An anonymous reader quotes a report from Axios: Tinder is mandating new users in California verify their profiles using facial recognition technology starting Monday, executives exclusively tell Axios. The move aims to reduce impersonation and is part of Tinder parent Match Group's broader effort to improve trust and safety amid ongoing user frustration. The Face Check feature prompts users to take a short video selfie during onboarding. The biometric face scan, powered by FaceTec, then confirms the person is real and present and whether their face matches their profile photos. It also checks if the face is used across multiple accounts. If the criteria are met, the user receives a photo verified badge on their profile. The selfie video is then deleted. Tinder stores a non-reversible, encrypted face map to detect duplicate profiles in the future.

Face Check is separate from Tinder's ID Check, which uses a government-issued ID to verify age and identity. "We see this as one part of a set of identity assurance options that are available to users," Match Group's head of trust and safety Yoel Roth says. "Face Check ... is really meant to be about confirming that this person is a real, live person and not a bot or a spoofed account." "Even if in the short term, it has the effect of potentially reducing some top-line user metrics, we think it's the right thing to do for the business," Rascoff said.

Encrypted communications provider Proton has joined an antitrust lawsuit against Apple, filing a legal complaint that claims the company's App Store practices harm developers, consumers, and privacy. The Switzerland-based firm joined a group of Korean developers who sued Apple in May rather than filing a separate case.

Proton asked the US District Court for Northern California to require Apple to allow alternative app stores, expose those stores through its own App Store, permit developers to disable Apple's in-app payment system, and provide full access to Apple APIs. The company added a privacy-focused argument to typical antitrust complaints, contending that Apple's pricing model particularly penalizes companies that refuse to harvest user data. Developers of free apps typically sell user data to cover costs, while privacy-focused companies like Proton must charge subscriptions for revenue, making Apple's commission cuts more burdensome.

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Justice announced on Monday that it had taken several enforcement actions against North Korea's money-making operations, which rely on undercover remote IT workers inside American tech companies to raise funds for the regime's nuclear weapons program, as well as to steal data and cryptocurrency. As part of the DOJ's multi-state effort, the government announced the arrest and indictment of U.S. national Zhenxing "Danny" Wang, who allegedly ran a years-long fraud scheme from New Jersey to sneak remote North Korean IT workers inside U.S. tech companies. According to the indictment, the scheme generated more than $5 million in revenue for the North Korean regime. [...]

From 2021 until 2024, the co-conspirators allegedly impersonated more than 80 U.S. individuals to get remote jobs at more than 100 American companies, causing $3 million in damages due to legal fees, data breach remediation efforts, and more. The group is said to have run laptop farms inside the United States, which the North Korean IT workers could essentially use as proxies to hide their provenance, according to the DOJ. At times, they used hardware devices known as keyboard-video-mouse (KVM) switches, which allow one person to control multiple computers from a single keyboard and mouse. The group allegedly also ran shell companies inside the U.S. to make it seem like the North Korean IT workers were affiliated with legitimate local companies, and to receive money that would then be transferred abroad, the DOJ said.

The fraudulent scheme allegedly also involved the North Korean workers stealing sensitive data, such as source code, from the companies they were working for, such as from an unnamed California-based defense contractor "that develops artificial intelligence-powered equipment and technologies."

TorrentFreak spotlights VP.net, a brand-new service from Private Internet Access founder Andrew Lee (the guy who gifted Linux Journal to Slashdot) that eliminates the classic "just trust your VPN" problem by locking identity-mapping and traffic-handling inside Intel SGX enclaves. The company promises 'cryptographically verifiable privacy' by using special hardware 'safes' (Intel SGX), so even the provider can't track what its users are up to.

The design goal is that no one, not even the VPN company, can link "User X" to "Website Y."

Lee frames it as enabling agency over one's privacy:

"Our zero trust solution does not require you to trust us - and that's how it should be. Your privacy should be up to your choice - not up to some random VPN provider in some random foreign country."
The team behind VP.net includes CEO Matt Kim as well as arguably the first Bitcoin veterans Roger Ver and Mark Karpeles.

Ask Slashdot: Now that there's a VPN where you don't have to "just trust the provider" - arguably the first real zero-trust VPN - are trust based VPNs obsolete?

The Free Software Foundation is a non-profit — and they're having some fun with it.

