data privacy | Breaking Cybersecurity News | The Hacker News

A Chinese company named the Beijing Institute of Electronics Technology and Application (BIETA) has been assessed to be likely led by the Ministry of State Security (MSS). The assessment comes from evidence that at least four BIETA personnel have clear or possible links to MSS officers and their relationship with the University of International Relations, which is known to share links with the MSS, according to Recorded Future. The names of the four individuals include Wu Shizhong, He Dequan, You Xingang, and Zhou Linna. "BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China's national development and security," the company said in a report shared with The Hacker News. "Their activities include researching methods of steganography that can likely support covert communications (COVCOM) a...

From unpatched cars to hijacked clouds, this week's Threatsday headlines remind us of one thing — no corner of technology is safe. Attackers are scanning firewalls for critical flaws, bending vulnerable SQL servers into powerful command centers, and even finding ways to poison Chrome's settings to sneak in malicious extensions. On the defense side, AI is stepping up to block ransomware in real time, but privacy fights over data access and surveillance are heating up just as fast. It's a week that shows how wide the battlefield has become — from the apps on our phones to the cars we drive. Don't keep this knowledge to yourself: share this bulletin to protect others, and add The Hacker News to your Google News list so you never miss the updates that could make the difference. Claude Now Finds Your Bugs Anthropic Touts Safety Protections Built Into Claude Sonnet 4.6 Anthropic said it has rolled out a number of safety and security improve...

Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. "They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user's saved information and location data via the Gemini Browsing Tool," Tenable security researcher Liv Matan said in a report shared with The Hacker News. The vulnerabilities have been collectively codenamed the Gemini Trifecta by the cybersecurity company. They reside in three distinct components of the Gemini suite - A prompt injection flaw in Gemini Cloud Assist that could allow attackers to exploit cloud-based services and compromise cloud resources by taking advantage of the fact that the tool is capable of summarizing logs pulled dir...

Security leaders are embracing AI for triage, detection engineering, and threat hunting as alert volumes and burnout hit breaking points. A comprehensive survey of 282 security leaders at companies across industries reveals a stark reality facing modern Security Operations Centers: alert volumes have reached unsustainable levels, forcing teams to leave critical threats uninvestigated. You can download the full report here . The research, conducted primarily among US-based organizations, shows that AI adoption in security operations has shifted from experimental to essential as teams struggle to keep pace with an ever-growing stream of security alerts. The findings paint a picture of an industry at a tipping point, where traditional SOC models are buckling under operational pressure and AI-powered solutions are emerging as the primary path forward. Alert Volume Reaches Breaking Point Security teams are drowning in alerts, with organizations processing an average of 960 alerts per ...

Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. The critical-rated vulnerabilities in question, discovered by Trend Micro, are listed below - CVE-2025-10643 (CVSS score: 9.1) - An authentication bypass vulnerability that exists within the permissions granted to a storage account token CVE-2025-10644 (CVSS score: 9.4) - An authentication bypass vulnerability that exists within the permissions granted to an SAS token Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. Trend Micro researchers Alfredo Oliveira and David Fiser said the AI-powered data repair and photo editing application "contradicted its privacy policy by...

The U.S. Department of Justice (DoJ) on Tuesday resentenced the former administrator of BreachForums to three years in prison in connection with his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). Conor Brian Fitzpatrick (aka Pompompurin), 22, of Peekskill, New York, pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material. Fitzpatrick was initially arrested in March 2023 and pleaded guilty later that July. As part of the plea agreement, Fitzpatrick is also said to have agreed to forfeit over 100 domain names used in the operation of BreachForums, over a dozen electronic devices used to execute the scheme, and cryptocurrency that represented the illicit proceeds of the operation. "Conor Fitzpatrick personally profited from the sale of vast quantities of stolen information, ranging from private personal information to commercial data,...

Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content. To that end, support for C2PA's Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency. C2PA's Content Credentials are a tamper-evident, cryptographically signed digital manifest providing verifiable provenance for digital content such as images, videos, or audio files. The metadata type, according to Adobe , serves as a "digital nutrition label," giving information about the creator, how it was made, and if it was generated using artificial intelligence (AI). "The Pixel Camera app achieved Assurance Level 2, the highest security rating currently defined by the C2PA Conformance Program," Google's Android Security and C2PA Core teams said ....

The French data protection authority has fined Google and Chinese e-commerce giant Shein $379 million (€325 million) and $175 million (€150 million), respectively, for violating cookie rules. Both companies set advertising cookies on users' browsers without securing their consent, the National Commission on Informatics and Liberty (CNIL) said. Shein has since updated its systems to comply with the regulation. Reuters reported that the retailer plans to appeal the decision. "When creating a Google account, users were encouraged to choose cookies linked to the display of personalized advertisements, to the detriment of those linked to the display of generic advertisements and that users were not clearly informed that the deposit of cookies for advertising purposes was a condition to be able to access Google's services," the CNIL noted . The consent obtained in this manner is not valid and constitutes a violation of the French Data Protection Act (Article 82), it...

