
Privacy Roundup: Week 7 of Year 2025
This is a news item roundup of privacy or privacy-related news items for 9 FEB 2025 - 15 FEB 2025. Information and summaries provided here are as-is, without warranty.
Note: You may see some traditional "security" content mixed-in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.
Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.
Privacy Tip of the Week
Try to remember to delete accounts you no longer need or use. The more accounts you have, the bigger your attack surface and your potential exposure to data breaches (every dormant account is another database your personal information can leak from). Tips for finding old accounts.
Surveillance Tech in the News
This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.
Google's reCAPTCHA is not only useless, it's also basically spyware
Techspot
This study demonstrates Google's reCAPTCHA v2 and v3 are flawed and don't actually keep out bots. The research also shows that reCAPTCHA relies on fingerprinting (collecting "user agent data and other identifying information") and shares this data with advertisers.
The Murky Ad-Tech World Powering Surveillance of US Military Personnel
WIRED
This is mostly a continuation of another WIRED article where they detailed how Ad-Tech got the personal information and location data of US military members stationed in Germany. This article reveals that a Lithuania-based business acquired this information but would not disclose how they obtained it specifically.
Revealed: gambling firms secretly sharing users’ data with Facebook without permission
The Guardian
The Meta Pixel strikes again. Gambling sites embed the Meta Pixel in their pages, so when users visit, data about them (and their activity on the site) is sent to Meta, which then serves them targeted ads. The users say they never opted into tracking; the Meta Pixel captured their information automatically and pushed it to Meta.
This primarily centers on the UK. However, given the prevalence of the Meta Pixel on many of the world's most popular websites, it's relevant enough to include here.
Privacy Tools and Services
Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but also may feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com
Privacy Tools
Proton Wallet brings safe Bitcoin self-custody to everyone
Proton
Proton has publicly released its self-custody Bitcoin wallet.
Introducing Bitwarden Cupid Vault to securely share (and unshare) passwords with loved ones
Bitwarden
Bitwarden already supports securely sharing passwords with other users. The Cupid Vault configuration follows the same approach, packaged for sharing a set of credentials with a partner or loved one, and removing their access again when needed.
Privacy Services
Mullvad has partnered with Obscura VPN
Mullvad
Mullvad announces its partnership with ObscuraVPN; Mullvad WireGuard VPN servers can be used as the exit hop for the two-party VPN service offered by ObscuraVPN.
Single sign-on (SSO) and password generator rules are now available for Proton Pass
Proton
Proton Pass now supports single sign-on and allows setting of password generator rules.
Kagi Search introduces Privacy Pass and Tor onion service for enhanced privacy & anonymity
AlternativeTo
Kagi launched a Tor onion service. Kagi also introduced Privacy Pass, which lets users prove to a server (like Kagi's) that they hold a valid subscription without revealing which account they are; tokens are issued to the authenticated account but redeemed anonymously, so searches should be unlinkable to accounts.
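To make the "issued to an account, redeemed anonymously" property concrete, here is an added toy implementation of the blind-signature idea behind Privacy Pass. This is not Kagi's code and not the RFC 9578 construction (which uses RSA-PSS encoding and proper key sizes); it uses textbook RSA blind signatures with small, hard-coded Mersenne primes so it runs offline. The account name and the issuer log are assumptions for the demonstration.

```python
import hashlib
import math
import secrets

# Toy issuer key pair. Both primes are well-known Mersenne primes, hard-coded
# only so the example is self-contained; a real issuer uses a generated
# 2048-bit-or-larger key. (Constructed values for this example.)
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(nonce: bytes) -> int:
    """Full-domain hash of the token nonce into [0, N). Textbook; the RFC uses PSS."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


def client_blind(nonce: bytes) -> tuple[int, int]:
    """Client hides H(nonce) under a random factor r before sending it to the issuer."""
    m = h(nonce)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N
    return blinded, r


def issuer_sign(blinded: int, account: str, issuer_log: list) -> int:
    """Issuer side. The account is authenticated (the subscriber's login session),
    but the issuer only ever sees the blinded value, which it records here."""
    issuer_log.append((account, blinded))
    return pow(blinded, D, N)


def client_unblind(blinded_sig: int, r: int) -> int:
    """Strip the blinding factor: (m*r^E)^D * r^-1 = m^D mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


def server_verify(nonce: bytes, sig: int) -> bool:
    """Redemption server checks the signature against the public key only."""
    return pow(sig, E, N) == h(nonce)


def redeem(nonce: bytes, sig: int, spent: set) -> bool:
    """Anonymous redemption: no account, just the token, plus double-spend protection."""
    if nonce in spent or not server_verify(nonce, sig):
        return False
    spent.add(nonce)
    return True


def demo(account: str = "alice") -> dict:
    issuer_log: list = []  # what the issuer can record at issuance time
    spent: set = set()     # redemption server's ledger of used nonces

    # 1. Issuance: authenticated subscriber obtains a token.
    nonce = secrets.token_bytes(32)
    blinded, r = client_blind(nonce)
    blinded_sig = issuer_sign(blinded, account, issuer_log)
    sig = client_unblind(blinded_sig, r)

    # 2. Redemption: the token is presented with no account information.
    valid = redeem(nonce, sig, spent)
    replayed = redeem(nonce, sig, spent)  # second use must be rejected

    # 3. Unlinkability: nothing the issuer logged equals what the server saw.
    seen = {b for _, b in issuer_log}
    linkable = h(nonce) in seen or sig in seen

    return {"valid": valid, "replay_rejected": not replayed, "linkable": linkable}


if __name__ == "__main__":
    print(demo())
```

The issuer authenticates the account but only sees `blinded`; the redemption server sees `(nonce, sig)` and can verify it with the public key alone. Because `blinded` is `H(nonce)` multiplied by a random `r^E`, the issuer cannot match its log entry to the redeemed token, which is the property Kagi is relying on.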
Vulnerabilities and Malware
Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.
This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.
Vulnerabilities
Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)
Tenable
This week was a Patch Tuesday (11 FEB) from Microsoft. According to Tenable, Microsoft patched 55 CVEs.
CVE-2025-21418. Escalation of privilege in the Ancillary Function Driver for WinSock on Windows. When exploited, an authenticated attacker could elevate to SYSTEM level privileges. This has been exploited in the wild as a zero-day.
CVE-2025-21391. Another privilege escalation vulnerability, but in Windows Storage. When exploited, a local authenticated attacker could delete (but not necessarily read) files from a system, which could result in data loss. This has been exploited in the wild as a zero-day.
CVE-2025-21194. Publicly disclosed security feature bypass affecting the Microsoft Surface. Successful exploitation requires an attacker getting access to the same network as the device and convincing the user to reboot their device.
Apple Patches 'Extremely Sophisticated Attack' That Can Hit iPhones
PCMag
Apple released an emergency update (18.3.1) to iOS. This patch fixes a vulnerability where USB Restricted Mode can be disabled on iPhones; this vulnerability has reportedly been exploited by law enforcement to access a locked iPhone. Tracked as CVE-2025-24200.
Apple describes the zero-day as a highly sophisticated attack against a targeted individual.
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale
GreyNoise
Threat actors are attempting to exploit a local file inclusion vulnerability (tracked as CVE-2022-47945) in ThinkPHP and an information disclosure vulnerability (tracked as CVE-2023-49103) in ownCloud. While these are "old" vulnerabilities, GreyNoise observed a recent, notable wave of active exploitation attempts against still-unpatched instances.
Google fixes flaw that could unmask YouTube users' email addresses
Bleeping Computer
A flaw in Google's internal APIs leaked a user's "Gaia ID," an identifier meant for internal-to-Google use only, for identification between Google's services and sites. The researchers could obtain a YouTube user's Gaia ID and then, via a second Google service, convert it to the user's email address, unmasking anonymous YouTube accounts.
Malware
Valve removes Steam game that contained malware
TechCrunch
A game (PirateFi) on Steam was actually malware in disguise. It was removed by Valve; Valve sent a message to users who downloaded the game, telling them to "consider fully reformatting your operating system" and to "run a full-system scan using an antivirus product..."
Magecart Attackers Abuse Google Ad Tool to Steal Data
darkreading
Threat actors abuse Google Tag Manager, which is commonly found on many ecommerce websites. In particular, they are targeting ecommerce sites running Magento. The threat actors inject their malicious JavaScript code through the tag manager to steal credit card information at checkout.
Phishing and Scams
Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.
Phishing
Storm-2372 conducts device code phishing campaign
Microsoft Security
A Kremlin-backed (Russian) APT group uses "device code phishing" to take over Microsoft 365 and related accounts. In "device code phishing," the attacker starts a legitimate device code sign-in and sends the victim the code along with a lure (for example, a meeting invite); the victim enters the code on the real Microsoft login page, and the attacker, who initiated the flow, receives the resulting access and refresh tokens. The campaign has been ongoing since around AUG 2024.
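Because the victim signs in on the genuine Microsoft page, the tell-tale signal is in the sign-in logs rather than in the URL. As an added example (not code from Microsoft or from the article), the following triage script runs over constructed records shaped like Microsoft Entra sign-in log entries: the field names follow the Graph `signIn` resource (`authenticationProtocol` takes the value `deviceCode` for this flow), but the users, IPs and apps are made up. It flags every successful device code sign-in and raises severity when the IP has never been seen for that user outside the device code flow; the baseline logic and severity labels are this example's own assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in records (Entra-like field names, made-up values).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "appDisplayName": "Outlook",
     "createdDateTime": "2025-02-10T08:01:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2025-02-12T14:22:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.20", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2025-02-11T09:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "appDisplayName": "Azure CLI",
     "createdDateTime": "2025-02-12T10:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.30", "appDisplayName": "Outlook",
     "createdDateTime": "2025-02-12T07:40:00Z", "status": {"errorCode": 0}},
    # Failed attempt: excluded from findings and from the baseline.
    {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.9", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2025-02-12T07:45:00Z", "status": {"errorCode": 50126}},
]


def build_ip_baseline(records: list) -> dict:
    """Known IPs per user, taken only from successful sign-ins that did NOT
    use the device code flow, so a phished session cannot poison its own baseline."""
    baseline = defaultdict(set)
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" and rec["status"]["errorCode"] == 0:
            baseline[rec["userPrincipalName"]].add(rec["ipAddress"])
    return baseline


def find_device_code_signins(records: list) -> list:
    """Return one finding per successful device code sign-in.

    Severity is 'high' when the source IP is absent from the user's baseline,
    which is the pattern when the attacker, not the victim, initiated the flow.
    """
    baseline = build_ip_baseline(records)
    findings = []
    for rec in records:
        if rec["authenticationProtocol"] != "deviceCode" or rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"]
        reasons = ["device_code_flow"]
        if rec["ipAddress"] not in baseline.get(user, set()):
            reasons.append("ip_not_in_user_baseline")
        findings.append({
            "user": user,
            "time": rec["createdDateTime"],
            "ip": rec["ipAddress"],
            "app": rec["appDisplayName"],
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_device_code_signins(SAMPLE_SIGNINS):
        print(finding)
```

In the sample data, alice's device code sign-in from an IP she has never used elsewhere is the one that should be investigated first; bob's, from his usual address, is more likely a legitimate CLI login but still worth reviewing. For the durable fix, Conditional Access can block the device code flow for users and apps that do not need it, which removes the attack surface rather than just detecting its use.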
Phishing evolves beyond email to become latest Android app threat
MalwareBytes
Phishing is typically thought of as a threat that arrives over email (with good reason, considering the high volume of email phishing attacks). However, recent trends show that malicious/phishing Android apps are rapidly becoming a popular phishing vector.
Scams
Fake Etsy invoice scam tricks sellers into sharing credit card information
MalwareBytes
This scam primarily targets Etsy sellers. The scammers pose as Etsy support, sending targets emails with PDFs (hosted on a legitimate Etsy domain); these emails/PDFs encourage the target to enter their credit card information under the guise of "confirming your identity."
Romance Scams Cost Americans $697.3M Last Year
Infosecurity Magazine
A report indicates approximately 59k Americans fell victim to romance scams in 2024; these victims lost an estimated $697.3 million. Many of these romance scams evolve into fake cryptocurrency investment scams. The report acknowledges romance scams are vastly underreported.
Service Providers' Privacy Practices
This section is dedicated to notable changes or developments in popular/large service provider's privacy practices.
Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affecting a large number of users.
Discord now lets you quietly block people
TheVerge
Discord now allows users to Ignore other users without outright blocking them. Ignored users can still see the profile activity of those who Ignore them, but they are not alerted to being Ignored.
Senator Pushes Zuckerberg on "Perverse Abuse" of Nudify Ads After 404 Media Report
404Media
This isn't a policy change, per se. It is more like another messy Meta advertising ecosystem failure: Meta allowed ads that clearly violate its own policies to run on its platforms. In this specific case, the ads featured AI-generated non-consensual nudity of various Instagram models.
Legislation/Regulations/Lawsuits
Predominantly focused on legal/regulatory privacy developments in US law (ex: FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.
Lawsuits
EFF Sues OPM, DOGE and Musk for Endangering the Privacy of Millions
EFF
The lawsuit, filed by EFF and other privacy defenders, asks the federal courts to stop OPM from disclosing the records of millions of federal employees to Elon Musk and DOGE.
Data Breaches and Leaks
Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.
Will not cover every data breach, naturally, due to frequency and scale.
Data breaches
China’s Salt Typhoon hackers continue to breach telecom firms despite US sanctions
TechCrunch
More on the Salt Typhoon saga. Salt Typhoon continues to breach US and other global telecoms.
Users are encouraged to continue to use end-to-end encrypted communications (SMS is not encrypted and is readable by anyone with access to the carrier's network).
Data leaks
Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World
The New Republic
On its newly launched website (which was hacked on 13 FEB 2025), DOGE supposedly leaked classified information about the headcount of the National Reconnaissance Office (NRO).
2.7 Billion Records Exposed in IoT Devices Data Breach
vpnMentor
A publicly exposed database belonging to Mars Hydro leaked 2.7 billion records; these records contained logging, monitoring, and error records for IoT devices sold worldwide.
12 Million Zacks accounts leaked by cybercriminal
MalwareBytes
This leak is unconfirmed as of writing. A threat actor claims to have breached Zacks in JUN 2024. The leaked data supposedly contains usernames, emails, addresses, full names, and phone numbers. The data may also contain timezone information, date of last password change, and registration date.