Hacking the EU’s New Age-Verification App Can Be Done in Just 2 Minutes

Heading out for a major event at Madison Square Garden? Enjoy yourself—but consider this a cautionary note.

A recent WIRED investigation unveiled startling facts about the extensive surveillance measures implemented by MSG owner Jim Dolan and security chief John Eversole. Court documents and WIRED sources reveal that attendees at the Garden and other venues owned by Dolan have faced facial recognition, social media scrutiny, in-person monitoring, and more.

The US government’s warrantless wiretap authority faced a setback this week. Despite President Donald Trump pushing for a long-term renewal of the controversial Section 702 spy program, 20 Republican House members voted against a full reauthorization, compelling Speaker Mike Johnson to merely extend the program for another 10 days.

Meta’s Ray-Ban and Oakley AI smartglasses are encountering backlash—rightfully so. Over 70 civil society organizations, including the ACLU and the National Organization for Women, sent a letter to the company this week, urging it to halt any plans to implement facial recognition features in its AI glasses. These groups argue that adding facial recognition to devices that can covertly film will further diminish privacy and facilitate stalking, domestic abuse, and surveillance by federal agents.

Nonconsensual deepfake nudes have become a significant issue in schools worldwide, as indicated by an analysis from WIRED and Indicator. By monitoring publicly reported incidents of deepfake “nudify” technology targeting middle- and high-school girls, over 600 victims in 28 countries were identified.

You might assume that eradicating a $20 billion black market for scammers from your platform should be simple. But not for Telegram. A WIRED investigation uncovered that the messaging app continued to host Xinbi Guarantee despite the UK government designating it as a facilitator of human trafficking and sanctioning the largest online marketplace of its kind. Cryptocurrency tracing firm Elliptic reports that Xinbi executed another $505 million in transactions within 19 days following the UK’s sanction.

The AI race has now entered the security domain. Following Anthropic’s introduction of its new model, Mythos, as a distinct threat to existing security measures, OpenAI also announced a new cybersecurity strategy accompanied by a fresh model—GPT-5.4-Cyber.

That’s not all! Each week, we compile security and privacy news that didn’t receive in-depth coverage. Click the headlines for full articles, and stay safe out there.

The European Commission launched its free, open-source app this week to verify the ages of users visiting social networks and adult websites. At a press conference on Wednesday, European Commission President Ursula von der Leyen proclaimed that with this app’s launch, “there are no more excuses” for platforms failing to verify user ages. However, this was before experts discovered serious security flaws within the app.

According to Politico, security consultant Paul Moore claimed on X to have identified several vulnerabilities in the app, allowing him to hack it “in less than 2 minutes.” Issues include how the app allegedly stores a user-created PIN, which could enable an attacker to easily access that person’s profile. Whitehat hacker Baptiste Robert confirmed this vulnerability to Politico. Tagging von der Leyen in his post, Moore concluded, “This product will likely trigger a massive breach eventually. It’s just a matter of time.”

Europe’s largest fitness chain, Basic-Fit, reported a significant data breach on Monday, revealing that the bank details of approximately one million customers were compromised. Around 200,000 members were affected in the Netherlands alone. The stolen data includes bank information along with customers’ names, home and email addresses, phone numbers, and birth dates. A spokesperson informed The Register that members in Belgium, France, Germany, Luxembourg, and Spain were also impacted through a unified system that tracks club visits. No passwords, which Basic-Fit claims it does not store, were reportedly compromised.

On the same day, Booking.com, the global travel and hotel reservation giant, confirmed that hackers may have accessed customer data including names, email addresses, phone numbers, and booking details. The company informed TechCrunch that it detected “suspicious activity” and took measures to mitigate the situation. Notifications from the company, posted by alleged customers on Reddit, suggest a breach touching on “anything” users “might have shared with the accommodation.” TechCrunch noted that while Booking.com declined to specify the breach’s extent, it separately told The Guardian that no “financial information” was lost.

Bluesky’s website and app faced difficulties throughout Thursday, which the company confirmed was due to a distributed denial-of-service attack. Chief Operations Officer Rose Wang stated that the “sophisticated” attack commenced on April 15 at around 8:40 pm ET, resulting in intermittent issues across feeds, notifications, and search functions. The company reported no evidence of unauthorized user data access.

The disruptions impacted Bluesky’s infrastructure but spared communities like Blacksky that operate their own instances on the underlying AT Protocol. Blacksky informed TechCrunch of a marked increase in migration requests over the past 12 hours as users and competing ATmosphere operators suggest alternatives. By Friday afternoon, its status page indicated that the service was fully operational.

The Trump administration has been actively hiring. A press release from the Department of Homeland Security in January indicated that ICE hired over 12,000 officers and agents within a year. As part of their application processes, immigration officers are required to undergo thorough background checks examining everything from past arrests to debt histories and foreign interactions over the preceding seven years. The Associated Press conducted its own background checks on 40 ICE agents, uncovering three who had faced lawsuits due to alleged misconduct in prior law enforcement roles, and several who reportedly had unresolved debts. DHS did not comment on specific hiring decisions but acknowledged to the AP that it had provided some candidates with “temporary selection letters” and job offers before fully finishing their background checks.

The Russian cryptocurrency exchange Grinex, which has been reported to assist Russia in evading sanctions, abruptly declared on Thursday that it would be halting operations following a breach that it claims enabled a hacker to steal funds worth over a billion rubles, approximately $13 million. In its social media announcements, Grinex blamed the “special services” of a foreign nation, asserting that the “digital traces and nature of the attack indicated an unprecedented level of resources and technologies available exclusively to hostile foreign entities,” appearing aimed at “inflicting damage on Russia’s financial sovereignty.” Grinex, previously sanctioned by US financial authorities, was seen as a successor to Garantex, another Russian exchange that faced sanctions for alleged financial crimes. According to crypto-tracing firm Elliptic, Grinex is likely operated by the same owners and inherited Garantex’s assets and customers. Grinex did not provide evidence to substantiate its claims that state-sponsored hackers orchestrated the theft.