They've just announced a summer fundraiser, "and that means the GNU Press Shop is open!" From now until July 28, you can buy your FSF gear at the GNU Press shop. First and foremost, there's the launch of the FSF's fortieth anniversary shirt in a summery yellow. We're taking orders for a limited time for these (until July 28), and then printing them — you should have yours on your shoulders a few weeks after the shop closes.

We've also restocked some favorites in the shop:

- A fresh batch of the popular Ada & Zangemann: A Tale of Software, Skateboards, and Raspberry Ice Cream book by Matthias Kirschner from the Free Software Foundation Europe (FSFE). This tale of software, skateboards, and raspberry ice cream teaches kids how neat and exciting it is having control over your software, a perfect fun summer read!

- Reading is hard in the glaring sun, so shade your eyes with a freshly restocked GNU baseball cap in pitch black with brilliant gold embroidery. These are great for wearing anywhere, especially to free software events.

- For privacy, protect yourself from surveillance with ease and panache with this slick webcam guard.

We also hope you'll consider becoming an FSF associate member, putting yourself at the heart of our commitment to ensuring a world where all software respects our freedom and dignity. Plus, you'll help us reach our summer fundraising goal of 200 new associate members before July 11, and of course you'll also receive a 20% discount at the GNU Press Shop. A note about shipping: the GNU Press shop opens periodically, and we collect all orders during this time and schedule orders to be sent out on specific shipping dates with the help of volunteers. We will be doing the shipping at the end of the FSF's fundraiser, which means there will be a delay between placing your order and receiving it...

If you happen to be in the Boston area in July, and would like to support the FSF's work, we are looking for volunteers to help pack and ship our orders.
Also on sale are the book "Free as in Freedom 2.0" (Richard Stallman's 2010 revision of the 2002 biography by Sam Williams with extensive additional commentary) and "Free Software Free Society: Selected Essays of Richard M. Stallman" (the 3rd edition published in 2015).

And there's also several other books, t-shirts, other FSF-branded gear, and even a sticker that warns people "There is no cloud... just other people's computers."

The Canadian government has ordered Chinese surveillance camera manufacturer Hikvision to cease operations in Canada over national security concerns, Industry Minister Melanie Joly said late on Friday. From a report: Hikvision, also known as Hangzhou Hikvision Digital Technology Co, has faced numerous sanctions and restrictions by Canada's neighbor, the United States, over the past five and a half years for the firm's dealings and the use of its equipment in China's Xinjiang region, where rights groups have documented abuses against the Uyghur population and other Muslim communities.

"The government has determined that Hikvision Canada's continued operations in Canada would be injurious to Canada's national security," Joly said on X, adding that the decision was taken after a multi-step review of information provided by Canada's security and intelligence community."

Steven J. Vaughan-Nichols writes in an opinion piece for The Register: Microsoft, tactically admitting it has failed at talking all the Windows 10 PC users into moving to Windows 11 after all, is -- sort of, kind of -- extending Windows 10 support for another year. For most users, that means they'll need to subscribe to Microsoft 365. This, in turn, means their data and meta-information will be kept in a US-based datacenter. That isn't sitting so well with many European Union (EU) organizations and companies. It doesn't sit that well with me or a lot of other people either.

A few years back, I wrote in these very pages that Microsoft didn't want you so much to buy Windows as subscribe to its cloud services and keep your data on its servers. If you wanted a real desktop operating system, Linux would be almost your only choice. Nothing has changed since then, except that folks are getting a wee bit more concerned about their privacy now that President Donald Trump is in charge of the US. You may have noticed that he and his regime love getting their hands on other people's data.

Privacy isn't the only issue. Can you trust Microsoft to deliver on its service promises under American political pressure? Ask the EU-based International Criminal Court (ICC) which after it issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu for war crimes, Trump imposed sanctions on the ICC. Soon afterward, ICC's chief prosecutor, Karim Khan, was reportedly locked out of his Microsoft email accounts. Coincidence? Some think not. Microsoft denies they had anything to do with this.

Peter Ganten, chairman of the German-based Open-Source Business Alliance (OSBA), opined that these sanctions ordered by the US which he alleged had been implemented by Microsoft "must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures." Microsoft chairman and general counsel, Brad Smith, had promised that it would stand behind its EU customers against political pressure. In the aftermath of the ICC reports, Smith declared Microsoft had not been "in any way [involved in] the cessation of services to the ICC." In the meantime, if you want to reach Khan, you'll find him on the privacy-first Swiss email provider, ProtonMail.

