A couple months ago, YouTuber Benn Jordan "found vulnerabilities in some of Flock's license plate reader cameras," reports 404 Media's Jason Koebler. "He reached out to me to tell me he had learned that some of Flock's Condor cameras were left live-streaming to the open internet." This led to a remarkable article where Koebler confirmed the breach by visiting a Flock surveillance camera mounted on a California traffic signal. ("On my phone, I am watching myself in real time as the camera records and livestreams me — without any password or login — to the open internet... Hundreds of miles away, my colleagues are remotely watching me too through the exposed feed.") Flock left livestreams and administrator control panels for at least 60 of its AI-enabled Condor cameras around the country exposed to the open internet, where anyone could watch them, download 30 days worth of video archive, and change settings, see log files, and run diagnostics. Unlike many of Flock's cameras, which are designed to capture license plates as people drive by, Flock's Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people's faces... The exposure was initially discovered by YouTuber and technologist Benn Jordan and was shared with security researcher Jon "GainSec" Gaines, who recently found numerous vulnerabilities in several other models of Flock's automated license plate reader (ALPR) cameras. Jordan appeared this week as a guest on Koebler's own YouTube channel, while Jordan released a video of his own about the experience. titled "We Hacked Flock Safety Cameras in under 30 Seconds." (Thanks to Slashdot reader beadon for sharing the link.) But together Jordan and 404 Media also created another video three weeks ago titled "The Flock Camera Leak is Like Netflix for Stalkers" which includes footage he says was "completely accessible at the time Flock Safety was telling cities that the devices are secure after they're deployed." The video decries cities "too lazy to conduct their own security audit or research the efficacy versus risk," but also calls weak security "an industry-wide problem." Jordan explains in the video how he "very easily found the administration interfaces for dozens of Flock safety cameras..." — but also what happened next: None of the data or video footage was encrypted. There was no username or password required. These were all completely public-facing, for the world to see.... Making any modification to the cameras is illegal, so I didn't do this. But I had the ability to delete any of the video footage or evidence by simply pressing a button. I could see the paths where all of the evidence files were located on the file system... During and after the process of conducting that research and making that video, I was visited by the police and had what I believed to be private investigators outside my home photographing me and my property and bothering my neighbors. John Gaines or GainSec, the brains behind most of this research, lost employment within 48 hours of the video being released. And the sad reality is that I don't view these things as consequences or punishment for researching security vulnerabilities. I view these as consequences and punishment for doing it ethically and transparently. I've been contacted by people on or communicating with civic councils who found my videos concerning, and they shared Flock Safety's response with me. The company claimed that the devices in my video did not reflect the security standards of the ones being publicly deployed. The CEO even posted on LinkedIn and boasted about Flock Safety's security policies. So, I formally and publicly offered to personally fund security research into Flock Safety's deployed ecosystem. But the law prevents me from touching their live devices. So, all I needed was their permission so I wouldn't get arrested. And I was even willing to let them supervise this research. I got no response. So instead, he read Flock's official response to a security/surveillance industry research group — while standing in front of one of their security cameras, streaming his reading to the public internet. "Might as well. It's my tax dollars that paid for it." " 'Flock is committed to continuously improving security...'"

Read more of this story at Slashdot.

Illinois Department of Human Services disclosed that a misconfigured internal mapping website exposed sensitive personal data for more than 700,000 Illinois residents for over four years, from April 2021 to September 2025. Officials say they can't confirm whether the publicly accessible data was ever viewed. TechCrunch reports: Officials said the exposed data included personal information on 672,616 individuals who are Medicaid and Medicare Savings Program recipients. The data included their addresses, case numbers, and demographic data -- but not individuals' names. The exposed data also included names, addresses, case statuses, and other information relating to 32,401 individuals in receipt of services from the department's Division of Rehabilitation Services.

Read more of this story at Slashdot.

Texas Attorney General Ken Paxton has secured a temporary restraining order against Samsung, blocking the company from continuing to collect data through its smart TVs' Automated Content Recognition technology. The ACR system captured screenshots of what users were watching every 500 milliseconds, according to the state's lawsuit, and did so without consumer knowledge or consent. The District Court found good cause to believe Samsung's actions violated the Texas Deceptive Trade Practices Act. The TRO prohibits Samsung and any parties working in concert with the company from using, selling, transferring, collecting, or sharing ACR data tied to Texas consumers. Samsung is one of five major TV manufacturers the Texas Attorney General's office has sued over ACR deployment. Paxton previously secured a similar order against Hisense.

