuse cases were committed by the Los Angeles County Sheriff's Department (LACSD). These violations specifically concern a rule against searching databases to run background checks for concealed carry firearm permits.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.
Privacy Tools
Adding more security to Bitwarden user accounts
Bitwarden
Starting in February 2025, for accounts that do not have 2FA enabled, Bitwarden will start sending OTP codes to user emails in the event an unrecognized device logs into the vault.
Privacy Services
A Synchronized Start for Linked Devices
Signal
Signal introduces the ability to sync/transfer messages to other linked devices. The process is end-to-end encrypted.
For privacy: Change of our refund policy from 30 to 14 days
Mullvad
To reduce the retention of user data, Mullvad has changed its refund policy from 30 to 14 days.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Apple’s latest patch closes zero-day affecting wide swath of products
Cyberscoop
Apple has released iOS 18.3, which comes with numerous security fixes. This includes a fix for a zero-day, tracked as CVE-2025-24085; it is a use-after-free memory vulnerability in CoreMedia. When exploited, it could allow installed malicious applications to elevate their privileges.
iOS 18.3 also enables Apple Intelligence for users by default.
OAuth Flaw Exposed Millions of Airline Users to Account Takeovers
darkreading
A major provider of online travel services, including hotels, car rentals, and flight bookings, had misconfigured its OAuth authentication flow.
This flaw, which allowed attackers to redirect entered credentials to a server under their control, could enable account takeovers, giving the attacker full access to a victim's stored information - which for airlines would include personal information alongside rewards and mileage data. It could be exploited by sending users a malicious link that appears to be genuine.
The vulnerability is fixed as of writing.
Apple chips can be hacked to leak secrets from Gmail, iCloud, and more
ArsTechnica
Newer Apple chips, which power the latest releases of iPhones and Macs, are vulnerable to side channel attacks. In most cases (including this one), the side channel attacks target a chip's use of speculative execution. The attack relies on certain conditions being met, such as the user running the precise combination of device/chip/browser that is affected.
Infrastructure Laundering: Blending in with the Cloud
Krebs on Security
This isn't a vulnerability, but rather an interesting look at how threat actors abuse cloud service providers such as AWS and Microsoft to host their infrastructure - which can include phishing pages, illegal gambling sites, scams, and pages used to serve malware.
Threat Actors Target Public-Facing Apps for Initial Access
Infosecurity Magazine
This may be especially relevant for app developers/maintainers and those who self-host on the public cloud. In Q4 of 2024, Cisco Talos observed threat actors increasingly exploiting public-facing web apps and services to gain initial access to a network.
Malware
New Syncjacking attack hijacks devices using Chrome extensions
Bleeping Computer
Syncjacking is a multi-phase attack that originates with the threat actor creating a malicious Google Workspace domain; the threat actor then publishes a seemingly useful (but actually malicious) extension to the Chrome Web Store.
Upon opening a legitimate Google support page, the extension injects content into the page, abusing its read/write permissions. It encourages the user to enter their credentials, and when they do so, all the stored data is accessible to the attacker.
Subsequently, with the profile hijacked, the attackers could then take over the browser using another legitimate link, which turns malicious because of the read/write capability (and thus, content injection) of the installed extension. With the browser compromised, attackers could then abuse Chrome's Native Messaging API to communicate with the operating system.
WhatsApp says it disrupted a hacking campaign targeting journalists with Paragon spyware
TechCrunch
Meta (who owns WhatsApp) disrupted a hacking campaign targeting approximately 90 users - most of them being journalists. The hacking campaign used malicious PDFs sent via WhatsApp groups to compromise targets with Paragon spyware.
While this campaign was extremely targeted, I included it because it highlights the importance of vigilance when using messaging platforms; users should exercise caution when sent unsolicited links or attachments.
North Koreans clone open source projects to plant backdoors, steal credentials
The Register
A large-scale supply chain attack by North Korean APT group "Lazarus" involved cloning legitimate open source software, inserting backdoors, and then hosting/sharing the malicious versions on platforms like GitLab. The goal appeared to be stealing credentials, authentication tokens, and other sensitive information.
Hackers are hijacking WordPress sites to push Windows and Mac malware
TechCrunch
Threat actors exploit outdated versions of WordPress and WordPress plugins to modify websites - some of which are high-ranking in search engines and/or popular - to potentially deliver information stealers to unsuspecting users. There is evidence this is a large campaign that doesn't target any websites in particular, but the campaign seems to focus on delivering information stealers to Windows (SocGholish) and Mac (Amos Atomic Stealer) users.
ClickFix vs. traditional download in new DarkGate campaign
MalwareBytes
Apparently, threat actors do A/B testing of conversions (malware downloads) as well; MalwareBytes discovered a campaign impersonating Notion using two distinct methods - ClickFix and "traditional downloading" - to infect users with DarkGate, a malware loader. This campaign used malvertising via Google Ads to increase the chances users would interact and potentially download/install the malware.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
DeepSeek’s popularity exploited by malware peddlers, scammers
HelpNet Security
Threat actors have been taking advantage of the sudden massive rise in popularity and interest of Chinese AI platform DeepSeek. Threat actors impersonate the DeepSeek brand via fake apps, web pages, and browser extensions in order to load malware onto users' devices and/or peddle scams.