In short, besides all the other good reasons for people switching to the Linux desktop - security, Linux is now easy to use, and, thanks to Steam, you can do serious gaming on Linux - privacy has become much more critical. That's why several EU governments have decided that moving to the Linux desktop makes a lot of sense... Besides, all these governments know that switching from Windows 10 to 11 isn't cheap. While finances also play a role, and I always believe in "following the money" when it comes to such software decisions, there's no question that Europe is worried about just how trustworthy America and its companies are these days. Do you blame them? I don't. The shift to the Linux desktop is "nothing new," as Vaughan-Nichols notes. Munich launched its LiMux project back in 2004 and, despite ending it in 2017, reignited its open-source commitment by establishing a dedicated program office in 2024. In France, the gendarmerie now operates over 100,000 computers on a custom Ubuntu-based OS (GendBuntu), while the city of Lyon is transitioning to Linux and PostgreSQL.

More recently, Denmark announced it is dropping Windows and Office in favor of Linux and LibreOffice, citing digital sovereignty. The German state of Schleswig-Holstein is following suit, also moving away from Microsoft software. Meanwhile, a pan-European Linux OS (EU OS) based on Fedora Kinoite is being explored, with Linux Mint and openSUSE among the alternatives under consideration.

Facebook is prompting users to opt into a feature that uploads photos from their camera roll -- even those not shared on the platform -- to Meta's servers for AI-driven suggestions like collages and stylized edits. While Meta claims the content is private and not used for ads, opting in allows the company to analyze facial features and retain personal data under its broad AI terms, raising privacy concerns. TechCrunch reports: The feature is being suggested to Facebook users when they're creating a new Story on the social networking app. Here, a screen pops up and asks if the user will opt into "cloud processing" to allow creative suggestions. As the pop-up message explains, by clicking "Allow," you'll let Facebook generate new ideas from your camera roll, like collages, recaps, AI restylings, or photo themes. To work, Facebook says it will upload media from your camera roll to its cloud (meaning its servers) on an "ongoing basis," based on information like time, location, or themes.

The message also notes that only you can see the suggestions, and the media isn't used for ad targeting. However, by tapping "Allow," you are agreeing to Meta's AI Terms. This allows your media and facial features to be analyzed by AI, it says. The company will additionally use the date and presence of people or objects in your photos to craft its creative ideas. [...] According to Meta's AI Terms around image processing, "once shared, you agree that Meta will analyze those images, including facial features, using AI. This processing allows us to offer innovative new features, including the ability to summarize image contents, modify images, and generate new content based on the image," the text states.

The same AI terms also give Meta's AIs the right to "retain and use" any personal information you've shared in order to personalize its AI outputs. The company notes that it can review your interactions with its AIs, including conversations, and those reviews may be conducted by humans. The terms don't define what Meta considers personal information, beyond saying it includes "information you submit as Prompts, Feedback, or other Content." We have to wonder whether the photos you've shared for "cloud processing" also count here.

Germany's data protection commissioner has urged Apple and Google to remove Chinese AI startup DeepSeek from their app stores due to concerns about data protection. Reuters reports: Commissioner Meike Kamp said in a statement on Friday that she had made the request because DeepSeek illegally transfers users' personal data to China. The two U.S. tech giants must now review the request promptly and decide whether to block the app in Germany, she added, though her office has not set a precise timeframe. According to its own privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI program or uploaded files, on computers in China.

"DeepSeek has not been able to provide my agency with convincing evidence that German users' data is protected in China to a level equivalent to that in the European Union," [Commissioner Meike Kamp] said. "Chinese authorities have far-reaching access rights to personal data within the sphere of influence of Chinese companies," she added. The commissioner said she took the decision after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app. DeepSeek did not comply with this request, she added.

An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.

The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. "This is due to the discovery of the default password generation procedure used by Brother devices," Rapid7 explained. "This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process."

Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication. Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.

