
Privacy Roundup: Week 6 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 2 FEB 2025 - 8 FEB 2025. Information and summaries provided here are as-is, without warranty.
Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Make sure to clear your clipboard after copying sensitive information such as passwords.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
The biggest breach of US government data is under way
TechCrunch
This is included for the privacy and cybersecurity ramifications of departing from basic information security principles. DOGE's near-unfettered access to sensitive PII of tens of millions of Americans raises immense questions about whether the minimal security and privacy rules put in place are in fact being followed.
U.K. orders Apple to let it spy on users’ encrypted accounts
ArsTechnica
The UK government issued a secret order demanding Apple implement a backdoor to let it retrieve anything any Apple user has uploaded to the cloud. The demand implies circumventing even the protections introduced with Advanced Data Protection, or ADP (if enabled by a user), which provides "true" end-to-end encryption (where Apple doesn't hold the keys) for most data stored in iCloud.
Note: Not explicitly US-related, but given the UK's membership in the Five Eyes, Apple being a US company, and the EU's attempts to pass Chat Control over the last few years... this is certainly a news item worth paying attention to.
Spyware maker Paragon terminates contract with Italian government: media reports
TechCrunch
This campaign was included in Week 5 of the Privacy Roundup, where Meta disrupted a campaign on WhatsApp targeting approximately 100 users with Paragon spyware. Some of these users were journalists critical of the Italian government. Paragon terminated the contract with the Italian government on 5 FEB 2025, alleging it had "broken the terms of service and ethical framework it had agreed to..."
Additionally, among the targets there were users in Austria, Belgium, Cyprus, Czech Republic, Denmark, Germany, Greece, Latvia, Lithuania, the Netherlands, Portugal, Spain, and Sweden.
Note: While this doesn't have a US-nexus, this is something probably worth paying attention to...
Spyware maker Paragon confirms US government is a customer
TechCrunch
This came before some of the revelations in the news item immediately preceding this one, "Spyware maker Paragon terminates contract with Italian government: media reports." The key takeaway here is that Paragon Solutions has a subsidiary in the US and confirmed it licenses its technology to "the United States and its allies."
TSA’s airport facial-recog tech faces audit probe
The Register
Senators inquired whether these facial recognition systems were having any meaningful impact - reducing expenses, reducing wait times, stopping "terrorists" - beyond just being hi-tech "security theater." Consequently, the DHS Inspector General launched an audit of the TSA's use of facial recognition.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools
Firefox desktop 135.0 release notes
Mozilla
A bigger Firefox release (135) featuring progressive rollouts of optional AI chatbot access, credit card autofill, CRlite cert revocation checking, and incorporating safeguards for the history API to prevent abuse by websites.
This release also includes 11 security fixes: 7 classified as high, 4 as moderate, and 2 as low.
Open source YouTube client NewPipe releases v0.27.6 with some enhancements and bug fixes
AlternativeTo
This version fixes bugs such as HTTP 403 errors while playing videos and others which may prevent videos from loading.
Tails
Tails 6.12 has important security fixes, including preventing an attacker from monitoring Tor circuits when another application in Tails is hijacked, and preventing an attacker from changing Persistent Storage settings.
Using custom scriptlets to make the Web work the way you want
Brave
Brave introduces the ability for users to write and inject their own scriptlets into a web page for the Brave Browser (version 1.75).
Privacy Services
Mullvad VPN for Windows on ARM is here!
Mullvad
Mullvad VPN client is now available for Windows ARM desktops.
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Experts Flag Security, Privacy Risks in DeepSeek AI App
Krebs on Security
NowSecure conducted a privacy and security review of the DeepSeek iOS app, finding numerous concerns:
- The app collects significant information about the user's device, including the actual device name. NowSecure even comments that this is on "the edge of advanced device fingerprinting."
- The app disables App Transport Security (ATS), an iOS platform-level protection that prevents sensitive data from being sent over unencrypted channels... so it sends device information in the clear, available for anyone listening to read and modify.
- It could be sharing/exposing information of users... just in Week 5 of the Privacy Roundup, DeepSeek had an internal database exposed to the internet.
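One way to check for the ATS weakening NowSecure describes, as an added example that is not from the article or from NowSecure: the script below parses an app's Info.plist with Python's plistlib and reports global ATS opt-outs and per-domain cleartext exceptions. Both plists are constructed samples (assumed bundle IDs and domains), not DeepSeek's actual bundle.

```python
import plistlib

# Constructed sample (not DeepSeek's bundle): ATS switched off globally.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>
"""

# Constructed sample: ATS stays on; one legacy host gets a scoped exception.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.okapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Top-level ATS keys that switch the cleartext/TLS checks off app-wide.
GLOBAL_OPT_OUTS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsArbitraryLoadsForMedia")

def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return findings; an empty list means ATS is fully enforced."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_OPT_OUTS:
        if ats.get(key) is True:
            findings.append(f"global opt-out: {key}")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"cleartext HTTP allowed for {domain}")
        tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"weak minimum TLS ({tls}) for {domain}")
    return findings

if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST)):
        print(name, ats_findings(data) or ["ATS enforced"])
```

A global opt-out is the configuration the review flags; a scoped per-domain exception is the narrower form Apple's review process generally expects developers to justify.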
Stable Channel Update for Desktop
Google Chrome Releases
Chrome version 133 includes 12 security fixes, including a high severity use-after-free vulnerability in the V8 JavaScript engine (CVE-2025-0445).
Chromium forks should incorporate these security fixes as soon as possible. Users should check with the maintainer for any forks for status on releases.
7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine
ArsTechnica
This vulnerability was included in Week 4 of the Privacy Roundup. It bypassed Windows' Mark of the Web protections. It had been patched by the maintainer in November 2024, but 7-Zip doesn't auto-update, so users may have been exposed for longer. While we could easily assume cybercrime threat actors would take advantage of this, this specific case shows nation-state-backed APTs exploiting it in the wild.
Android security update includes patch for actively exploited vulnerability
Cyberscoop
This is the first Android security update of 2025. The January 2025 Android bulletin includes fixes for 47 security vulnerabilities.
CVE-2024-53104 is a vulnerability in the USB Video Class (UVC) driver in the Linux kernel that, when exploited, could enable privilege escalation, potentially allowing threat actors to execute arbitrary code. According to Google, this was being exploited in the wild in a targeted manner.
Note: Due to the nature of the Android ecosystem, most manufacturers are significantly slower in rolling out these security patches. Pixel users receive these patches quickly.
Netgear warns users to patch critical WiFi router vulnerabilities
BleepingComputer
Netgear has issued updates to firmware of various SOHO Wi-Fi router models, fixing a significant authentication bypass vulnerability.
Zyxel won’t patch newly exploited flaws in end-of-life routers
BleepingComputer
Public, in-the-wild exploitation of CVE-2024-40891 (command injection due to improper command validation) and CVE-2025-0890 (weak default credentials) targeting end-of-life Zyxel CPE series devices. Zyxel will not release security updates for these devices, citing that they are end-of-life; Zyxel recommends replacing them as quickly as possible.
AMD Patches CPU Vulnerability That Could Break Confidential Computing Protections
SecurityWeek
AMD released a fix for improper signature verification in the microcode patch loader of its CPUs. The flaw circumvents Secure Encrypted Virtualization (SEV) protections and could allow attackers to load malicious microcode.
Malware
iPhone apps found on App Store with malware that reads your screenshots for key data
9to5Mac
This has been dubbed "SparkCat" and is the first known instance of OCR spyware listed on the App Store.
Kaspersky researchers have discovered OCR-abusing malware on both the Apple App Store and Google Play Store. This malware uses OCR to read screenshots; specifically, in this campaign, it scanned users' photo libraries to search for cryptocurrency wallet seed phrases.
Some affected apps were listed by threat actors, circumventing Apple's guardrails for listing on the App Store. Other apps appeared to be compromised without the developer's knowledge.
Analysis of an advanced malicious Chrome extension
Almost Secure
More examination of malicious extensions in the Chrome Web Store. This post in particular focuses on a single extension that went to lengths to hide its malicious nature. Conveniently, after the author attempted contact with the extension developer, an update to the extension effectively removing the malicious functionality was released.
Go Module Mirror served backdoor to devs for 3+ years
ArsTechnica
For over 3 years, an unknown threat actor distributed a backdoored Go package through the Go Module Mirror by typosquatting the package/file name - it was highly similar to the legitimate package. The threat actor also abused the caching design of the Go Module Proxy service to continuously serve the malicious version.
AI Malware Dressed Up as DeepSeek Packages Lurk in PyPi
darkreading
Leveraging the immense popularity of DeepSeek in the last few weeks, threat actors are passing off malware (specifically, information stealers) as DeepSeek packages in package repositories such as PyPI.
University site cloned to evade ad detection distributes fake Cisco installer
Malwarebytes
In this particular campaign, threat actors leverage malvertising (specifically, Google Search Ads) and the cloning of a university website to target unsuspecting users with a fake Cisco AnyConnect download; the fake program loads NetSupport RAT onto the infected host.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
DeepSeek Phishing Sites Pursue User Data, Crypto Wallets
darkreading
Threat actors continue to leverage DeepSeek's immense popularity to stand up phishing sites designed to steal user data.
Cybercriminals Weaponize Graphics Files in Phishing Attacks
Infosecurity Magazine
Threat actors are increasingly using graphics files, such as SVG, to spread malicious links and malware and to bypass mail protection tools during email phishing attacks. SVG files are typically not considered a threat by many anti-spam tools; even when they are inspected, content scanning technology may still miss the malicious content contained inside the SVG file.
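An added example, not from the article or from any vendor's product: a gateway-side check that parses an SVG attachment and flags the features the piece describes (embedded scripts, event-handler attributes, outbound or javascript: links) so such files can be quarantined rather than waved through. Both SVGs are constructed samples using a reserved .invalid domain.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed: a plain icon, the kind of SVG a legitimate email might embed.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <circle cx="12" cy="12" r="10" fill="#4c8"/>
</svg>"""

# Constructed: an "invoice" SVG that is really a clickable lure with a script.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>console.log("loaded")</script>
  <a xlink:href="https://lure.example.invalid/login"><text y="20">Open document</text></a>
  <rect width="10" height="10" onclick="console.log('click')"/>
</svg>"""

def _local(name: str) -> str:
    """Strip an XML namespace prefix like {http://...}href down to 'href'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return reasons to quarantine the file; an empty list means none found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]  # malformed files deserve a look too
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ("script", "foreignobject", "iframe"):
            findings.append(f"active content: <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onclick, onload, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                url = urlparse(value.strip())
                scheme = url.scheme.lower()
                if scheme in ("http", "https"):
                    findings.append(f"outbound link to {url.netloc}")
                elif scheme in ("javascript", "data"):
                    findings.append(f"{scheme}: URI on <{tag}>")
    return findings

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, svg_findings(data) or ["clean"])
```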
Scams
New scams could abuse brief USPS suspension of inbound packages from China, Hong Kong
Malwarebytes
This week the US Postal Service (USPS) announced it would suspend inbound packages from China and Hong Kong. Almost the same day, it announced this would no longer be the case. Malwarebytes warns this insanely quick 180 could be leveraged by scammers - who regularly impersonate carriers such as the USPS, as well as UPS and FedEx.
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affecting a large number of users.
Rogue App or Safe? Unmasking Android System SafetyCore
TechWeez
This isn't a specific privacy change, but it's worth including here. In the last few weeks or so, users of Google Android devices have been reporting the sudden appearance of "Android System SafetyCore" on their devices. Apparently this app is authored by Google; it triggers content warnings to prevent displaying "explicit material" and integrates with SafetyNet and the Play Integrity API. It appears to be a progressive rollout.
New Outlook's security issues: Businesses should avoid switching!
Tuta
Microsoft is beginning to "force" the new Outlook client (originally released in 2022) on users and businesses alike. The new Outlook appears to route all messages through Microsoft's cloud servers, even if using non-Microsoft email accounts. Login credentials are also stored in Microsoft's cloud rather than locally.
Cloudflare is making it easier to track authentic images online
The Verge
Cloudflare has launched a feature to help users "quickly verify the authenticity of online images." In doing so it has adopted the Content Credentials system, which attaches a metadata tag to images and video to track who owns them and whether they have been manipulated.
This isn't an explicit privacy change, per se. But given how many websites use Cloudflare - Cloudflare's own estimates claim it sees 20% of the world's internet traffic - this could have some implications.
PyPI adds project archiving system to stop malicious updates
Bleeping Computer
PyPI's introduction of "Project Archival," which allows publishers to archive their projects, seeks to improve the security of the supply-chain. A common technique to spread malware involves threat actors hijacking developer accounts and pushing updates containing malicious code, such as information stealers and backdoors, to abandoned projects.
Legislation/Regulations/Lawsuits
Predominately focused on legal/regulation privacy practices outlined in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
Coalition of US states to file lawsuit after Musk’s DOGE gains access to Americans’ personal data
TechCrunch
Many US states have their own privacy laws, despite the US federal government failing to pass any blanket privacy legislation (outside of special cases such as HIPAA, etc). A coalition of states plan to sue in response to Elon Musk's DOGE team gaining access to federal systems containing sensitive PII of millions of Americans.
The Register
This is part of the Gravy Analytics saga. Gravy Analytics is being sued yet again for failing to protect personal data - most notably, the tens of millions of device location records it scraped from real-time ad bidding.
Legislation and Regulation
Key Issues Shaping State-Level Tech Policy
EFF
In 2024, more US States began passing "privacy laws" or enacting stronger protections (such as right to delete/forget) for their populations. In this aspect they are far ahead of the US federal government in addressing consumer-level privacy issues.
This is a look-back on key issues such as privacy, private right of action, right to delete and how they could shape digital rights legislation on the state-level in 2025.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
Grubhub serves up security incident with a side of needing to change your password
The Register
Grubhub, a popular US-based food and grocery delivery platform, has suffered a breach stemming from a security incident at a third-party service provider. While GrubHub didn't disclose the third-party service provider, it indicated it was a service provider for their support team; my guess is it's their ticketing system.
It's unclear (at time of writing) how many users, merchants, and drivers' personal data were compromised. Additionally, data accessed for individuals varies. Compromised data includes:
- Names
- Email addresses
- Phone numbers
- Card type and last 4 digits of card number
- Hashed passwords
Data leaks
Teen Mental Health App Sent Kids’ Data Straight to TikTok
Gizmodo
Talkspace, a telehealth company, was contracted by NYC to provide free online therapy to teens. However, a tracking pixel on the "NYC Teenspace" site reportedly leaked personally identifiable information to social media giants - such as TikTok, Meta, Google, Twitter, and Reddit, among others. This also affected landing pages for other cities (Baltimore and Seattle).