The San Francisco Police Department released hours of drone footage showing granular urban surveillance, while the City Attorney’s Office sent cease-and-desist letters to Apple and Google. The tech giants were ordered to remove 13 AI apps from their stores that swap faces to create nude images, primarily targeting women and girls.
In this article
Since WIRED first reported on Meta’s NameTag system in June, company executives have offered confusing statements about whether the feature exists. We have separated the claims from the facts regarding the actual system.
President Donald Trump continued to push unsubstantiated claims about interference in the 2020 US election during a speech on Thursday. He promised massive revelations from documents posted to the White House website, but the files did not prove his assertions and in some cases contradicted them.
Anthropic continues to push for US states to regulate AI as adoption grows. Cesar Fernandez, head of US state and local government relations at the company, told WIRED this week that transparency-focused safety bills in California and New York were an important start. He added that policy responses need to match the quick advance of AI system capabilities.
We round up security and privacy news each week. Click the headlines to read the full stories.
Mozilla Graded Period Trackers on Privacy. Only One Aced It
The astrology-themed period tracker Stardust sends users’ reproductive health details to a data firm not named in its privacy policy, according to the BBC. The audit was produced in partnership with Harvard’s Berkman Klein Center.
Stardust scored 2 out of 10, the worst of the group. Mozilla researcher Shoshana Wodinsky found the app pings third-party trackers from the moment it opens, before a user enters anything. The instant she logged a symptom, the details went to analytics firm RudderStack alongside a persistent user ID, with no in-app way to shut the sharing off. RudderStack is built to route data onward to destinations Mozilla could not observe. Stardust also hands Facebook an ad identifier that ties in-app behavior to the platform’s existing profiles. The company told TechCrunch it has never received a legal demand for user data.
Euki, a nonprofit-run tracker, earned a perfect 10: no account required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or pull up a decoy screen if someone forces the phone open. Its one soft spot is an in-app browser for educational pages that loads the usual web trackers, but it also resets identifiers between visits.
Russia’s FSB Sanctioned for Cyberattack on Polish Infrastructure
Russia’s FSB has long had a reputation for highly sophisticated cyberespionage, leaving disruptive cyberattacks to its fellow hackers in the country’s GRU military intelligence agency. But sanctions from the EU and UK this week, along with an advisory from the US Cybersecurity and Infrastructure Security Agency, the FBI, and the NSA, pinned a cyberattack against the Polish electric grid on Center 16 of the FSB. This is a rare example of the Kremlin agency carrying out a cyberattack that nearly caused outages in the country’s electric and water utilities.
The attack, which the Polish government has said came “very close” to causing a blackout, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as Unit 74455 of the GRU. This is a more usual suspect in infrastructure hacking given its active role in Russia’s long-running cyberwar against Ukraine. But the Polish computer emergency response team at the time disputed that finding and tied the attack to the FSB, a conclusion now supported by a wide consensus of Western governments. The incident suggests that the FSB may be taking on some of the reckless, highly aggressive tendencies—and targeting—of its GRU coworkers.
Obrevko has pleaded not guilty to the hacking charges. Kaspersky responded in a statement to Reuters that “the offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky.”
A Real DHS Breach Was Twice Ruled a False Positive
DHS officials ruled—twice—that signs of a hacker breach in its data-sharing Homeland Security Information Network platform were false positives when they were, in fact, signs of a very real intrusion. HSIN, used for sharing unclassified data between state, local, and federal agencies, as well as foreign partners, was breached by hackers two months ago, according to reporting from Nextgov/FCW.
Analysts at the Federal Emergency Management Agency spotted signs of hacker activity in mid-May—altering files and code, hijacking a legitimate web server, and deleting logs of their behavior—but the findings were dismissed as a false positive. In the weeks that followed, the hackers returned, were again detected, and were again dismissed as a mirage. It is not clear why the signs of the breach were misjudged, but the incidents may represent federal analysts’ increasing challenges in detecting “living off the land” hacking techniques that use legitimate features of networks to access target assets on a network rather than planting more easily spotted malware. While the HSIN houses only unclassified data, the information is “highly sensitive,” Senate Intelligence Committee vice chair Mark Warner said in a statement following the report of the breach, and “its exposure risks national security.”
Hack Exposes an AI Music Generator’s Scraping Secrets
The AI music startup Suno scraped millions of songs, lyrics, and podcasts from YouTube Music, Deezer, Genius, and a string of stock-audio libraries to train its models, according to 404 Media, which reviewed internal data provided by a hacker who breached the company. The intrusion also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment records.
Dataset notes in source code apparently from 2023 and 2024 tally 113,879 hours of YouTube Music audio alone, plus tens of thousands more from Pond5, Deezer, and other libraries—decades of music in total. Other files show Suno routing its YouTube scraping through Bright Data proxies and using PodcastIndex to target roughly 1 million hours of podcasts. The hacker, who goes by ellie.191, says they broke in by compromising an employee with the Shai-Hulud worm.
The files seemingly corroborate the record industry’s central allegation that Suno pulled songs directly from YouTube. The company, which argues that its training qualifies as fair use and settled with Warner Music Group last November, said the breach involved outdated code and no sensitive personal information—though customers whose data appeared in a sample shared with 404 Media said they were never notified.
What it means
For users of creative tools like Suno, the breach confirms that training data comes directly from scraped public sources rather than licensed libraries. This means creators cannot rely on the platform’s claims about fair use when their own work is used to train models without permission. The exposure of payment records also means customers should expect to monitor their accounts for fraud.