Read more of this story at Slashdot.

schwit1 shares a report from Gothamist: Wegmans in New York City has begun collecting biometric data from anyone who enters its supermarkets, according to new signage posted at the chain's Manhattan and Brooklyn locations earlier this month. Anyone entering the store could have data on their face, eyes and voices collected and stored by the Rochester-headquartered supermarket chain. The information is used to "protect the safety and security of our patrons and employees," according to the signage. The new scanning policy is an expansion of a 2024 pilot. The chain had initially said that the scanning system was only for a small group of employees and promised to delete any biometric data it collected from shoppers during the pilot rollout. The new notice makes no such assurances. Wegmans representatives did not reply to questions about how the data would be stored, why it changed its policy or if it would share the data with law enforcement.

Read more of this story at Slashdot.

While California's residents have had the right to demand companies stop collecting/selling their data since 2020, doing so used to require a laborious opting out with each individual company," reports TechCrunch. But now Californians can make "a single request that more than 500 registered data brokers delete their information" — using the Delete Requests and Opt-Out Platform (or DROP): Once DROP users verify that they are California residents, they can submit a deletion request that will go to all current and future data brokers registered with the state... Brokers are supposed to start processing requests in August 2026, then they have 90 days to actually process requests and report back. If they don't delete your data, you'll have the option to submit additional information that may help them locate your records. Companies will also be able to keep first-party data that they've collected from users. It's only brokers who seek to buy or sell that data — which can include your social security number, browsing history, email address, phone number, and more — who will be required to delete it... The California Privacy Protection Agency says that in addition to giving residents more control over their data, the tool could result in fewer "unwanted texts, calls, or emails" and also decrease the "risk of identity theft, fraud, AI impersonations, or that your data is leaked or hacked."

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: Across Uzbekistan, a network of about a hundred banks of high-resolution roadside cameras continuously scan vehicles' license plates and their occupants, sometimes thousands a day, looking for potential traffic violations. Cars running red lights, drivers not wearing their seatbelts, and unlicensed vehicles driving at night, to name a few. The driver of one of the most surveilled vehicles in the system was tracked over six months as he traveled between the eastern city of Chirchiq, through the capital Tashkent, and in the nearby settlement of Eshonguzar, often multiple times a week. We know this because the country's sprawling license plate-tracking surveillance system has been left exposed to the internet. Security researcher Anurag Sen, who discovered the security lapse, found the license plate surveillance system exposed online without a password, allowing anyone access to the data within. It's not clear how long the surveillance system has been public, but artifacts from the system show that its database was set up in September 2024, and traffic monitoring began in mid-2025. The exposure offers a rare glimpse into how such national license plate surveillance systems work, the data they collect, and how they can be used to track the whereabouts of any one of the millions of people across an entire country. The lapse also reveals the security and privacy risks associated with the mass monitoring of vehicles and their owners, at a time when the United States is building up its nationwide array of license plate readers, many of which are provided by surveillance giant Flock.

Read more of this story at Slashdot.

Hackers breached approximately 120,000 IP cameras across South Korea and allegedly sold footage captured from private homes, gynecology offices, breastfeeding rooms and massage parlors to an overseas pornography website, prompting an interagency government task force to announce sweeping reforms on December 7. Police believe one suspect alone hacked 63,000 cameras and produced 545 videos that netted him 35 million won ($24,000) in cryptocurrency; a second suspect, operating independently, compromised 70,000 devices and earned 18 million won from 648 videos. The footage accounted for 62% of all content on the website, which maintains a dedicated "Korean" category. A government survey found that only 59% of installation companies consistently carried out mandatory security measures such as changing default passwords. Lawmakers are now pursuing legislation requiring security-certified IP cameras in sensitive facilities.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Wall Street Journal: The alleged perpetrator had improper access to virtually every South Korean adult's personal information: names, phone numbers and even the keycode to enter residential buildings. It was one of the biggest data breaches of recent years and it has sent the company it targeted -- Coupang, South Korea's equivalent of Amazon -- reeling, generating lawsuits, government investigation and calls to toughen penalties against such leaks. The leak went undetected for nearly five months, hitting Coupang's radar on Nov. 18 only after a customer flagged suspicious activity. At first, Coupang, which was founded by a Korean-American entrepreneur, said it had experienced a data "exposure" affecting roughly 4,500 customer accounts. But within days, the e-commerce firm revised the figure: The leak exposed up to roughly 34 million user accounts in South Korea -- a sum representing more than 90% of the country's working-age population. Coupang started calling the incident a "leak" after Korean regulators took issue with the company's prior word choice. "The Whole Nation Is a Victim," read one local news headline. An investigation has found that the alleged perpetrator had once worked in South Korea as a software developer for authentication systems at Coupang, which is known for its blockbuster U.S. initial public offering a few years ago. The suspected leaker is believed to be a Chinese national who has moved back to China and is now on the lam, South Korean officials say. They haven't named the person. Even after leaving the firm roughly a year ago, the suspect secretly held on to an internal authentication key that granted him unfettered access to the personal information of Coupang users, South Korean authorities and lawmakers say. The infiltration, using overseas servers, started on June 24. By using the login credentials, the suspect was able to appear as if he were still a Coupang employee when accessing the company's systems.

