The FBI has issued a warning that cybercriminals have started using AI-generated voice deepfakes in phishing attacks impersonating senior U.S. officials. These attacks, involving smishing and vishing tactics, aim to compromise personal accounts and contacts for further social engineering and financial fraud. BleepingComputer reports: "Since April 2025, malicious actors have impersonated senior U.S. officials to target individuals, many of whom are current or former senior U.S. federal or state government officials and their contacts. If you receive a message claiming to be from a senior U.S. official, do not assume it is authentic," the FBI warned. "The malicious actors have sent text messages and AI-generated voice messages -- techniques known as smishing and vishing, respectively -- that claim to come from a senior U.S. official in an effort to establish rapport before gaining access to personal accounts." The attackers can gain access to the accounts of U.S. officials by sending malicious links disguised as links designed to move the discussion to another messaging platform. By compromising their accounts, the threat actors can gain access to other government officials' contact information. Next, they can use social engineering to impersonate the compromised U.S. officials to steal further sensitive information and trick targeted contacts into transferring funds. Today's PSA follows a March 2021 FBI Private Industry Notification (PIN) [PDF] warning that deepfakes (including AI-generated or manipulated audio, text, images, or video) would likely be widely employed in "cyber and foreign influence operations" after becoming increasingly sophisticated.

Read more of this story at Slashdot.

According to The Information (paywalled), Meta is reportedly developing facial recognition capabilities for its Ray-Ban smart glasses -- technology it previously avoided due to privacy concerns. 404 Media's Joseph Cox writes: The move is an obvious about-face from Meta. It's also interesting to me because Meta's PR chewed my ass off when I dared to report in October that a pair of students took Meta's Ray-Ban glasses and combined them with off-the-shelf facial recognition technology. That tool, which the students called I-XRAY, captured a person's face, ran it through an easy to access facial recognition service called Pimeyes, then went a step further and pulled up information about the subject from across the web, including their home address and phone number. When I contacted Meta for comment for that story, Dave Arnold, a spokesperson for the company, said in an email he had one question for me. "That Pimeyes facial recognition technology could be used with ANY camera, correct? In other words, this isn't something that only is possible because of Meta Ray-Bans? If so, I think that's an important point to note in the piece," he wrote. This is true. But entirely misses the point of why the students created the tool with Meta's Ray-Ban glasses. They said themselves in a demonstration video they identified dozens of people without their knowledge. You do that by wearing a pair of glasses that look like any other. Meta's Ray-Ban's do have a light that turns on when it's recording, but according to the new report, Meta is questioning whether new versions of its glasses need this.

Read more of this story at Slashdot.

TeleMessage, a communications app used by former Trump national security adviser Mike Waltz, has suspended services after a reported hack exposed some user messages. The breach follows controversy over Waltz's use of the app to coordinate military updates, including accidentally adding a journalist to a sensitive Signal group chat. From the report: In an email, Portland, Oregon-based Smarsh, which runs the TeleMessage app, said it was "investigating a potential security incident" and was suspending all its services "out of an abundance of caution." A Reuters photograph showed Waltz using TeleMessage, an unofficial version of the popular encrypted messaging app Signal, on his phone during a cabinet meeting on Wednesday. A separate report from 404 Media says hackers have also targeted GlobalX Air -- one of the main airlines the Trump administration is using as part of its deportation efforts -- and claim to have stolen flight records and passenger manifests for all its flights, including those for deportation. From the report: The data, which the hackers contacted 404 Media and other journalists about unprompted, could provide granular insight into who exactly has been deported on GlobalX flights, when, and to where, with GlobalX being the charter company that facilitated the deportation of hundreds of Venezuelans to El Salvador. "Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans," a defacement message posted to GlobalX's website reads. Anonymous, well-known for its use of the Guy Fawkes mask, is an umbrella some hackers operate under when performing what they see as hacktivism.

Read more of this story at Slashdot.

