Google emails 13-year-olds directly: "You can remove parental controls yourself."
No parental consent.
These kids grew up in Google's ecosystem: Gmail, Classroom, YouTube. At their most vulnerable, Google tells them to remove the last barrier to data access.
US law: protections vanish at 13. Europe: GDPR sets it at 16. Control matters. European email exists: no tracking, GDPR/NIS2 compliance built in.
🚨BREAKING: Popular app launcher decides to spice things up by becoming a data miner's paradise! Now you can enjoy personalized ads from your favorite corporate overlords right on your home screen. 👏 Because who needs privacy when you can have targeted ads, right? 😂
https://lemdro.id/post/lemdro.id/35049920 #dataprivacy #appnews #targetedads #corporateoverlords #datamining #HackerNews #ngated
A weekly digest: ScienceDaily Tylenol autism review leads Jan. 19; Guardian tracks AI policy; UC Berkeley maps where AI truly helps society.
https://www.aistory.news/ai-in-society/sciencedaily-tylenol-autism-lead-uc-berkeley-ai-map/
It's been a pretty packed 24 hours in the cyber world, with several significant breaches, some interesting new threat research, a push to finally kill off an old protocol, and a look at the privacy implications of AI in healthcare. Let's dive in:
Recent Cyber attacks and Breaches 🚨
- Higham Lane School in Nuneaton, UK, was forced to close after a "serious cyberattack" crippled core IT systems, including physical safety mechanisms like electronic gates and fire alarms. While the school is reopening, staff still have "very limited" IT access, highlighting the significant operational impact beyond just data theft.
- The distributor Ingram Micro confirmed a July 2025 ransomware attack by SafePay exposed personal data of over 42,500 employees and job applicants. This included sensitive details like names, contact information, dates of birth, identity document numbers (passports, SSNs), and employment evaluations.
- Several Iranian state television channels were briefly taken over via satellite, broadcasting protest footage and messages from an exiled opposition figure, urging continued demonstrations amid economic unrest. The unauthorised broadcast lasted around 10 minutes.
- Jordanian national Feras Khalil Ahmad Albashiti, an Initial Access Broker (IAB) operating as "r1z", pleaded guilty to facilitating cyberattacks on at least 50 US companies. He unwittingly sold network access and EDR-disabling malware to an undercover FBI agent, revealing his IP and linking him to a $50 million ransomware attack.
- A US Navy sailor was sentenced to 16 years and eight months for selling technical manuals and operational information to a Chinese intelligence official. Separately, Nicholas Moore pleaded guilty to illegally accessing the US Supreme Court's electronic document filing system for 25 days in 2023.
- Interpol recently apprehended 34 individuals in Spain linked to the Nigeria-based crime syndicate Black Axe, known for cyber-enabled fraud, drug/human trafficking, and armed robbery. This follows previous busts in 2022 and 2023, underscoring the persistent nature of this large criminal organisation.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/18/infosec_news_in_brief/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/higham_lane_school_reopens/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/ingram_micro_ransomware_affects/
🗞️ The Record | https://therecord.media/iran-state-television-reported-hack-opposition
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/iab_sentencing/
New Threat Research 🔬
- Cybersecurity researchers exploited a cross-site scripting (XSS) vulnerability in the web-based control panel of the StealC information stealer. This allowed them to gather insights into threat actor operations, including system fingerprints, active sessions, and even steal cookies from the cookie stealer's own infrastructure.
- One StealC customer, dubbed YouTubeTA, was identified as a lone-wolf actor operating from an Eastern European country. Their real IP address was exposed when they forgot to use a VPN while connecting to the StealC panel, highlighting a significant operational security failure.
- A new "CrashFix" campaign uses a malicious Chrome extension ("NexShield") that masquerades as an ad blocker. It deliberately crashes the browser and then presents fake security warnings, tricking victims into running arbitrary commands to deploy ModeloRAT, a Python-based Windows RAT, primarily targeting domain-joined corporate environments.
