Privacy Roundup: Week 8 of Year 2025


This is a news item roundup of privacy or privacy-related news items for 16 FEB 2025 - 22 FEB 2025. Information and summaries provided here are as-is, without warranty.

Note: You may see some traditional "security" content mixed in here due to the close relationship between online privacy and cybersecurity - many things overlap; for example, major vulnerabilities in popular software, which may compromise the security of users' devices (and therefore pose a threat to their privacy), and large data breaches where significant personal information is exposed.

Items presented here are typically curated with the end user and small groups (such as families and small/micro businesses) in mind. Due to this focus, items primarily affecting enterprises or large organizations may not be included, even if they are widespread or "popular" stories.

Privacy Tip of the Week

If you're filling out a field in a form, double check the field you're filling out is actually required. Avoid giving more data than needed.

Surveillance Tech in the News


This section covers surveillance technology and methods in the news. Specifically, stories and news items where public and/or private organizations have leveraged their capabilities to encroach on user privacy; for example, data brokers using underhanded means to harvest user location data without user knowledge or public organizations using technology without regard for user privacy.

X now blocks Signal contact links, flags them as malicious

Bleeping Computer

Twitter/X has started flagging signal.me links, which Signal uses to share account information with someone else, as malicious.

DeepSeek found to be sharing user data with TikTok parent company ByteDance

MalwareBytes

A South Korean agency claims to have found evidence that DeepSeek is "secretly sharing data with" ByteDance (the parent company of TikTok). Allegedly, every time the user opens the DeepSeek app, it transmits information to ByteDance servers.

Privacy Tools and Services

Primarily covers tools and services with a focus on maintaining/improving/respecting user privacy. Generally includes recommended services/tools found on avoidthehack, but may also feature upcoming/other privacy services not necessarily recommended or promoted by avoidthehack.com.

Privacy Tools


Introducing Pi-hole v6

Pi-hole Blog

Pi-hole version 6 introduces multiple changes. Most notably, it eliminates the need for lighttpd and PHP by using a new REST API and a web server embedded in the pihole-FTL binary. Version 6 also introduces subscribed allowlists, consolidated configuration files (which streamline configuration management), a redesigned user interface, and native HTTPS support.

135.0.1 Firefox Release

Mozilla

Firefox version 135.0.1 features bug fixes and a fix for a high-severity memory safety bug that, if exploited, could allow running arbitrary code.

Replacing balenaEtcher with Rufus as installer for Windows

Tails

Tails no longer recommends balenaEtcher in its installation instructions for Windows. This change came about due to a 2024 change in balenaEtcher; specifically, the tool allegedly shares the file name of the image and model of the USB stick with Balena and possibly with third parties.

Tails will now recommend Rufus (developed by Akeo Consulting).

Privacy Services


Key rotation issue fix in IVPN iOS app – update required

iVPN

IVPN has fixed a potential DNS leak in its iOS app that could occur during WireGuard key rotation.

Privacy-focused messaging app Threema finally introduces emoji reactions in latest update

AlternativeTo

Threema introduces emoji reactions, a feature long requested by users.

Ente Photos v0.9.98

ente Blog

Ente releases version 0.9.98 of Ente Photos. This version includes light mode for desktop, album deep links (links to albums will open on the app instead of the browser), the ability to search shared photos, adding faces to contacts (in a privacy-preserving and respecting way), and an end-to-end encrypted video streaming beta.

Vulnerabilities and Malware

Primarily includes severe and exploited vulnerabilities in devices or software used by end users (ex: a major router firmware flaw). Malware campaigns covered generally target/affect the end user.

This section will not contain every vulnerability/CVE or malware campaign reported, but will focus on those with the largest potential impact on a wide range of end users.

Vulnerabilities


Stable Channel Update for Desktop

Google Chrome Releases

Chrome version 133 introduces security fixes for 2 high severity vulnerabilities and 1 medium severity vulnerability.

Qualys TRU Discovers Two Vulnerabilities in OpenSSH: CVE-2025-26465 & CVE-2025-26466

Qualys

This is especially relevant for anyone who self-hosts or uses cloud services, since managing services and servers frequently involves SSH.

CVE-2025-26465. A machine-in-the-middle attack where the client may accept the attacker's key instead of the legitimate server's key. This could enable interception of or tampering with the session without the user's knowledge; it could also result in manipulation of sensitive data and/or session hijacking. Requires the VerifyHostKeyDNS option to be set to "yes" or "ask".

CVE-2025-26466. This is a pre-authentication denial of service attack; it eats up system resources, such as memory and CPU, which could make completing legitimate requests difficult or impossible. When exploited, this could result in a denial of service, causing service outages and making the affected servers difficult to manage for the duration of the attack.

These vulnerabilities have been addressed in OpenSSH version 9.9p2. Users are encouraged to update their servers and clients ASAP.
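The two checks a self-hoster would want after reading the above are whether a client config actually sets VerifyHostKeyDNS to "yes" or "ask", and whether the installed OpenSSH is at the 9.9p2 fix level. The snippet below is an added example (not from the article, Qualys, or OpenSSH) with a constructed ssh_config; it follows ssh_config's first-value-wins rule for Host blocks and accepts the `ssh -V` banner or the flat output of `ssh -G <host>`.

```python
"""Added example: spot the CVE-2025-26465 precondition in an ssh_config and
compare an OpenSSH version banner against the 9.9p2 fix level."""
import fnmatch
import re

def effective_option(config_text, host, option):
    """Return the value OpenSSH would use for `option` when connecting to `host`.

    ssh_config semantics: lines are scanned top to bottom and the FIRST value
    obtained wins. A Host block applies only while one of its patterns matches.
    Match blocks are not evaluated here (treated conservatively as out of scope)
    and negated (!) patterns are not supported.
    """
    in_scope = True
    want = option.lower()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            in_scope = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif key == "match":
            in_scope = False
        elif in_scope and key == want:
            return value.lower()
    return None

def verify_host_key_dns_risky(config_text, host):
    """True when VerifyHostKeyDNS would resolve to 'yes' or 'ask' for this host."""
    return effective_option(config_text, host, "VerifyHostKeyDNS") in ("yes", "ask")

def openssh_version(banner):
    """Parse an `ssh -V` banner such as 'OpenSSH_9.9p1, OpenSSL 3.0.13' into (9, 9, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner: %r" % banner)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def has_9_9p2_fixes(banner):
    """Upstream fix level only: distro packages often backport fixes without
    bumping this banner, so a False here means 'check your vendor advisory'."""
    return openssh_version(banner) >= (9, 9, 2)

SAMPLE_CONFIG = """# constructed sample ~/.ssh/config
Host lab-*
    VerifyHostKeyDNS ask
Host *
    VerifyHostKeyDNS no
"""
```

Note that `ssh -V` writes its banner to stderr, so capture that stream if you script the version check.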

Malware


Hundreds of US Military and Defense Credentials Compromised

Infosecurity Magazine

Infostealer malware has allegedly compromised credentials from defense contractors and the US army and navy. This implies that at some point these employees/contractors/military members downloaded malware onto devices used for work.

XCSSET macOS malware returns with first new version since 2022

The Register

This is the first resurgence of XCSSET since 2022, used in limited attacks as of writing. The malware primarily targets macOS (and more specifically, Apple developers), stealing information from digital wallets and Notes and accessing system data files.

SecTopRAT bundled in Chrome installer distributed via Google Ads

MalwareBytes

Threat actors continue to use Google Ads to distribute malware. In this particular campaign, the bait is Google Chrome; users who click the malicious Google Ad links are directed to a malicious page. When the "Google Chrome Installer" is downloaded, it also drops SecTopRAT as a payload.

Google Docs used by infostealer ACRStealer as part of attack

MalwareBytes

Malware-as-a-service ACRStealer has been observed abusing legitimate platforms like Google Docs or Steam to retrieve its C2 domain. Threat actors place the C2 name in a Google Doc; when the malware installed on the victim device looks up its C2 server, the traffic appears to be going to Google Docs servers, decreasing the likelihood of raising alarm bells and triggering security controls.

An Update on Fake Updates: Two New Actors, and New Mac Malware

proofpoint

Proofpoint identified two new threat actors using "fake updates" (typically malicious websites using malicious JavaScript injections) to circulate a new macOS information stealer. Proofpoint also states that web inject campaigns are growing in popularity.

Over 330 Million Credentials Compromised by Infostealers

Infosecurity Magazine

Infostealers are a massive threat. Specifically, in 2024 they were described as one of the "most significant initial access vectors" in the threat landscape.

Phishing and Scams

Covers popular phishing schemes affecting end users - smishing, vishing, and any new scam/phish tactics for deceiving end users. May overlap some with malware, but focuses more on the phishing tactics than details on a malware delivery/campaign information.

Phishing


How Phished Data Turns into Apple & Google Wallets

KrebsonSecurity

An interesting report looking at the evolution of carding. Carding is primarily just lifting card details and then using them for fraud. However, the "evolution" of carding goes further, registering stolen card credentials with mobile wallets the criminals control. They may load these wallets onto mobile phones and then sell the phones.

They may also cash out these mobile wallets by using the "ghost tap."

Mobile Phishing Attacks Surge with 16% of Incidents in US

Infosecurity Magazine

According to a report by Zimperium zLabs, mobile phishing attacks in 2024 saw a sharp rise, with over 16% of incidents occurring in the US. The most common vectors for phishing on mobile were via SMS and messaging apps.

Scams


No, you’re not fired – but beware of job termination scams

WeLiveSecurity

You've heard of fake job offer scams and fake WFH scams, but now, in the wake of the current job market climate, enter the job termination scam. The lures typically induce urgency in targets, enticing them to click a malicious link that points to a phishing page or triggers a malware download onto the device.

Fake job offers target software developers with infostealers

WeLiveSecurity

A North Korea-linked threat activity group (tracked in this video report as DeceptiveDevelopment) targets software developers with fake job offers. They trick targets into downloading malware that steals login credentials and drains cryptocurrency wallets. Specifically, the threat group uses spearphishing messages sent on job boards and freelance sites, enticing the target to download malware from private repositories.

Fake CS2 tournament streams used to steal crypto, Steam accounts

Bleeping Computer

Threat actors are using hijacked YouTube accounts to promote scams via "streamjacking." QR codes or links on these videos/streams point viewers to malicious websites that encourage them to log in with their Steam credentials under the lure of "claiming their gifts" or receiving double the amount of cryptocurrency they send.

Beware: PayPal "New Address" feature abused to send phishing emails

Bleeping Computer

An ongoing PayPal scam abuses the address settings to send fake purchase notifications. The notifications come from service[@]paypal.com and appear to be legitimate emails; they are also bypassing security and spam filters. The emails are designed to trick users into calling the "PayPal support" phone number listed in the email, where a scammer on the other end attempts to hijack the PayPal account via social engineering tactics.

Service Providers' Privacy Practices

This section is dedicated to notable changes or developments in popular/large service providers' privacy practices.

Service providers listed here are not necessarily "privacy-focused," but may have privacy practice changes that positively (ex: adopting end-to-end encryption for messaging) or negatively (ex: increased sharing of data with affiliates) affect a large number of users.


Google now allows digital fingerprinting of its users

MalwareBytes

Google rescinded a 2019 policy that banned advertisers from fingerprinting. As of 16 FEB 2025, advertisers using Google's advertising products can use fingerprinting techniques. Fingerprinting techniques vary, but many are highly invasive, identify users with surprisingly high accuracy, and essentially force a unique ID on them.

Apple pulls end-to-end encryption feature from UK after demands for law enforcement access

Cyberscoop

Update to the UK government ordering Apple to enable a backdoor in ADP, which was covered in Week 6. Apple pulled Advanced Data Protection from being available to UK users.

Google Chrome disables uBlock Origin for some in Manifest v3 rollout

Bleeping Computer

Google continues to roll out Manifest V3 and disable Manifest V2-based extensions like uBlock Origin.

Users of Chromium can download uBlock Origin Lite, also created by the original uBlock Origin developer. However, while this version is Manifest V3 compliant, it doesn't have the advanced filtering capabilities of uBlock Origin.

Legislation/Regulations/Lawsuits

Predominantly focused on legal/regulatory privacy practices outlined in US law (ex: the FTC banning certain companies from sharing location data), but large enough changes in EU law may also be covered here.

Lawsuits


California privacy regulator seeks to fine Florida data broker after huge breach of Social Security numbers

TechCrunch

This is in reference to the 2024 data breach of "National Public Data." California's privacy regulator asked a court to fine National Public Data $46,000 for failing to register as a data broker. However, National Public Data filed for bankruptcy not long after the breach, so this one may be up in the air.

Beverly Hills Plastic Surgeon Sued for Not Telling Patients Hackers Stole Their Nude Photos

404media

A Beverly Hills plastic surgery practice suffered back-to-back data breaches and allegedly did not give notice to affected patients, who had their personal information and nude photos leaked online. The lawsuit alleges the practice disregarded "basic security measures" for protecting information against unauthorized access or malicious attacks.

Data Breaches and Leaks

Generally covers large data breaches (or data leaks) exposing sensitive information of users - typically the focus is on US companies and on data breaches affecting primarily US citizens, though some exceptions are made depending on potential impact and scale.

Will not cover every data breach, naturally, due to frequency and scale.

Data leaks


Stalkerware apps Cocospy and Spyic are exposing phone data of millions of people

TechCrunch

Another day, another stalkerware app (well, in this case, apps) leaking victims' personal information. These apps go to lengths to remain covert on the devices they are installed on; their purpose is to collect data on the device and feed it back to a dashboard, typically so that the person who installed the app can indulge in their surveillance.

That's a wrap for this edition. Get notified of new posts by subscribing to the RSS feed or signing up for the newsletter.