The Karnataka High Court on Tuesday directed India's government to block Switzerland-based email service Proton Mail, citing national security concerns and law enforcement challenges. Justice M Nagaprasanna ordered authorities to initiate proceedings under Section 69A of the Information Technology Act to ban the service, while mandating immediate blocking of "offending URLs" until final decisions are made. The ruling followed a petition from M Moser Design Associates India, which claimed its female employees were targeted with obscene emails containing "AI-generated deepfake images" sent via Proton Mail. Petitioners argued Proton Mail operates servers outside India, making it inaccessible to law enforcement. The court noted several bomb threats to Indian schools were sent using the service, which has already been banned in Russia and Saudi Arabia. Additional Solicitor General Aravind Kamath, representing the government, said authorities would comply with the court's direction.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Wired: Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers' exposure to government surveillance and the likelihood of being caught up in police investigations. A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of "connected cars," with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement's knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies -- not the law -- determine driver privacy. "Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera," one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. "If the vehicle has an active subscription," they add, "it does create more data." The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely. One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data -- revealing its location -- roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead. [...] Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car's systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Milwaukee Journal Sentinel: Milwaukee police are mulling a trade: 2.5 million mugshots for free use of facial recognition technology. Officials from the Milwaukee Police Department say swapping the photos with the software firm Biometrica will lead to quicker arrests and solving of crimes. But that benefit is unpersuasive for those who say the trade is startling, due to the concerns of the surveillance of city residents and possible federal agency access. "We recognize the very delicate balance between advancement in technology and ensuring we as a department do not violate the rights of all of those in this diverse community," Milwaukee Police Chief of Staff Heather Hough said during an April 17 meeting. For the first time, Milwaukee police officials detailed their plans to use the facial recognition technology during a meeting of the city's Fire and Police Commission, the oversight body for those departments. In the past, the department relied on facial recognition technology belonging to neighboring police agencies. In an April 24 email, Hough said the department has not entered into an agreement with any facial recognition and the department intends to continue engaging the public before doing so. The department will discuss it at a future meeting of the city's Public Safety and Health Committee next, she said. "While we would like to acquire the technology to assist in solving cases, being transparent with the community that we serve far outweighs the urgency to acquire," she said in an email. Officials said the technology alone could not be used as probable cause to arrest someone and the only authorized uses would be when there's basis to believe criminal activity has happened or could happen, or a threat to public safety is imminent. Hough said the department intended to craft a policy that would ensure no one is arrested solely based on facial recognition matches. That reassurance and others from police officials came as activists, residents and some public officials voiced concern.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Cybernews: Researchers at Cybernews have uncovered a major privacy breach involving WorkComposer, a workplace surveillance app used by over 200,000 people across countless companies. The app, designed to track productivity by logging activity and snapping regular screenshots of employees' screens, left over 21 million images exposed in an unsecured Amazon S3 bucket, broadcasting how workers go about their day frame by frame. The leaked data is extremely sensitive, as millions of screenshots from employees' devices could not only expose full-screen captures of emails, internal chats, and confidential business documents, but also contain login pages, credentials, API keys, and other sensitive information that could be exploited to attack businesses worldwide. After the company was contacted, access to the unsecured database was secured. An official comment has yet to be received.

Read more of this story at Slashdot.

WhatsApp is rolling out a new "Advanced Chat Privacy" feature that blocks others from exporting chat histories or automatically downloading media. While it doesn't stop screenshots or manual downloads, it marks the first step in WhatsApp's plan to enhance in-chat privacy protections. The Verge reports: By default, WhatsApp saves photos and videos in a chat to your phone's local storage. It also lets you and your recipients export chats (with or without media) to your messages, email, or notes app. The Advanced Chat Privacy setting will prevent this in group and individual chats. [...] WhatsApp says this is its "first version" of the feature, and that it plans to add more protections down the line. "We think this feature is best used when talking with groups where you may not know everyone closely but are nevertheless sensitive in nature," WhatsApp says in its announcement. WABetaInfo first spotted this feature earlier this month, and now it's rolling out to the latest version of the app. You can turn on the setting by tapping the name of your chat and selecting Advanced Chat Privacy.

Read more of this story at Slashdot.