📰 The Hacker News | https://thehackernews.com/2026/01/security-bug-in-stealc-malware-panel.html
📰 The Hacker News | https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers-modelorat-using-clickfix-style-browser-crash-lures.html
Vulnerabilities 🛡️
- Mandiant has released rainbow tables and tools that can crack credentials using Microsoft's legacy Net-NTLMv1 authentication protocol in under 12 hours with consumer-grade hardware. The goal is to highlight the protocol's long-known weakness and accelerate its deprecation, urging organisations to disable Net-NTLMv1 immediately.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/18/infosec_news_in_brief/
Threat Landscape Commentary 🌍
- The UK's NCSC is warning critical services operators, especially local authorities and CNI, not to underestimate pro-Russia hacktivists like NoName057(16). While often technically simple denial-of-service (DoS) attacks, their impact can be significant, causing disruption and financial costs. NCSC recommends DDoS mitigation services and CDNs.
- A honeynet sensor deployed by the University of Dhaka, Bangladesh, attracted over 63,000 attacks from 4,262 unique IP addresses within 12 days of going online, with the first attack occurring in under an hour. Many attacks relied on default or common credentials, underscoring the prevalence of opportunistic scanning and basic attack methods.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/dont_underestimate_prorussia_hacktivists_warns/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/asia_tech_news_roundup/
Data Privacy 🔒
- OpenAI's new ChatGPT Health, designed for secure health inquiries, is raising significant security and safety concerns. While it promises "layered protections," the ability for users to connect medical records and share with third parties means data control can be lost, and end-to-end encryption is not explicitly confirmed.
- The product's launch in the US, but not in the EEA, Switzerland, or the UK (due to stricter GDPR regulations), highlights potential gaps in consumer protection. Experts advise extreme caution before entrusting personal health information to any third-party AI product.
- Australia's eSafety Commissioner announced that 10 tech companies removed access to 4.7 million accounts belonging to users under 16, following the nation's ban on social media for this age group. This aims to reset cultural norms and reduce harm, despite some users finding ways around restrictions.
🕶️ Dark Reading | https://www.darkreading.com/remote-workforce/chatgpt-health-security-safety-concerns
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/asia_tech_news_roundup/
Regulatory Issues 🏛️
- US lawmakers are pushing a bill to restrict the use of ICE's Mobile Fortify app, which identifies suspects and protestors, to only ports of entry. Democrats argue its current widespread use enables civil liberties violations, and the bill would also prohibit sharing the app outside DHS and require deletion of US citizens' captured biometric data.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/18/infosec_news_in_brief/
Everything Else 🌐
- Microsoft is actively hiring Senior Energy Program Managers and engineers in Australia and Singapore to strategise and execute energy plans for its expanding, power-hungry datacenters across the APAC region, particularly for AI applications.
- Vietnamese telco Viettel has broken ground on the nation's first chipmaking plant, aiming to offer 32-nanometer foundry services by 2027 for industries like aerospace, telecoms, and IoT, marking a strategic step for Vietnam's semiconductor industry.
- Indian threat intelligence firm CloudSEK secured a strategic investment from Connecticut Innovations, marking the first time a US state's investment arm has funded an Indian infosec company. CloudSEK is known for its strong analysis and threat discoveries.
- ASUS has received US FDA approval to sell its ultrasound devices in America, paving the way for expansion into key regions with growing demand for smart and remote healthcare, including Southeast Asia and South America.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/19/asia_tech_news_roundup/
#CyberSecurity #ThreatIntelligence #Ransomware #Malware #InfoSec #CyberAttack #DataPrivacy #AI #Vulnerability #Hacktivism #IncidentResponse #OpSec #ThreatResearch
We need to talk about this.
#DigitalSovereignty #OpenSource #EU #Germany #Bavaria #GDPR #CloudAct #EuropeanUnion #FreeSoftware #DataPrivacy
January is Data Privacy Awareness Month!!