Read more of this story at Slashdot.

A former Chinese official who fled to the U.S. says Beijing has used advanced surveillance technology from U.S. companies to track, intimidate, and punish him and his family across borders. ABC News reports: Retired Chinese official Li Chuanliang was recuperating from cancer on a Korean resort island when he got an urgent call: Don't return to China, a friend warned. You're now a fugitive. Days later, a stranger snapped a photo of Li in a cafe. Terrified South Korea would send him back, Li fled, flew to the U.S. on a tourist visa and applied for asylum. But even there -- in New York, in California, deep in the Texas desert -- the Chinese government continued to hunt him down with the help of surveillance technology. Li's communications were monitored, his assets seized and his movements followed in police databases. More than 40 friends and relatives -- including his pregnant daughter -- were identified and detained, even by tracking down their cab drivers through facial recognition software. Three former associates died in detention, and for months shadowy men Li believed to be Chinese operatives stalked him across continents, interviews and documents seen by The Associated Press show. The Chinese government is using an increasingly powerful tool to cement its power at home and vastly amplify it abroad: Surveillance technology, much of it originating in the U.S., an AP investigation has found. Within China, this technology helped identify and punish almost 900,000 officials last year alone, nearly five times more than in 2012, according to state numbers. Beijing says it is cracking down on corruption, but critics charge that such technology is used in China and elsewhere to stifle dissent and exact retribution on perceived enemies. Outside China, the same technology is being used to threaten wayward officials, along with dissidents and alleged criminals, under what authorities call Operations "Fox Hunt" and "Sky Net." The U.S. has criticized these overseas operations as a "threat" and an "affront to national sovereignty." More than 14,000 people, including some 3,000 officials, have been brought back to China from more than 120 countries through coercion, arrests and pressure on relatives, according to state information.

Read more of this story at Slashdot.

Online retailer Coupang, often called South Korea's Amazon, is dealing with the fallout from a breach that exposed the personal information of more than 33 million accounts -- roughly two-thirds of the country's population -- after a former contractor allegedly used credentials that remained active months after his departure to access customer data through the company's overseas servers. The breach began in June but went undetected until November 18, according to Coupang and investigators. Police have called it South Korea's worst-ever data breach. The compromised information includes names, phone numbers, email addresses and shipping addresses, though the company says login credentials, credit card numbers, and payment details were not affected. Coupang's former CEO Park Dae-jun told a parliamentary hearing that the alleged perpetrator was a Chinese national who had worked on authentication tasks before his contract ended last December. Chief information security officer Brett Matthes testified that the individual had a "privileged role" giving him access to a private encryption key that allowed him to forge tokens to impersonate customers. Legislators say the key remained active after the employee left. The CEO of Coupang's South Korean subsidiary has resigned. Founder and chair Bom Kim has yet to personally apologize but has been summoned to a second parliamentary hearing.