An anonymous reader quotes a report from Ars Technica: After sending cease-and-desist letters to VMware users whose support contracts had expired and who subsequently declined to subscribe to one of Broadcom's VMware bundles, Broadcom has started the process of conducting audits on former VMware customers. [...] Ars Technica reviewed a letter that a software provider and VMware user in the Netherlands received that is dated June 20 and informs the firm that it "has been selected for a formal audit of its use of VMware software and support services" [PDF]. The security professional who provided Ars with the letter asked to keep their name and their employers' name anonymous out of privacy concerns.

The anonymous employee told Ars that their company had been a VMware customer for "about" a decade before deciding not to sign up for a new contract with Broadcom's VMware a year ago. The company had been using VMware Cloud Foundation and vSphere. "Our CEO decided to not extend the support contract because of the costs," the employee said. "This already impacts us security-wise because we can no longer get updates (unless the CVSS score is critical)." The letter notes that an auditing firm, Connor Consulting, which is headquartered in San Francisco and has offices around the globe, will perform a review of the company's "VMware deployment and entitlements, which may include fieldwork or remote testing and meetings with members of your accounting, licensing, and management information systems functions." The letter informs its recipient that someone from Connor will reach out and that the VMware user should respond within three business days.

The letter, signed by Aiden Fitzgerald, director of global sales operations at Broadcom, claims that Broadcom will use its time "as efficiently and productively as possible to minimize disruption." Still, the security worker that Ars spoke with is concerned about the implications of the audit and said they "expect a big financial impact" for their employer. They added: "Because we are focusing on saving costs and are on a pretty tight financial budget, this will likely have impact on the salary negotiations or even layoffs of employees. Currently, we have some very stressed IT managers [and] legal department [employees] ..." The employee noted that they are unsure if their employer exceeded its license limits. If the firm did, it could face "big" financial repercussions, the worker noted.

U.S. lawmakers have reintroduced the bipartisan Open App Markets Act, aiming to curb Apple and Google's control over mobile app stores by promoting competition, supporting third-party marketplaces and sideloading, and safeguarding developer rights. AppleInsider reports: The Open App Markets Act seeks to do a number of things, including:
- Protect developers' rights to tell consumers about lower prices and offer competitive pricing;
- Protect sideloading of apps;
- Promote competition by opening the market to third-party app stores, startup apps, and alternative payment systems;
- Make it possible for developers to offer new experiences that take advantage of consumer device features;
- Give consumers greater control over their devices;
- Prevent app stores from disadvantaging developers; and
- Establish safeguards to preserve consumer privacy, security, and safety.

This isn't the first time we've seen this bill, either. In 2021, Senators Blumenthal, Klobuchar, and Blackburn had attempted to put forth the original version of the Open App Markets Act.However, the initial bill never made it to the floor for an office vote. Thanks to last-minute efforts by lobbying groups and appearances from chief executives, the bill eventually stalled out.

While the two bills are largely similar, the revised version introduces several key differences. Notably, the new version includes new carve-outs aimed at protecting intellectual property and addressing potential national security concerns.There's also a new clause that would prohibit punitive actions against developers for enabling remote access to other apps. The clause addition harkens back to the debacle between Apple and most game streaming services -- though in 2024, Apple loosened its App Store guidelines to allow cloud gaming and emulation.

There are a few new platform-protective clauses added, too. For instance, it would significantly lower the burden of proof for either Apple or Google to block platform access to a third-party app.Additionally, it reinforces the fact that companies like Apple or Google will not need to provide support or refunds for third-party apps installed outside of first-party app marketplaces. The full bill can be found here.

Psylo, a new privacy-focused iOS browser by Mysk, aims to defeat digital fingerprinting by isolating each browser tab with its own IP address, unique fingerprinting defenses, and proxy-based encryption. "Psylo stands out as it is the only WebKit-based iOS browser that truly isolates tabs," Tommy Mysk told The Register. "It's not only about separate storage and cookies. Psylo goes beyond that."

"This is why we call tabs 'silos.' It applies unique anti-fingerprinting measures per silo, such as canvas randomization. This way two Psylo tabs opening the same website would appear as though they originated on two different devices to the opened website." From the report: The company claims Psylo therefore offers better privacy than a VPN because the virtual networks mask the user's IP address but generally don't alter the data used for fingerprinting. Psylo, for example, will adjust the browser's time zone and browser language to match the geolocation of each proxy, resulting in more entropy that means fingerprints created by gathering data from silos will appear to be different.