Hidden in Plain Sight: PDF Mishing Attack
Zimperium
A large-scale campaign (over 20 malicious PDF files and 630 phishing pages) appeared to exclusively target mobile devices in order to deliver malicious PDFs. This campaign primarily impersonates the United States Postal Service (USPS) and uses a novel obfuscation technique to deliver its payload.
Microsoft advertisers phished via malicious Google ads
MalwareBytes
If you remember in Week 4 of the Privacy Roundup, MalwareBytes reported a malicious Google Ads campaign targeting Google Advertisers in order to hijack their accounts so they could push more malicious Ads in Google's ecosystem. Turns out there is a similar campaign designed to phish the credentials of Microsoft Ads/Bing Ads account holders; threat actors are impersonating Microsoft in Google Search Ads, using various techniques such as cloaking and white pages to evade detection.
Threat Actors Exploit Government Website Vulnerabilities for Phishing Campaigns
Cofense
Threat actors abuse the .gov top-level domain ultimately to phish users out of their credentials and personal information. Many of these .gov domains have open redirects, which threat actors abuse to forward users to web pages impersonating government agencies.
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service provider's privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affecting a large number of users.
Google Play will now verify VPNs that prioritize privacy and safety
The Verge
In an effort to promote more transparency and security in the Play Store, Google has introduced a verification process/badge for VPN apps. To qualify, VPN apps must complete MASA Level 2 validations, have at least 10k installs, have at least 250 reviews, be published on Google Play for at least 90 days, disclose how they collect user data, and opt in to independent security reviews.
January Windows 10 preview update force installs new Outlook
Bleeping Computer
Windows 10 users who install January 2025's KB5050081 non-security preview update will be forced to have the "new Outlook." The new Outlook client will run alongside the legacy one. According to Microsoft, since Windows 10 reaches EOL in October 2025, this is to "help simplify the transition to Windows 11..."
Legislation/Regulations/Lawsuits
Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
Lawsuit accuses Amazon of secretly tracking consumers through cellphones
Reuters
Amazon is facing a lawsuit alleging that it secretly collected location data through users' cellphones and sold that data. Specifically, it alleges that Amazon provided app developers with Amazon Ads SDK so that they could embed it in their apps to collect this location data.
Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure
Fedscoop
According to the lawsuit, OPM did not perform a privacy impact assessment of its on-premises email server; the email server in question stores response information and other PII. Additionally, the lawsuit alleges that a chief information officer or equivalent has not signed off on an assessment.
$45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks
ClassAction.org
MGM will pay a $45 million settlement to resolve class action lawsuits over data breaches that occurred in July 2019 and September 2023.
Legislation and Regulation
Texas Governor Orders Ban on DeepSeek, RedNote for Government Devices
SecurityWeek
Texas governor bans Chinese-owned DeepSeek, RedNote, and Lemon8 apps from Texas state-issued devices.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
Mega Data Breaches Push US Victim Count to 1.7 Billion
Infosecurity Magazine
This is not a single data breach. The non-profit Identity Theft Resource Center (ITRC) indicates that the data breaches of 2024 resulted in over 1.7 billion US breach victim notifications.
Note: There aren't 1.7 billion US citizens. A lot of these breaches have had overlapping victims; the research states that 1.73 billion breach notifications were given.
Ransomware attack disrupts New York blood donation giant
Bleeping Computer
The New York Blood Center suffered a ransomware attack from an unknown (at time of writing) threat actor. The New York Blood Center is one of the world's largest independent blood collection/distribution organizations.
Currently, the investigation is still ongoing, and the organization hasn't indicated what information was compromised. Given the potential scale of the breach, I included this here for your situational awareness - in most ransomware cases, personal information is stolen and may be leaked/sold later on.
PowerSchool begins notifying students and teachers after massive data breach
TechCrunch
Continuation of the PowerSchool data breach saga. Edtech giant PowerSchool has started giving notice to individuals affected by the DEC 2024 data breach. Total affected is unknown as of writing, however, evidence points to millions of students confirmed affected. Data compromised varies.
Community Health Center Data Breach Affects 1M Patients
darkreading
Community Health Center (CHC) suffered a breach in which the unknown (at time of writing) threat actor stole PII of over a million patients. Data compromised includes:
- Names
- DOBs
- Addresses
- Phone numbers
- Emails
- Medical information (diagnoses, treatment details, test results)
- SSNs
- Health insurance information
CHC has started giving notification to affected patients.
Data leaks
DeepSeek exposed internal database containing chat histories and sensitive data
TechCrunch
Wiz Research discovered a misconfigured back-end database belonging to Chinese AI company DeepSeek. The exposed database was not password protected and leaked potentially sensitive data, such as user chat histories and API keys.
AngelSense exposed location data and personal information of tracked users
TechCrunch
AngelSense provides location monitoring technologies (ex: GPS trackers and location monitoring) for people with disabilities. The company left an internal database exposed to the internet without a password. The database was in active use, storing real-time logs from an AngelSense system. The information exposed includes personal information of AngelSense customers - such as names, addresses, GPS coordinates of monitored people, email addresses, authentication tokens, and more.