Read more of this story at Slashdot.

joshuark shares a report from BleepingComputer: More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys. After scanning container images uploaded to Docker Hub in November, security researchers at threat intelligence company Flare found that 10,456 of them exposed one or more keys. The most frequent secrets were access tokens for various AI models (OpenAI, HuggingFace, Anthropic, Gemini, Groq). In total, the researchers found 4,000 such keys. "These multi-secret exposures represent critical risks, as they often provide full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components," Flare notes. [...] Additionally, they found hardcoded API tokens for AI services being hardcoded in Python application files, config.json files, YAML configs, GitHub tokens, and credentials for multiple internal environments. Some of the sensitive data was present in the manifest of Docker images, a file that provides details about the image.Flare notes that roughly 25% of developers who accidentally exposed secrets on Docker Hub realized the mistake and removed the leaked secret from the container or manifest file within 48 hours. However, in 75% of these cases, the leaked key was not revoked, meaning that anyone who stole it during the exposure period could still use it later to mount attacks. Flare suggests that developers avoid storing secrets in container images, stop using static, long-lived credentials, and centralize their secrets management using a dedicated vault or secrets manager. Organizations should implement active scanning across the entire software development life cycle and revoke exposed secrets and invalidate old sessions immediately.

Read more of this story at Slashdot.

"Woman Hailed as Hero for Smashing Man's Meta Smart Glasses on Subway," reads the headline at Futurism: As Daily Dot reports, a New York subway rider has accused a woman of breaking his Meta smart glasses. "She just broke my Meta glasses," said the TikTok user, who goes by eth8n, in a video that has since garnered millions of views. "You're going to be famous on the internet!" he shouted at her through the window after getting off the train. The accused woman, however, peered back at him completely unfazed, as if to say that he had it coming. "I was making a funny noise people were honestly crying laughing at," he claimed in the caption of a followup video. "She was the only person annoyed..." But instead of coming to his support, the internet wholeheartedly rallied behind the alleged perpetrator, celebrating the woman as a folk hero — and perfectly highlighting how the public feels about gadgets like Meta's smart glasses. "Good, people are tired of being filmed by strangers," one user commented. "The fact that no one else on the train is defending him is telling," another wrote... Others accused the man of fabricating details of the incident. "'People were crying laughing' — I've never heard a less plausible NYC subway story," one user wrote. In a comment on TikTok, the man acknowledges he'd filmed her on the subway — it looks like he even zoomed in. The man says then her other options were "asking nicely to not post it or blur my face". He also warns that she could get arrested for breaking his glasses if he "felt like it". (And if he sees her again.) "I filed a claim with the police and it's a misdemeanor charge." A subsequent video's captions describe him unboxing new Meta smartglasses "and I'm about to do my thing again... no crazy lady can stop me now." I'm imagining being mugged — and then telling the mugger "You're going to be internet famous!" But maybe that just shows how easy it is to weaponize smartglasses and their potential for vast public exposure.

Read more of this story at Slashdot.

India is weighing a proposal to mandate always-on satellite tracking in smartphones for precise government surveillance -- an idea strongly opposed by Apple, Google, Samsung, and industry groups. Reuters reports: For years, the [Prime Minister Narendra Modi's] administration has been concerned its agencies do not get precise locations when legal requests are made to telecom firms during investigations. Under the current system, the firms are limited to using cellular tower data that can only provide an estimated area location, which can be off by several meters. The Cellular Operators Association of India (COAI), which represents Reliance's Jio and Bharti Airtel, has proposed that precise user locations should only be provided if the government orders smartphone makers to activate A-GPS technology -- which uses satellite signals and cellular data -- according to a June internal federal IT ministry email. That would require location services to always be activated in smartphones with no option for users to disable them. Apple, Samsung, and Alphabet's Google have told New Delhi that should not be mandated, said three of the sources who have direct knowledge of the deliberations. A measure to track device-level location has no precedent anywhere else in the world, lobbying group India Cellular & Electronics Association (ICEA), which represents both Apple and Google, wrote in a confidential July letter to the government, which was viewed by Reuters. "The A-GPS network service ... (is) not deployed or supported for location surveillance," said the letter, which added that the measure "would be a regulatory overreach." Earlier this week, Modi's government was forced to rescind an order requiring smartphone makers to preload a state-run cyber safety app on all devices after public backlash and privacy concerns.

Read more of this story at Slashdot.

