728 x 90

Your period tracker is (probably) spying on you

Your period tracker is (probably) spying on you

Saint’s Hours Drone video footage from the Francisco Police Department exposed on the open web illustrates a new era of incredibly granular and momentous urban surveillance. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding that the tech giants remove from their app stores 13 AI-nudifying “face-swapping”

Saint’s Hours Drone video footage from the Francisco Police Department exposed on the open web illustrates a new era of incredibly granular and momentous urban surveillance. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding that the tech giants remove from their app stores 13 AI-nudifying “face-swapping” apps that are used almost exclusively to target women and girls.

Since WIRED first reported on Meta’s NameTag facial recognition system in June, company executives have made opaque and contradictory comments about whether the feature exists. We took a step back to lay out both the claims and facts about the actual system.

In a speech on Thursday, President Donald Trump continued to push baseless and completely debunked claims about interference in the 2020 US election. He even promised massive revelations in a trove of documents posted on the White House website, but the filings did not substantiate his claims and, in some cases, actually contradicted Trump’s claims.

As the adoption of AI tools rapidly expands and their capabilities increase, tech giant Anthropic continued to push for US states to regulate AI. Speaking about AI transparency requirements in California and New York last year, Anthropic’s head of US state and local government relations César Fernández told WIRED this week: “The transparency-focused security bills of 2025 were a really important start, but as the capabilities of AI systems continue to advance rapidly, policy responses must match.”

And there is more. Each week, we round up the security and privacy news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Stardust, an astrology-themed period tracker, sends users’ reproductive health details (type of birth control, pregnancy status, moods, and symptoms as specific as breast tenderness and stomach cramps) to a data company not mentioned in its privacy policy, according to the BBC, which first reported on a Mozilla Foundation audit of six popular trackers produced in partnership with Harvard’s Berkman Klein Center.

Stardust scored 2 out of 10, the worst of the group. Mozilla researcher Shoshana Wodinsky found that the app pings third-party trackers from the moment it is opened, before the user enters anything; The instant you logged a symptom, the details went to analytics firm RudderStack along with a persistent user ID, with no way in the app to close the exchange. RudderStack is designed to route data to destinations that Mozilla could not observe. Stardust also provides Facebook with an ad identifier that links in-app behavior to existing profiles on the platform. The company told TechCrunch that it has never received a legal demand for user data.

Euki, a nonprofit tracker, scored a perfect 10: No account required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or open a decoy screen if someone pries open the phone. Its only weakness is an in-app browser for educational pages that loads the usual web trackers, but also resets identifiers between visits.

Russia’s FSB has long had a reputation for highly sophisticated cyberespionage, leaving disruptive cyberattacks in the hands of fellow hackers at the country’s GRU military intelligence agency. But EU and UK sanctions this week, along with a notice from the US Cybersecurity and Infrastructure Security Agency, the FBI and the NSA, flagged a cyberattack against the Polish power grid at FSB Center 16, a rare example of how the Kremlin agency carried out a cyberattack that nearly caused outages to the country’s electricity and water utilities. The attack, which the Polish government said came “very close” to causing a blackout, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as GRU Unit 74455, a more common suspect in infrastructure hacking given its active role in Russia’s long cyber war against Ukraine. But the Polish computer emergency response team at the time disputed that finding and linked the attack to the FSB, a conclusion now supported by a broad consensus of Western governments. The incident suggests that the FSB may be taking on some of the reckless and highly aggressive tendencies (and attacks) of its GRU co-workers.

For years, the Russian cybersecurity company Kaspersky has been accused of having ties to the Russian government, including by US officials who banned the use of the company’s products within the US government and, eventually, by all US customers. However, overt evidence of those connections has been scarce. Now Reuters reports that Denis Obrezko, a Russian man facing hacking charges in Boston and an alleged member of a hacking group known as Void Blizzard or Laundry Bear, spent two years working at Kaspersky. His time at the company took place just before he joined another cybersecurity firm, Yutek-NN, where he allegedly participated in the group’s hacking campaign that stole data and communications from numerous NATO governments and at least 11 U.S. companies, according to U.S. prosecutors. Before Kaspersky, Obrevko also allegedly worked at the FSB, clearly rounding out his time at the company with apparent work for Russia’s intelligence services.

Obrevko pleaded not guilty to computer hacking charges. Kaspersky responded in a statement to Reuters that “the charged offenses cannot be related to the individual’s role or responsibilities during employment at Kaspersky.”

In an incident that will induce anxiety in anyone responsible for evaluating suspicious network activity, DHS officials ruled (twice) that signs of a hacker breach of its National Security Information Network data-sharing platform were false positives when, in fact, they were signs of a very real intrusion. HSIN, used to share unclassified data between state, local and federal agencies, as well as foreign partners, was breached by hackers two months ago, according to a Nextgov/FCW report. Analysts at the Federal Emergency Management Agency detected signs of hacker activity in mid-May — altering files and code, hijacking a legitimate web server and deleting records of their behavior — but the findings were dismissed as a false positive.

In the weeks that followed, the hackers returned, were detected again, and again dismissed as a mirage. It’s unclear why the breach signals were misjudged, but the incidents may represent growing challenges for federal analysts in detecting “off-the-ground” hacking techniques that use legitimate network features to access target assets on a network rather than planting easier-to-detect malware. While the HSIN only houses unclassified data, the information is “highly sensitive,” Senate Intelligence Committee Vice Chairman Mark Warner said in a statement following the breach report, and “its exposure puts national security at risk.”

Music AI startup Suno pulled millions of songs, lyrics and podcasts from YouTube Music, Deezer, Genius and a host of stock audio libraries to train its models, according to 404 Media, which reviewed internal data provided by a hacker who breached the company. The intrusion also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment records.

The dataset notes in the source code apparently from 2023 and 2024 add up to 113,879 hours of audio from YouTube Music alone, plus tens of thousands more from Pond5, Deezer, and other libraries—decades of music in total. Other files show Suno routing its YouTube through Bright Data proxy servers and using PodcastIndex to target approximately 1 million hours of podcasts. The hacker, who goes by the name ellie.191, says they broke in by compromising an employee with the Shai-Hulud worm.

The files apparently corroborate the recording industry’s central allegation that Suno lifted songs directly from YouTube. The company, which argues its training qualifies as fair use and settled with Warner Music Group last November, said the breach involved outdated code and no sensitive personal information, although customers whose data appeared in a sample shared with 404 Media said they were never notified.

Check back often for more exciting news!

Posts Carousel

Latest Posts

Top Authors

Most Commented

Featured Videos