Your menstrual cycle tracker is (most likely) spying on you


san hours Francisco Police Department Drone video footage has been revealed On the Open Web demonstrates a new era of incredibly precise and invasive urban surveillance. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding they rescind the ban. Tech giants delete 13 ‘face swap’ AI apps From their app stores which are almost exclusively used to target women and girls.

Since wired Reported for the first time In June regarding Meta’s NameTag facial recognition system, company executives made vague and conflicting comments about whether or not the feature exists. We have taken a step back Lay out both the allegations and the facts About the very real system.

In a speech on Thursday, President Donald Trump kept up the pressure The allegations are baseless and completely debunked On interference in the 2020 US elections. He even promised to reveal massive information in a trove of documents posted on the White House website, but the files did not substantiate his assertions – and in some cases actually contradicted Trump’s claims.

With the rapid expansion of adoption of AI tools and increasing their capabilities, it has become a technology giant Anthropic has continued its efforts to get US states to regulate artificial intelligence. Speaking about AI transparency requirements in California and New York as of last year, Cesar Fernandez, head of US state and local government relations at Anthropic, told WIRED this week: “The 2025 transparency-focused safety bills were a really important start, but as the capabilities of AI systems continue to advance rapidly, policy responses need to match.”

And there’s more. Every week we round up security and privacy news that we haven’t covered in depth ourselves. Click on the titles to read the full stories. And stay safe out there.

The astrology-themed menstrual cycle tracking software Stardust sends users’ reproductive health details — birth control type, pregnancy status, moods, and specific symptoms like breast tenderness and stomach cramps — to a data company not mentioned in its privacy policy. According to the BBCwhich first reported on the Mozilla Foundation’s audit of six popular trackers produced in partnership with Harvard’s Berkman Klein Center.

Stardust rated 2 out of 10The worst of the group. Mozilla researcher Shoshanna Wodinski found that the app beeps to third-party trackers from the moment it is opened, before the user enters anything; The moment you logged a symptom, the details went to analytics company RudderStack along with your persistent user ID, with no in-app way to stop sharing. RudderStack was designed to route data to destinations that Mozilla could not monitor. Stardust also provides Facebook with an advertising identifier that links in-app behavior to profiles on the platform. Company TechCrunch said It has never received a legal request for user data.

Euki, a non-profit tracking organization, received a perfect score of 10: No account is required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or pull up a fake screen if someone forcefully unlocks the phone. Its only weak point is an in-app browser for educational pages that loads the usual web trackers, but also resets identifiers between visits.

Russia’s FSB has long had a reputation for highly sophisticated cyber espionage, leaving subversive cyber attacks to fellow hackers at the country’s GRU military intelligence agency. But sanctions imposed this week by the European Union and the United Kingdom, along with a warning from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency, pinned a cyberattack against Poland’s electrical grid at the FSB’s No. 16, a rare example of a Kremlin agency carrying out a cyberattack that nearly knocked out the country’s electricity and water utilities. The attack, which the Polish government said was “very close” to causing a power outage, was initially attributed by cybersecurity firms Dragos and ESET to… Sand wormalso known as Unit 74455 of the GRU, is the usual suspect in infrastructure hacking due to its active role in Russia’s long-running cyberwar against Ukraine. But the Polish Computer Emergency Response Team at the time disputed this finding and linked the attack to the Federal Security Service, a conclusion that now has broad consensus among Western governments. The incident suggests that the FSB may be dealing with some very reckless and aggressive tendencies – and targeting – of its colleagues in the Main Intelligence Directorate.

For years, Russian cybersecurity company Kaspersky has been alleged to have ties to the Russian government, including by US officials who banned the use of the company’s products within the US government and eventually by all US customers. However, public evidence of these links has been scarce. Now Reuters is reporting that Denis Opryzhko, a Russian man facing hacking charges in Boston and an alleged member of a hacking group known as Void Blizzard or Laundry Bear, spent two years working for Kaspersky. His stint at the company occurred before he joined another cybersecurity firm, Yutek-NN, where he allegedly participated in the group’s hacking campaign that stole data and communications from several NATO governments and at least 11 U.S. companies, according to U.S. prosecutors. Before joining Kaspersky, Obrevko allegedly also worked for the Federal Security Service (FSB), and neatly ended his time at the company with apparent work for Russian intelligence services.

Obrevko has pleaded not guilty to the hacking charges. Kaspersky responded in a statement to Reuters that “the crimes charged cannot be related to the individual’s role or responsibilities while working for Kaspersky.”

In an incident that would alarm anyone responsible for evaluating suspicious network activity, DHS officials twice ruled that signs of a hacker’s intrusion into a Homeland Security Information Network data-sharing platform were false positives when they were, in fact, signs of a very real intrusion. The HSIN, used to share unclassified data between state, local and federal agencies, as well as foreign partners, was compromised by hackers two months ago, according to a report from Nextgov/FCW. Analysts at FEMA spotted signs of hacker activity in mid-May — changing files and code, hijacking a legitimate web server, and deleting records of their behavior — but the results were dismissed as false positives.

In the weeks that followed, the hackers returned, were discovered again, and were once again dismissed as a mirage. It’s not clear why signs of compromise were misjudged, but these incidents may represent the growing challenges federal analysts face in detecting “living off the ground” hacking techniques that use legitimate features of networks to gain access to targeted assets on a network rather than planting more easily detectable malware. While HSIN only contains unclassified data, the information is “highly sensitive,” Senate Intelligence Committee Vice Chairman Mark Warner said in a statement following the hack report, and “disclosing it puts national security at risk.”

AI music startup Suno collected millions of songs, lyrics and podcasts from YouTube Music, Deezer, Genius and a series of audio libraries to train its models, according to 404 Media, which reviewed internal data provided by one of the hackers who breached the company. The intrusion also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment histories.

Dataset notes in the source code apparently from 2023 and 2024 indicate 113,879 hours of audio music on YouTube Music alone, plus tens of thousands from Pond5, Deezer, and other libraries – decades of music in all. Other filings show Suno directing YouTube data mining through Bright Data proxies and using PodcastIndex to target nearly 1 million hours of podcasts. The hacker, who goes by the name ellie.191, says they broke into the site by hacking an employee using the Shai-Hulud virus.

The files appear to support the recording industry’s central claim that Suno pulled songs directly from YouTube. The company, which says its practice qualifies as fair use and settled with Warner Music Group last November, said the breach involved outdated code and no sensitive personal information — though customers whose data appeared in a sample shared with 404 Media said they were never notified.

Leave a Reply

Your email address will not be published. Required fields are marked *