India has withdrawn its order requiring Apple and other smartphone makers to preinstall the government's Sanchar Saathi app after public backlash and privacy concerns. AppleInsider reports: On November 28, the India Ministry of Communication issued a secret directive to Apple and other smartphone manufacturers, requiring the preinstallation of a government-backed app. Less than a week later, the order has been rescinded. The withdrawal on Wednesday means Apple doesn't have to preload the Sanchar Saathi app onto iPhones sold in the country, in a way that couldn't be "disabled or restricted." [...] In pulling back from the demand, the government insisted that the app had an "increasing acceptance" among citizens. There was a tenfold spike of new user registrations on Tuesday alone, with over 600,000 new users made aware of the app from the public debacle. India Minister of Communications Jyotiraditya Scindia took a moment to insist that concerns the app could be used for increased surveillance were unfounded. "Snooping is neither possible nor will it happen" with the app, Scindia claimed. "This is a welcome development, but we are still awaiting the full text of the legal order that should accompany this announcement, including any revised directions under the Cyber Security Rules, 2024," said the Internet Freedom Foundation. It is treating the news with "cautious optimism, not closure," until formalities conclude. However, while promising, the backdown doesn't stop India from retrying something similar or another tactic in the future.

Read more of this story at Slashdot.

Apple does not plan to comply with India's mandate to preload its smartphones with a state-owned cyber safety app that cannot be disabled. According to Reuters, the order "sparked surveillance concerns and a political uproar" after it was revealed on Monday. From the report: In the wake of the criticism, India's telecom minister Jyotiraditya M. Scindia on Tuesday said the app was a "voluntary and democratic system," adding that users can choose to activate it and can "easily delete it from their phone at any time." At present, the app can be deleted by users. Scindia did not comment on or clarify the November 28 confidential directive that ordered smartphone makers to start preloading it and ensure "its functionalities are not disabled or restricted." Apple however does not plan to comply with the directive and will tell the government it does not follow such mandates anywhere in the world as they raise a host of privacy and security issues for the company's iOS ecosystem, said two of the industry sources who are familiar with Apple's concerns. They declined to be named publicly as the company's strategy is private. "Its not only like taking a sledgehammer, this is like a double-barrel gun," said the first source.

Read more of this story at Slashdot.

An anonymous reader quotes a report from 404 Media: Flock, the automatic license plate reader and AI-powered camera company, uses overseas workers from Upwork to train its machine learning algorithms, with training material telling workers how to review and categorize footage including images people and vehicles in the United States, according to material reviewed by 404 Media that was accidentally exposed by the company. The findings bring up questions about who exactly has access to footage collected by Flock surveillance cameras and where people reviewing the footage may be based. Flock has become a pervasive technology in the US, with its cameras present in thousands of communities that cops use every day to investigate things like carjackings. Local police have also performed numerous lookups for ICE in the system. Companies that use AI or machine learning regularly turn to overseas workers to train their algorithms, often because the labor is cheaper than hiring domestically. But the nature of Flock's business -- creating a surveillance system that constantly monitors US residents' movements -- means that footage might be more sensitive than other AI training jobs. [...] Broadly, Flock uses AI or machine learning to automatically detect license plates, vehicles, and people, including what clothes they are wearing, from camera footage. A Flock patent also mentions cameras detecting "race." It included figures on "annotations completed" and "annotator tasks remaining in queue," with annotations being the notes workers add to reviewed footage to help train AI algorithms. Tasks include categorizing vehicle makes, colors, and types, transcribing license plates, and "audio tasks." Flock recently started advertising a feature that will detect "screaming." The panel showed workers sometimes completed thousands upon thousands of annotations over two day periods. The exposed panel included a list of people tasked with annotating Flock's footage. Taking those names, 404 Media found some were located in the Philippines, according to their LinkedIn and other online profiles. Many of these people were employed through Upwork, according to the exposed material. Upwork is a gig and freelance work platform where companies can hire designers and writers or pay for "AI services," according to Upwork's website. The tipsters also pointed to several publicly available Flock presentations which explained in more detail how workers were to categorize the footage. It is not clear what specific camera footage Flock's AI workers are reviewing. But screenshots included in the worker guides show numerous images from vehicles with US plates, including in New York, Michigan, Florida, New Jersey, and California. Other images include road signs clearly showing the footage is taken from inside the US, and one image contains an advertisement for a specific law firm in Atlanta.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: South Korean e-commerce platform Coupang over the weekend said nearly 34 million Korean customers' personal information had been leaked in a data breach that had been ongoing for more than five months. The company said it first detected the unauthorized exposure of 4,500 user accounts on November 18, but a subsequent investigation revealed that the breach had actually compromised about 33.7 million customer accounts in South Korea. The breach affected customers' names, email addresses, phone numbers, shipping addresses, and certain order histories, per Coupang. More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure, the company said. [...] Police have reportedly identified at least one suspect, a former Chinese Coupang employee now abroad, after launching an investigation following a November 18 complaint.

Read more of this story at Slashdot.