Hours of San Francisco Police Department Drone video footage revealed on the open web ushers in a new era of incredibly granular—and consequential—urban monitoring. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding Tech giants release 13 nude AI “face-swapping” apps from their app stores which are almost exclusively used to target women and girls.
Since WIRED first reported in June about Meta’s NameTag facial recognition system, company executives have offered vague and conflicting comments about whether the feature exists. We took a step back keep claims and facts about the actual system.
In a speech on Thursday, President Donald Trump continued to push claims that have not been proven and have been completely denied about interference in the 2020 US election. He even promised major disclosures in a series of documents posted on the White House website, but the files did not support his claims—and in some cases actually contradicted Trump’s claims.
As the use of AI tools rapidly expands and their capabilities increase, the tech giant Anthropic continued the push to get US states to control AI. Speaking about AI transparency requirements in California and New York starting last year, Anthropic’s head of US government and local government relations, Cesar Fernandez, told WIRED this week, “The 2025 transparency-focused security bills were a very important start, but the capabilities of AI systems continue to advance rapidly — policy responses need to keep pace.”
And there is more. Each week, we round up security and privacy news that we didn’t cover in depth ourselves. Click on the headlines to read the full story. And stay safe out there.
Astrology period tracker Stardust sends users’ reproductive health information—type of birth control, pregnancy status, mood and specific symptoms like tender breasts and abdominal pain—to a data company that isn’t named in its privacy policy, according to the BBCwhich first reported the Mozilla Foundation’s review of six popular trackers produced in collaboration with Harvard’s Berkman Klein Center.
Stardust scored 2 out of 10worst of the bunch. Mozilla researcher Shoshana Wodinsky found the app tracks third-party trackers from the moment it’s opened, before the user enters anything; once he got the signal, the information went to the analytics company RudderStack along with a persistent user ID, with no in-app way to disable sharing. RudderStack is designed to route data to places Mozilla couldn’t see. Stardust also assigns Facebook an ad identifier that links in-app behavior to existing platform profiles. That company he told TechCrunch has never received a legal request for user data.
Euki, a non-profit organization tracker, got a perfect 10: no account required, health data never leaves the phone, and users can set a PIN, schedule an automatic wipe, or pull a cheat screen if someone force unlocks the phone. Its soft spot is an in-app browser for educational pages that loads standard web trackers, but also resets credentials between visits.
Russia’s FSB has long had a reputation for sophisticated cyber espionage, leaving cyber attacks to their fellow hackers in the country’s military intelligence agency GRU. But sanctions from the EU and Britain this week, along with advice from the US Cybersecurity and Infrastructure Agency, the FBI, and the NSA, put a cyber attack on Poland’s power grid at FSB Station 16, a rare example of a Kremlin agent carrying out a cyber attack that nearly cut off the country’s water supply. The attack, which the Polish government said was “very close” to causing the blackout, was initially linked to cyber security firms Dragos and ESET. Sandalso known as the GRU’s Unit 74455, the most common suspect in infrastructure hacking due to its large role in Russia’s long-running cyber war against Ukraine. But the Polish computer emergency response team at the time argued that the search and closure of the attack was to the FSB, a conclusion that is now supported by the broad consensus of Western governments. The incident suggests that the FSB may have adopted some of the reckless, aggressive tendencies of—and targeted—GRU colleagues.
For years, the Russian cyber security company Kaspersky has been accused of having ties to the Russian government, including by US officials who banned the use of the company’s products within the US government and eventually all US customers. Yet clear evidence of such connections has been scarce. Now Reuters is reporting that Denis Obrezko, the Russian man facing hacking charges in Boston and alleged member of the hacker group known as Void Blizzard or Laundry Bear, spent two years working at Kaspersky. His tenure at the company came just before he joined another cybersecurity firm, Yutek-NN, where he allegedly participated in the group’s hacking campaign that stole data and communications from multiple NATO governments and at least 11 U.S. companies, according to U.S. prosecutors. Before Kaspersky, Obrevko also allegedly worked for the FSB, carefully balancing his time at the company with visible work for Russia’s intelligence services.
Obrevko has denied the hacking charges. Kaspersky responded in a statement to Reuters that “the alleged offenses cannot be attributed to the person’s role or duties during employment at Kaspersky.”
In an event that will raise concerns for anyone involved in evaluating suspicious cyber activity, DHS officials determined—twice—that signs of a hacker breach in its National Security Intelligence Network data-sharing platform were false positives when, in fact, they were signs of a real intrusion. The HSIN, used to share declassified data between state, local and federal agencies, as well as foreign partners, was breached by hackers two months ago, according to a report from Nextgov/FCW. Analysts at the Federal Emergency Management Agency saw signs of hacker activity in mid-May—altering files and code, hijacking legitimate web servers, and deleting logs of their behavior—but the results were dismissed as false positives.
In the weeks that followed, the hackers returned, were discovered again, and were once again dismissed as mirages. It’s not clear why the symptoms of the breach were misjudged, but the incidents may represent the increasing challenges federal analysts have in detecting “survival” hacking techniques that use legitimate network components to access targeted assets on the Internet rather than planting more easily visible malware. Although the HSIN contains only declassified data, the information is “extremely sensitive,” Senate Intelligence Committee vice chairman Mark Warner said in a statement following the breach report, and “its disclosure poses a national security risk.”
AI music startup Suno scraped millions of songs, lyrics and podcasts from YouTube Music, Deezer, Genius, and an array of audio libraries to train its models, according to 404 Media, which reviewed internal data provided by the hacker who breached the company. The hack also exposed account information for hundreds of thousands of customers, including email addresses, phone numbers and Stripe payment records.
The dataset notes in the source code it appears from 2023 and 2024 total 113,879 hours of YouTube Music audio alone, plus tens of thousands more from Pond5, Deezer and other libraries—several decades of music in total. Other files show Suno routing its YouTube through Bright Data proxies and using PodcastIndex to target about 1 million hours of podcasts. The hacker, who goes by ellie.191, says they got in by infecting the worker with the Shai-Hulud bug.
The files appear to confirm the record industry’s main claim that Suno pulled songs directly from YouTube. The company, which argues that its training qualifies as fair use and was settled by Warner Music Group last November, said the breach involved outdated protocols and no sensitive personal information—although customers whose data appeared in the sample shared with 404 Media said they were never notified.