Protecting sensitive business and client information starts with strong policies, secure systems, and employee awareness.
#DataPrivacy #CyberAwareness #SimplifiedITConsulting #YourITSimplified
Sherpa Intelligence paid attention to the #InfoSec & #DataPrivacy news from over the weekend so you wouldn't have to!
Read "Information Security & Data Privacy Weekend News Roundup: January 16-18, 2026"
https://sherpaintelligence.substack.com/p/information-security-and-data-privacy-681
Đã chán lãng phí giờ và tiền cho danh sách khách hàng chết? Tôi đã tự xây dựng Cleanmails – công cụ tự host kiểm tra email 8 bước, lọc danh sách, trích xuất, phân tích spam, bảo vệ dữ liệu và không phí thuê bao. Giải pháp cho đội sales muốn giảm bounce và giữ bảo mật. #Sales #Marketing #DataPrivacy #EmailValidation #BánHàng #TiếpThị #BảoMậtDữLiệu #KiểmTraEmail
https://www.reddit.com/r/SaaS/comments/1qgx2az/i_used_to_waste_hours_and_commissions_on_bad/
**Post:**
Nhiều tài xế tại Little Rock (Arkansas, Mỹ) không nhận thức đầy đủ khả năng thu thập dữ liệu của hệ thống camera giao thông phủ khắp thành phố. Các camera này có khả năng đọc biển số xe, làm dấy lên lo ngại nghiêm trọng về quyền riêng tư và sự minh bạch trong việc sử dụng dữ liệu cá nhân.
#AnToanGiaoThong #BaoMatDuLieu #QuyenRiengTu #CameraGiaoThong
#TrafficSafety #DataPrivacy #Surveillance #TrafficCameras
#SmartCities #LicensePlateRecognition #Arkansas #PrivacyConcerns
#Tha
In the PH, BYD is the top EV. This is concerning.
BYD, a Chinese company, can listen to conversations in the car.
The car's internal SIM could be dialled by an external party, allowing audio from inside the vehicle to be transmitted to the caller without the driver's knowledge.
#Tech #EV #Spying #Asian #CyberSecurity #SIM #DataPrivacy #Surveillance #Car #Motoring #Vehicle #Australia #AsiaPacific #TootSEA
Switzerland quietly building a big-tech AI alternative: Euria 🇨🇭🤖
Key features:
• Doesn't train on your data
• Doesn't profile you
• Runs on 100% renewable energy
• Server heat recycled to warm over 6,000 homes in Geneva
This is what ethical, sustainable AI looks like—privacy protection combined with environmental responsibility. A model showing that AI development doesn't have to mean surveillance capital.
#AI #Switzerland #Privacy #Sustainability #EthicalAI #GreenTech #DataPrivacy #CleanEnergy
It feels like ebooks are a privacy nightmare, generally speaking. Am I doing this wrong? It seems like most platforms require a user to have an account and login in to their website or download/login to their app to read books - and collect a whole bunch of data along the way.
I do love hardcopy books, but I just have too many of them and find it hard to part with them - hence wanting to go to ebooks predominantly.
📝 Ah, the classic "Statement by a bunch of European countries" that boils down to cookie consent #jargon. 🤓🍪 They've mastered the art of saying everything and nothing at the same time, all while pretending to care about your data privacy as they track you with #Matomo. 🌍🔍
https://www.bundesregierung.de/breg-de/aktuelles/statement-by-denmark-finland-france-germany-the-netherlands-norway-sweden-and-the-united-kingdom-2403016 #cookieconsent #dataprivacy #Europe #tracking #HackerNews #ngated
There’s something that I would like everyone to reckon with as folks rally against “AI”:
The internet was built on theft, and it was enabled by users. The stealing of intellectual property and data didn’t start with LLMs, it’s just the first time that many people are directly interfacing with the results of those thefts.