The Harsh Truths of AI Adoption MITs State of AI in Business report revealed that while 40% of organizations have purchased enterprise LLM subscriptions, over 90% of employees are actively using AI tools in their daily work. Similarly, research from Harmonic Security found that 45.4% of sensitive AI interactions are coming from personal email accounts, where employees are bypassing corporate controls entirely. This has, understandably, led to plenty of concerns around a growing "Shadow AI Economy". But what does that mean and how can security and AI governance teams overcome these challenges? Contact Harmonic Security to learn more about Shadow AI discovery and enforcing your AI usage policy.  AI Usage Is Driven by Employees, Not Committees  Enterprises incorrectly view AI use as something that comes top-down, defined by their own visionary business leaders. We now know that's wrong. In most cases, employees are driving adoption from the bottom up, often without ov...

A team of academics has devised a novel attack that can be used to downgrade a 5G connection to a lower generation without relying on a rogue base station (gNB). The attack , per the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), relies on a new open-source software toolkit named Sni5Gect (short for "Sniffing 5G Inject") that's designed to sniff unencrypted messages sent between the base station and the user equipment (UE, i.e., a phone) and inject messages to the target UE over-the-air. The framework can be used to carry out attacks such as crashing the UE modem, downgrading to earlier generations of networks, fingerprinting, or authentication bypass, according to Shijie Luo, Matheus Garbelini, Sudipta Chattopadhyay, and Jianying Zhou. "As opposed to using a rogue base station, which limits the practicality of many 5G attacks, SNI5GECT acts as a third-party in the communication, silently sniffs me...

Google has announced plans to begin verifying the identity of all developers who distribute apps on Android, even for those who distribute their software outside the Play Store. "Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices," the company said . "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down." To that end, the tech giant said it intends to start sending out invitations gradually starting October 2025, before opening it up to all developers in March 2026. The new requirements are expected to go into effect starting a year from now, in September 2026, in Brazil, Indonesia, Singapore, and Thailand. "At this point, any app installed on a certified Android device in these regions must be registered by a verified developer," Suzanne Frey, vice president of Product,...

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers, such as Perplexity's Comet , that promise to automate mundane tasks like shopping for items online or handling emails on behalf of users can be deceived into interacting with phishing landing pages or fraudulent lookalike storefronts without the human user's knowledge or intervention. "With PromptFix, the approach is different: We don't try to glitch the model into obedience," Guardio researchers Nati Tal and Shaked Chen said . "Instead, we mislead it using techniques borrowed from the human social engineering playbook – appealing directly to its core des...

The U.K. government has apparently abandoned its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens. U.S. Director of National Intelligence (DNI) Tulsi Gabbard, in a statement posted on X, said the U.S. government had been working with its partners with the U.K. over the past few months to ensure that Americans' civil liberties are protected.  "As a result, the U.K. has agreed to drop its mandate for Apple to provide a 'backdoor' that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties," Gabbard said . The development comes after Apple switched off its Advanced Data Protection (ADP) feature for iCloud in the U.K. earlier this February, following government demands for backdoor access to encrypted user data. "We are gravely disappointed that the protections provided by ADP will not be available t...

A recent analysis of enterprise data suggests that generative AI tools developed in China are being used extensively by employees in the US and UK, often without oversight or approval from security teams. The study, conducted by Harmonic Security, also identifies hundreds of instances in which sensitive data was uploaded to platforms hosted in China, raising concerns over compliance, data residency, and commercial confidentiality. Over a 30-day period, Harmonic examined the activity of a sample of 14,000 employees across a range of companies. Nearly 8 percent were found to have used China-based GenAI tools, including DeepSeek, Kimi Moonshot, Baidu Chat, Qwen (from Alibaba), and Manus. These applications, while powerful and easy to access, typically provide little information on how uploaded data is handled, stored, or reused. The findings underline a widening gap between AI adoption and governance, especially in developer-heavy organizations where time-to-output often trumps policy ...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

Generative AI is not arriving with a bang, it's slowly creeping into the software that companies already use on a daily basis. Whether it is video conferencing or CRM, vendors are scrambling to integrate AI copilots and assistants into their SaaS applications. Slack can now provide AI summaries of chat threads, Zoom can provide meeting summaries, and office suites such as Microsoft 365 contain AI assistance in writing and analysis. This trend of AI usage implies that the majority of businesses are awakening to a new reality: AI capabilities have spread across their SaaS stack overnight, with no centralized control. A recent survey found 95% of U.S. companies are now using generative AI, up massively in just one year. Yet this unprecedented usage comes tempered by growing anxiety. Business leaders have begun to worry about where all this unseen AI activity might lead. Data security and privacy have quickly emerged as top concerns, with many fearing that sensitive information could le...

Taiwan's National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, Douyin, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China. The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency. "The results indicate the existence of security issues, including excessive data collection and privacy infringement," the NSB said . "The public is advised to exercise caution when choosing mobile apps." The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access. According to the analysis, RedNote violated all 15 indicators, followed by W...