The Mysk devs' post states that some privacy-focused browsers like Brave also implement anti-fingerprinting measures like canvas randomization, but those are more effective on the desktop macOS app due to Apple's iOS restrictions. They claim that they were able to achieve better results on iOS by using a client-side JavaScript solution. Mysk designed Psylo to minimize the information available to its maker. It doesn't log personally identifiable information or browsing data that the curious could use to identify the user, the company claims, noting that it also doesn't have customer payment information, which is handled by Apple. There are no user accounts, only randomized identifiers to indicate active subscriptions. According to Tommy Mysk, the only subscriber data kept is bandwidth usage, which is necessary to prevent abuse.

"We aggregate bandwidth usage based on a randomly generated ID that is created when a subscription is made," Mysk said. "The randomly generated ID is associated with the Apple subscription transaction. Apple doesn't share the identity of users making App Store purchases with developers." Asked whether Apple could identify users, Mysk said, "Theoretically and given a court order, Apple can figure out the randomly generated ID of the user in question. If we were to hand out the data associated with the randomly generated ID, it would only be the bandwidth usage of that user in the current month, and two months in the past. Older data is automatically deleted. "We don't associate any identifiable information with the randomly generated ID. We don't store IP addresses at all in every component of our system. We don't store websites visited by our users at all." The browser is only available on iOS and iPadOS, but Mysk says an Android version could be developed if there's enough interest. It costs $9.99 per month or $99 per year in the U.S.

An anonymous reader quotes a report from Ars Technica: After a court ordered OpenAI to "indefinitely" retain all ChatGPT logs, including deleted chats, of millions of users, two panicked users tried and failed to intervene. The order sought to preserve potential evidence in a copyright infringement lawsuit raised by news organizations. In May, Judge Ona Wang, who drafted the order, rejected the first user's request (PDF) on behalf of his company simply because the company should have hired a lawyer to draft the filing. But more recently, Wang rejected (PDF) a second claim from another ChatGPT user, and that order went into greater detail, revealing how the judge is considering opposition to the order ahead of oral arguments this week, which were urgently requested by OpenAI.

The second request (PDF) to intervene came from a ChatGPT user named Aidan Hunt, who said that he uses ChatGPT "from time to time," occasionally sending OpenAI "highly sensitive personal and commercial information in the course of using the service." In his filing, Hunt alleged that Wang's preservation order created a "nationwide mass surveillance program" affecting and potentially harming "all ChatGPT users," who received no warning that their deleted and anonymous chats were suddenly being retained. He warned that the order limiting retention to just ChatGPT outputs carried the same risks as including user inputs, since outputs "inherently reveal, and often explicitly restate, the input questions or topics input."

Hunt claimed that he only learned that ChatGPT was retaining this information -- despite policies specifying they would not -- by stumbling upon the news in an online forum. Feeling that his Fourth Amendment and due process rights were being infringed, Hunt sought to influence the court's decision and proposed a motion to vacate the order that said Wang's "order effectively requires Defendants to implement a mass surveillance program affecting all ChatGPT users." [...] OpenAI will have a chance to defend panicked users on June 26, when Wang hears oral arguments over the ChatGPT maker's concerns about the preservation order. In his filing, Hunt explained that among his worst fears is that the order will not be blocked and that chat data will be disclosed to news plaintiffs who may be motivated to publicly disseminate the deleted chats. That could happen if news organizations find evidence of deleted chats they say are likely to contain user attempts to generate full news articles.

Wang suggested that there is no risk at this time since no chat data has yet been disclosed to the news organizations. That could mean that ChatGPT users may have better luck intervening after chat data is shared, should OpenAI's fight to block the order this week fail. But that's likely no comfort to users like Hunt, who worry that OpenAI merely retaining the data -- even if it's never shared with news organizations -- could cause severe and irreparable harms. Some users appear to be questioning how hard OpenAI will fight. In particular, Hunt is worried that OpenAI may not prioritize defending users' privacy if other concerns -- like "financial costs of the case, desire for a quick resolution, and avoiding reputational damage" -- are deemed more important, his filing said.

An anonymous reader shares a report: AI firm DeepSeek is aiding China's military and intelligence operations, a senior U.S. official told Reuters, adding that the Chinese tech startup sought to use Southeast Asian shell companies to access high-end semiconductors that cannot be shipped to China under U.S. rules. The U.S. conclusions reflect a growing conviction in Washington that the capabilities behind the rapid rise of one of China's flagship AI enterprises may have been exaggerated and relied heavily on U.S. technology.