The data used to look up pictures of your dog in Google Photos and the data used to generate a picture of a dog with “AI” is the SAME data.
This week’s cybersecurity news spans broken enterprise updates, exposed access brokers, record ransomware activity, and healthcare disruptions.
A reminder of how digital fragility creates real-world impact.
What stood out to you?
Heads up, iPhone and Android users! The feds have issued a new alert about potential risks and are advising us to delete sensitive messages ASAP. Stay safe online, everyone! #CyberSecurity #DataPrivacy #OnlineSafety #iPhone #Android
https://www.squaredtech.co/delete-sensitive-messages-alert-iphone-android?fsp_sid=5846
Be Careful Returning or Selling Your Laptop!
#New #TechNews #DataPrivacy #Privacy #Security #LaptopSales #returns
Daily podcast: Be Careful Returning or Selling Your Laptop!
#New #TechNews #DataPrivacy #Privacy #Security #LaptopSales #returns #podcast
It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, a couple of actively exploited vulnerabilities, new malware evasion techniques, and a reminder about the ever-evolving privacy landscape. Let's take a look:
Anchorage Police & Canadian Investment Regulator Breaches 🚨
- The Anchorage Police Department took servers offline and disabled third-party access after a cyberattack on their data migration provider, Whitebox Technologies. While no evidence of APD system compromise or data acquisition exists, the incident highlights third-party risk.
- Canada's Investment Regulatory Organization (CIRO) confirmed a sophisticated phishing attack last August impacted approximately 750,000 investors. Compromised data includes dates of birth, SINs, government IDs, and investment account numbers, though no evidence of misuse has been found.
- These incidents underscore the critical importance of supply chain security and robust incident response, especially for organisations handling sensitive public or financial data.
🗞️ The Record | https://therecord.media/anchorage-police-takes-servers-offline-after-third-party-attack
🗞️ The Record | https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach
China-Linked APTs Target Critical Infrastructure & US Policy 🇨🇳
- Cisco Talos identified "UAT-8837," a China-backed APT, targeting North American critical infrastructure using compromised credentials and exploiting vulnerabilities like CVE-2025-53690 in SiteCore products, suggesting access to zero-day exploits.
- Another China-linked group, Mustang Panda (aka UNC6384, Twill Typhoon), used Venezuela-themed spear phishing lures to target US government agencies and policy organisations, deploying a new DLL-based backdoor called Lotuslite for espionage.
- Meanwhile, the GootLoader malware has evolved its evasion tactics, using malformed ZIP archives with 500-1,000 concatenated archives and truncated EOCD records to bypass security tools, while remaining readable by Windows' default unarchiver.
🗞️ The Record | https://therecord.media/china-hackers-apt-cisco-talos
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/chinese_spies_used_maduros_capture/
📰 The Hacker News | https://thehackernews.com/2026/01/lotuslite-backdoor-targets-us-policy.html
📰 The Hacker News | https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html
Black Basta Ring Leader Hunted 💰
- German and Ukrainian authorities have identified two Ukrainians as "hash crackers" for the Russia-linked Black Basta ransomware group and placed the alleged ringleader, Oleg Evgenievich Nefekov (aka 'tramp', 'Washingt0n'), on an international most-wanted list.
- Nefekov, 35, is accused of founding and leading Black Basta, responsible for extorting over $100 million from approximately 700 organisations worldwide since 2022.
- This coordinated law enforcement action highlights ongoing efforts to dismantle ransomware operations and hold key individuals accountable, with seized digital assets and cryptocurrency indicating active investigations.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/black_basta_boss_wanted/
🗞️ The Record | https://therecord.media/police-raid-homes-of-alleged-black-basta-hackers
Critical Vulnerabilities Under Active Exploitation ⚠️
- Cisco has finally patched CVE-2025-20393, a maximum-severity RCE zero-day in AsyncOS for Secure Email Gateway and Secure Email and Web Manager, which was actively exploited by China-linked APT UAT-9686 since late November 2025.