An anonymous reader quotes a report from 404 Media: A judge in Nevada has ruled that "tower dumps" -- the law enforcement practice of grabbing vast troves of private personal data from cell towers -- is unconstitutional. The judge also ruled that the cops could, this one time, still use the evidence they obtained through this unconstitutional search. Cell towers record the location of phones near them about every seven seconds. When the cops request a tower dump, they ask a telecom for the numbers and personal information of every single phone connected to a tower during a set time period. Depending on the area, these tower dumps can return tens of thousands of numbers. Cops have been able to sift through this data to solve crimes. But tower dumps are also a massive privacy violation that flies in the face of the Fourth Amendment, which protects people from unlawful search and seizure. When the cops get a tower dump they're not just searching and seizing the data of a suspected criminal, they're sifting through the information of everyone who was in the location. The ruling stems from a court case involving Cory Spurlock, a Nevada man charged with drug offenses and a murder-for-hire plot. He was implicated through a cellphone tower dump that law enforcement used to place his device near the scenes of the alleged crimes. A federal judge ruled that the tower dump constituted an unconstitutional general search under the Fourth Amendment but declined to suppress the evidence, citing officers' good faith in obtaining a warrant. It marks the first time a court in the Ninth Circuit has ruled on the constitutionality of tower dumps, which in Spurlock's case captured location data from over 1,600 users -- many of whom had no way to opt out.

Read more of this story at Slashdot.

An anonymous reader shares a report: Members of the European Parliament were offered special pouches to protect digital devices from espionage and tampering for a visit to Hungary this week, a sign of rising spying fears within Europe. Five lawmakers from the Parliament's civil liberties committee traveled to Hungary on Monday for a three-day visit to inspect the EU member country's progress on democracy, the rule of law and fundamental rights. One lawmaker on the trip confirmed to POLITICO that the Parliament officials joining the delegation were offered Faraday bags -- special metal-lined pouches that block electromagnetic signals -- by the Parliament's services and were also advised to be cautious about using public Wi-Fi networks or charging facilities.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: There's a somewhat concerning new trend going viral: People are using ChatGPT to figure out the location shown in pictures. This week, OpenAI released its newest AI models, o3 and o4-mini, both of which can uniquely "reason" through uploaded images. In practice, the models can crop, rotate, and zoom in on photos -- even blurry and distorted ones -- to thoroughly analyze them. These image-analyzing capabilities, paired with the models' ability to search the web, make for a potent location-finding tool. Users on X quickly discovered that o3, in particular, is quite good at deducing cities, landmarks, and even restaurants and bars from subtle visual clues. In many cases, the models don't appear to be drawing on "memories" of past ChatGPT conversations, or EXIF data, which is the metadata attached to photos that reveal details such as where the photo was taken. X is filled with examples of users giving ChatGPT restaurant menus, neighborhood snaps, facades, and self-portraits, and instructing o3 to imagine it's playing "GeoGuessr," an online game that challenges players to guess locations from Google Street View images. It's an obvious potential privacy issue. There's nothing preventing a bad actor from screenshotting, say, a person's Instagram Story and using ChatGPT to try to doxx them.

Read more of this story at Slashdot.

An anonymous reader quotes a report from 404 Media: As part of the company's months-long obsession with catching employees leaking internal developments to the press, staff at Wordpress parent company Automattic recently noticed individually-unique watermarks on internal sites, according to employees who spoke to 404 Media. Automattic added the watermarks to an internal employee communications platform called P2. P2 is a WordPress product other workplaces can also use. There are hundreds of P2 sites across teams at Automattic alone; many are team-specific, but some are company-wide for announcements. The watermarks in Automattic's P2 instance are nearly invisible, rendered as a pattern overlaid on the site's white page backgrounds. Zooming in or manually changing the background color reveals the pattern. If, for example, a journalist published a screenshot leaked to them that was taken from P2, Automattic could theoretically identify the employee who shared it. In October, as part of a series of buyout offers meant to test employee's loyalty to his leadership, Automattic CEO Matt Mullenweg issued a threat for anyone speaking to the press, saying they should "exit gracefully, or be fired tomorrow with no severance." Earlier this month, the company laid off nearly 300 people. [...] It's not clear when the watermarks started appearing on P2, and Automattic has not responded to a request for comment. But Mullenweg has been warring with web hosting platform WP Engine -- and as the story has developed, seemingly with his own staff -- since last year. [...] One Automattic employee told me they don't think anyone is shocked by the watermarking, considering Mullenweg's ongoing campaign to find leakers, but that it's still adding to the uncertain, demoralized environment at the company. "Can't help but feel even more paranoid now," they said.