[...] "We understand that DeepSeek has willingly provided and will likely continue to provide support to China's military and intelligence operations," a senior State Department official told Reuters in an interview. "This effort goes above and beyond open-source access to DeepSeek's AI models," the official said, speaking on condition of anonymity in order to speak about U.S. government information. Chinese law requires companies operating in China to provide data to the government when requested. But the suggestion that DeepSeek is already doing so is likely to raise privacy and other concerns for the firm's tens of millions of daily global users.

An artist cancelled their Duolingo and Audible subscriptions to protest the companies' decisions to use more AI. "If enough people leave, hopefully they kind of rethink this," the artist tells the Washington Post.

And apparently, many more people feel the same way... In thousands of comments and posts about Audible and Duolingo that The Post reviewed across social media — including on Reddit, YouTube, Threads and TikTok — people threatened to cancel subscriptions, voiced concern for human translators and narrators, and said AI creates inferior experiences. "It destroys the purpose of humanity. We have so many amazing abilities to create art and music and just appreciate what's around us," said Kayla Ellsworth, a 21-year-old college student. "Some of the things that are the most important to us are being replaced by things that are not real...."

People in creative jobs are already on edge about the role AI is playing in their fields. On sites such as Etsy, clearly AI-generated art and other products are pushing out some original crafters who make a living on their creations. AI is being used to write romance novels and coloring books, design logos and make presentations... "I was promised tech would make everything easier so I could enjoy life," author Brittany Moone said. "Now it's leaving me all the dishes and the laundry so AI can make the art."
But will this turn into a consumer movement? The article also cites an assistant marketing professor at Washington State University, who found customers are now reacting negatively to the term "AI" in product descriptions — out of fear for losing their jobs (as well as concerns about quality and privacy). And he does predict this can change the way companies use AI.

"There will be some companies that are going to differentiate themselves by saying no to AI." And while it could be a niche market, "The people will be willing to pay more for things just made by humans."

An anonymous reader quotes a report from Ars Technica: Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare. The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Cloudflare said the attackers "carpet bombed" an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack. [...] Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used identify resources available to applications connecting through the Remote Procedure Call. Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.

An anonymous reader quotes a report from Cybernews: Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials. The data most likely originates from various infostealers. Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

Our team has been closely monitoring the web since the beginning of the year. So far, they've discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records. None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a "mysterious database" with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.

"This is not just a leak -- it's a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets -- these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," researchers said. The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances. Key details to be aware of: - The records include billions of login credentials, often structured as URL, login, and password.
- The datasets include both old and recent breaches, many with cookies, tokens, and metadata, making them especially dangerous for organizations without multi-factor authentication or strong credential practices.
- Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.
- The largest dataset alone includes 3.5 billion records, while one associated with the Russian Federation has over 455 million; many dataset names suggest links to malware or specific regions.
- Ownership of the leaked data is unclear, but its potential for phishing, identity theft, and ransomware is severe -- especially since even a - Basic cyber hygiene -- such as regularly updating strong passwords and scanning for malware -- is currently the best line of defense for users.

Iranian state television has instructed residents to delete WhatsApp from their smartphones, claiming the messaging platform gathers user information to share with Israel.

The local media provided no evidence supporting these allegations but additionally encouraged residents to avoid other "location-based" apps. WhatsApp has disputed the claims, with a spokesperson telling Time magazine the Meta-owned platform uses end-to-end encryption and does not track precise locations, keep messaging logs, or provide bulk information to governments.

The episode comes at a time when Iran is simultaneously experiencing a "near-total national Internet blackout," according to NetBlock, an internet governance monitoring organization. The disruption follows earlier partial outages amid escalating military tensions with Israel after days of missile strikes between the countries.

Further reading, from earlier this week: Iran Bans Officials From Using Internet-Connected Devices.

Facebook now supports passkeys for login, offering users a more secure, phishing-resistant alternative to passwords by using biometrics or a PIN stored on their device. The feature is rolling out to iOS and Android "soon," while Messenger will get the feature "in the coming months." Lifehacker reports: Meta seems pretty excited about the news -- and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock out your encrypted Messenger chats.