- A critical RCE flaw (CVE-2025-37164) in HPE OneView, a data centre management platform, is now being exploited at scale by the RondoDox botnet, with over 40,000 automated attack attempts observed globally, primarily targeting government, financial, and industrial sectors.
- AMD CPUs are vulnerable to "StackWarp" (CVE-2025-29943), a low-severity flaw in SEV-SNP secure virtualisation, allowing malicious hypervisors to access VM secrets, recover private keys, and escalate privileges by manipulating the stack pointer when SMT is enabled. Patches are available.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/cisco_fixes_cve_2025_20393/
📰 The Hacker News | https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/15/stackwarp_bug_amd_cpus/
More Vulnerabilities and IoT Risks 🔒
- CISA's own "Software Acquisition Guide: Supplier Response Web Tool" was found to have a simple cross-site scripting (XSS) vulnerability, highlighting that even tools promoting secure development can have basic flaws.
- A bankrupt Estonian e-scooter startup, Äike, left all its devices vulnerable by shipping them with a single, default private key, allowing any scooter within Bluetooth range to be unlocked by reverse-engineering the Android app.
- These incidents serve as a stark reminder that fundamental security practices, from input validation to proper key management, remain crucial across all software and IoT deployments.
🤫 CyberScoop | https://cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/bankrupt_scooter_startup_key/
AI for Defence & Initial Access Brokers 🛡️
- The Pacific Northwest National Laboratory (PNNL) has developed ALOHA, an AI-based system using Agentic LLMs to significantly reduce attack reconstruction time from weeks to hours, aiding purple teams in quickly testing defences against new threats.
- A Jordanian initial access broker (IAB) operating as "r1z" pleaded guilty to selling access to 50 company networks and powerful EDR-killing malware for $15,000, demonstrating the sophistication and value of IABs in the cybercrime ecosystem.
- These developments highlight both the accelerating pace of cyber defence through AI and the persistent, foundational role of IABs in enabling broader cyberattacks, including ransomware.
🌑 Dark Reading | https://www.darkreading.com/cybersecurity-operations/ai-system-attack-reconstruction-weeks-hours
🗞️ The Record | https://therecord.media/jordanian-initial-access-broker-pleads-guilty-to-helping-target-50-companies
Carlsberg Experience Exposes Visitor Data 🍻
- The Carlsberg exhibition in Copenhagen had a vulnerability where visitor names, images, and videos, accessed via wristband IDs, could be easily brute-forced due to predictable ID formats and a lack of effective rate limiting.
- Pen Test Partners researcher Ken Munro discovered the flaw, which exposed personal data of thousands of visitors monthly, raising GDPR concerns.
- The incident also highlighted challenges in responsible disclosure, with Carlsberg's slow response and ineffective patching attempts.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/16/carlsberg_experience_vulnerability/
CISOs Ascend to Executive Suite 📈
- A new report indicates that CISO titles are increasingly becoming executive-level positions, surpassing VP or director roles, especially in large publicly traded companies.
- This shift is driven by the growing digital dependency of businesses, the rising tide of cyberattacks, and increasing regulatory pressures, such as those from the SEC and updated Gramm-Leach-Bliley Act, which mandate accountability for cybersecurity.
- While the executive title offers a seat at the strategic table and can help with security prioritisation, concerns about CISO burnout persist, particularly in smaller organisations with fewer resources and broader responsibilities.
🌑 Dark Reading | https://www.darkreading.com/cybersecurity-operations/cisos-rise-to-prominence-security-leaders-join-the-executive-suite
#CyberSecurity #ThreatIntelligence #APT #Ransomware #Malware #Vulnerability #ZeroDay #RCE #ActiveExploitation #SupplyChainSecurity #DataPrivacy #CISO #AI #IncidentResponse #InfoSec