Read more of this story at Slashdot.

An anonymous reader quotes a report from SecurityWeek: Insurance firm Lemonade is notifying roughly 190,000 individuals that their driver's license numbers were likely exposed due to a technical glitch. Copies of the notification letter that were submitted to regulators in several states show that the incident involved an online application that enables individuals to obtain car insurance quotes and purchase policies. According to the company, a vulnerability in the car insurance quote flow resulted in the exposure of certain driver's license numbers for identifiable individuals. The vulnerability has been addressed, Lemonade says. Between April 2023 and September 2024, the platform transmitted the information unencrypted, which the company says allowed driver's license numbers to be accessed without authorization. "We have no evidence to suggest that your driver's license number has been misused but we are providing this notice as a precaution to inform potentially affected individuals and share some steps you can take to help protect yourself," the company's notification letter reads. The insurer is providing the impacted individuals with 12 months of free credit monitoring and identity protection services.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver's licenses. The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024. The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers. Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. Hertz also disclosed the breach with several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher. Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be "inaccurate to say millions" of customers are affected. The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.

Read more of this story at Slashdot.

Newcomer: Keith O'Brien, the man who allegedly spied for Deel while working at Rippling, is apparently clearing his conscience, according to a sworn Irish affidavit. O'Brien says in the affidavit that Deel paid him to spy on Rippling and that he coordinated directly with Deel's CEO, Alex Bouaziz. For some background, Alex Bouaziz is Deel's CEO and Philippe Bouaziz is his father, Deel's CFO. Rippling, which competes directly with Deel, has sued Deel over the alleged spying. O'Brien says in the affidavit: I decided to cooperate after I got a text from a friend on March 25, 2025 saying, "the truth will set you free." I was also driving with a family member to meet my solicitors and she told me that if I had done something wrong that I should "just tell the truth." I was having bad thoughts at the time; it was a horrible time for me. I was getting sick concealing this lie. I realised that I was harming myself and my family to protect Deel. I was concerned, and I am still concerned, about how wealthy and powerful Alex and Philippe are, but I know that what I was doing was wrong. After I spoke with my solicitors at Fenecas Law, I started to feel a sense of relief. I want to do what I can to start making amends and righting these wrongs. Deel CEO allegedly agreed to pay O'Brien 5000 euros a month.

Read more of this story at Slashdot.

The FTC has warned that any buyer of 23andMe must honor the company's current privacy policy, which ensures consumers retain control over their genetic data and can delete it at will. FTC Chair Andrew Ferguson emphasized that such promises must be upheld, given the uniquely sensitive and immutable nature of genetic information. The Record reports: The letter, sent to the DOJ's United States Trustee Program, highlights several assurances 23andMe makes in its privacy policy, including that users are in control of their data and can determine how and for what purposes it is used. The company also gives users the ability to delete their data at will, the letter says, arguing that 23andMe has made "direct representations" to consumers about how it uses, shares and safeguards their personal information, including in the case of bankruptcy. Pointing to statements that the company's leadership has made asserting that user data should be considered an asset, Ferguson highlighted that 23andMe's privacy statement tells users it does not share their data with insurers, employers, public databases or law enforcement without a court order, search warrant or subpoena. It also promises consumers that it only shares their personal data in cases where it is needed to provide services, Ferguson added. The genetic testing and ancestry company is explicit that its data protection guidelines apply to new entities it may be sold or transferred to, Ferguson said.

Read more of this story at Slashdot.

