The tool, which is built into DuckDuckGo’s browser, displays a warning message when you click on potentially dangerous sites. In addition to blocking phishing sites, malware, and common online scams, DuckDuckGo has expanded the tool to protect against fake online stores, phony crypto exchanges, and those obnoxious sites that falsely claim your device has a virus.
Security
Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.










A 2023 breach of genetic testing company 23andMe that leaked sensitive data for millions of customers already led to a $30 million settlement and, eventually, bankruptcy for the company once valued at $6 billion. Now the UK is layering on a fine of just over $3 million for failing to protect the genetic data of 155,592 UK residents. It comes just days after co-founder and former CEO Anne Wojcicki said she was buying back the company’s assets for $305 million.
The Wall Street Journal reports that on Sunday, an internal memo from executive editor Matt Murray notified employees about an attack on its email system, possibly by a foreign government. It also cites unnamed sources saying that the Microsoft accounts targeted included reporters on the national security and economic policy beats, including some who write about China.
CNN says the outlet reset all employee logins on Friday, and that Murray said they don’t believe it has had any impact on customers.
[Wall Street Journal]
The vulnerability, called “EchoLeak,” lets attackers “automatically exfiltrate sensitive and proprietary information” from Microsoft 365 Copilot without knowledge of the user, according to findings from Aim Labs.
An attacker only needs to send their victim a malicious prompt injection disguised as a normal email, which covertly instructs Copilot to pull sensitive information from a user’s account.
Microsoft has since fixed the critical flaw and given it the identifier CVE-2025-32711. It also hasn’t been exploited in the wild.
[bleepingcomputer.com]


Meta and Yandex were tracking Android users’ browsing data far more closely than they should have been, according to researchers. They bypassed the Android “sandbox” in some browsers, letting them de-anonymize users, track how they browse, and then use that data in native Facebook, Instagram, and Yandex apps.
Google is investigating the issue, saying that the companies used “capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles.” In statements to Ars Technica, Meta and Yandex said they have discontinued the tracking, while denying wrongdoing.
The company behind the Murena 2 smartphone and de-Googled Pixel Tablet has announced a new version of its operating system: /e/OS 3.0. It will make better use of the larger screens on tablets and give parents new tools for limiting screen time and app access.
The update also introduces a way to locate a missing device using SMS text messages without the need for internet access, and a new search engine called Murena Find.
On the list of apparel-related data breaches, Adidas was early to the trend. Then, the Victoria’s Secret website was offline for a few days last week as it dealt with a “security incident.”
Now, Bleeping Computer has two more to add to the list, reporting that Cartier has sent emails to customers informing them that info like name, email address, and country of residence was stolen, and that The North Face has apparently suffered its fourth reported credential stuffing incident since 2020.
[bleepingcomputer.com]


The company released a statement last week disclosing that an “unauthorized external party” managed to obtain “contact information relating to consumers who had contacted our customer service help desk in the past.”
Adidas says the data “does not contain passwords, credit card or any other payment-related information.” It has “launched a comprehensive investigation, collaborating with leading information security experts” and is “in the process of informing potentially affected consumers.”
The tumultuous year under the Trump administration continues for the Cybersecurity and Infrastructure Security Agency (CISA), as many senior officials across the agency have recently left, or will soon be leaving, according to a report by The Washington Post cited by Cybersecurity Dive. These departures punctuate numerous setbacks the agency has faced since Trump took office, including being told to halt its election security efforts and nearly letting the CVE program lapse, a program that some of the world’s biggest companies rely on to track cybersecurity vulnerabilities.
“It feels like the wrong people are leaving,” said a second CISA employee, who insisted on anonymity to speak freely. “All of these departures make it feel like people are leaving the mission and creating a vacuum.”
[washingtonpost.com]












On Monday, a report from 404 Media found that a hacker obtained direct messages and CBP contact information from TeleMessage after Mike Waltz was spotted using the company’s modified version of Signal.
Customs and Border Protection spokesperson Rhonda Lawson told Wired that the agency “immediately disabled” TeleMessage in response to the attack and that its “investigation into the scope of the breach is ongoing.”






Donald Trump announced Thursday that he would remove Michael Waltz as National Security Advisor and appoint him as ambassador to the United Nations. CBS reported earlier that Trump did not want to explicitly fire Waltz, the person who accidentally added The Atlantic’s Jeffrey Goldberg to the group chat, but waited several weeks before he could spin the demotion as part of a reorganization strategy at the National Security Council.
The increase in AI tools, deepfake technology, and fully remote jobs following the covid pandemic has enabled a new kind of scam: workers who take jobs with US and European companies under false identities and send their salaries to the North Korean government.
The US government estimates that teams of pretenders can earn up to $3 million each year, and workers can go undetected at companies for many months.
Dutch right-wing activist Eva Vlaardingerbroek reported receiving a message from Apple, saying the company “detected a targeted mercenary spyware attack against your iPhone.” The message adds, “This attack is likely targeting you specifically because of who you are or what you do.”
Italian journalist Ciro Pellegrino reported receiving a similar message that indicated Apple had sent warnings to victims in 100 countries, as reported by TechCrunch. Apple last warned users about a spyware attack in July 2024.


Trump’s interview with The Atlantic editor in chief Jeffrey Goldberg (on purpose, this time) is now out. If you choose to use Signal, we have some advice on how, but here’s the president’s take:
Goldberg: But is there any policy lesson from that, that you’ve derived and have talked to Pete Hegseth about, and Mike Waltz?
Trump: I think we learned: Maybe don’t use Signal, okay? If you want to know the truth. I would frankly tell these people not to use Signal, although it’s been used by a lot of people. But, whatever it is, whoever has it, whoever owns it, I wouldn’t want to use it.
After posting to its blog for the first time in 8 years on Friday, 4chan published a new post explaining what took the site down on April 14th, as Engadget spotted. The social media site blames hackers uploading a “bogus PDF” that “exploited an out-of-date software package on one of 4chan’s servers.”
It’s back, but not all the way — as of this writing, images and the ability to post still haven’t returned.
[blog.4chan.org]