Bruce66423 shares a report from the BBC: A former GCHQ intern has admitted risking national security by taking top secret data home with him on his mobile phone. Hasaan Arshad, 25, pleaded guilty to an offence under the Computer Misuse Act on what would have been the first day of his trial at the Old Bailey in London. The charge related to committing an unauthorised act which risked damaging national security. Arshad, from Rochdale in Greater Manchester, is said to have transferred sensitive data from a secure computer to his phone, which he had taken into a top secret area of GCHQ on 24 August 2022. [...] The court heard that Arshad took his work mobile into a top secret GCHQ area and connected it to work station. He then transferred sensitive data from a secure, top secret computer to the phone before taking it home, it was claimed. Arshad then transferred the data from the phone to a hard drive connected to his personal home computer. "Seriously? What on earth was the UK's equivalent of the NSA doing allowing its hardware to carry out such a transfer?" questions Bruce66423.

Read more of this story at Slashdot.

An anonymous reader shares a report: A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer, Indiana University, and had his homes raided by the FBI. No one knows why. Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there. He has also co-authored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data.

Read more of this story at Slashdot.

"Researchers have discovered nearly 1.5 million pictures from specialist dating apps — many of which are explicit — being stored online without password protection," reports the BBC, "leaving them vulnerable to hackers and extortionists." And the images weren't limited to those from profiles, the BBC learned from the ethical hacker who discovered the issue. "They included pictures which had been sent privately in messages, and even some which had been removed by moderators..." Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile [including two kink/BDSM sites and two LGBT apps]... These services are used by an estimated 800,000 to 900,000 people. M.A.D Mobile was first warned about the security flaw on 20th January but didn't take action until the BBC emailed on Friday. They have since fixed it but not said how it happened or why they failed to protect the sensitive images. Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services... None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex. In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring. But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash. "Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it..."

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Verge: A concert on Monday night at New York's Radio City Music Hall was a special occasion for Frank Miller: his parents' wedding anniversary. He didn't end up seeing the show -- and before he could even get past security, he was informed that he was in fact banned for life from the venue and all other properties owned by Madison Square Garden (MSG). After scanning his ticket and promptly being pulled aside by security, Miller was told by staff that he was barred from the MSG properties for an incident at the Garden in 2021. But Miller says he hasn't been to the venue in nearly two decades. "They hand me a piece of paper letting me know that I've been added to a ban list," Miller says. "There's a trespass notice if I ever show up on any MSG property ever again," which includes venues like Radio City, the Beacon Theatre, the Sphere, and the Chicago Theatre. He was baffled at first. Then it dawned on him: this was probably about a T-shirt he designed years ago. MSG Entertainment won't say what happened with Miller or how he was picked out of the crowd, but he suspects he was identified via controversial facial recognition systems that the company deploys at its venues. In 2017, 1990s New York Knicks star Charles Oakley was forcibly removed from his seat near Knicks owner and Madison Square Garden CEO James Dolan. The high-profile incident later spiraled into an ongoing legal battle. For Miller, Oakley was an "integral" part of the '90s Knicks, he says. With his background in graphic design, he made a shirt in the style of the old team logo that read, "Ban Dolan" -- a reference to the infamous scuffle. A few years later, in 2021, a friend of Miller's wore a Ban Dolan shirt to a Knicks game and was kicked out and banned from future events. That incident spawned ESPN segments and news articles and validated what many fans saw as a pettiness on Dolan and MSG's part for going after individual fans who criticized team ownership. "Frank Miller Jr. made threats against an MSG executive on social media and produced and sold merchandise that was offensive in nature," Mikyl Cordova, executive vice president of communications and marketing for the company, said in an emailed statement. "His behavior was disrespectful and disruptive and in violation of our code of conduct." Miller responded to the ban, saying: "I just found it comical, until I was told that my mom was crying [in the lobby]. I was like, 'Oh man, I ruined their anniversary with my shit talk on the internet. Memes are powerful, and so is the surveillance state. It's something that we all have to be aware of -- the panopticon. We're [being] surveilled at all times, and it's always framed as a safety thing, when rarely is that the case. It's more of a deterrent and a fear tactic to try to keep people in line."

Read more of this story at Slashdot.