Your Menstrual Tracker Might Be Monitoring You Without Your Knowledge
San Francisco Police Department drone footage, now available on the open web, highlights a new chapter in comprehensive urban surveillance. Meanwhile, this week, the San Francisco City Attorney’s Office issued cease-and-desist letters to Apple and Google, demanding the removal of 13 AI nudifying “face-swap” applications from their app stores, predominantly targeting women and girls.
Since a WIRED report in June regarding Meta’s NameTag face-recognition technology, executives have provided vague and inconsistent statements about its existence. We have taken the time to clarify both the assertions and the realities surrounding this tangible system.
In a speech on Thursday, President Donald Trump reiterated unfounded and thoroughly discredited claims regarding interference in the 2020 US election. He promised major revelations in a batch of documents posted on the White House website, but the files failed to substantiate his claims, and in certain instances, directly contradicted them.
As the integration of AI tools accelerates and their functionalities expand, tech company Anthropic is advocating for US states to implement AI regulations. Discussing AI transparency policies in California and New York from last year, Anthropic’s head of US state and local government relations, Cesar Fernandez, told WIRED this week, “The transparency-focused safety bills of 2025 were a crucial starting point, but as the capabilities of AI systems progress swiftly, policy responses need to evolve accordingly.”
Furthermore, we compile weekly updates on the security and privacy news that we haven’t detailed ourselves. Click the headlines to access the complete stories. And remember to stay safe out there.
The astrology-themed period tracker Stardust reportedly sends users’ reproductive health information—including birth control type, pregnancy status, moods, and symptoms like tender breasts and stomach cramps—to an unnamed data firm, according to a BBC report about a Mozilla Foundation audit of six popular trackers conducted in collaboration with Harvard’s Berkman Klein Center.
Stardust received a score of 2 out of 10, the lowest among the trackers reviewed. Mozilla researcher Shoshana Wodinsky discovered that the app communicates with third-party trackers immediately upon opening, before the user has entered any information. As soon as she logged a symptom, the details were sent to analytics company RudderStack along with a persistent user ID, without any in-app option to disable sharing. RudderStack is designed to forward data to destinations that Mozilla could not monitor. Furthermore, Stardust provides Facebook with an ad identifier that links in-app activities to existing profiles on the platform. The company informed TechCrunch that it has never received a legal request for user data.
In contrast, Euki, a nonprofit-operated tracker, achieved a perfect score of 10: no account needed, health data remains on the phone, and users can set a PIN, schedule automatic deletions, or bring up a decoy screen if someone attempts to access the phone against their will. Its only vulnerability is that its in-app browser for educational pages loads standard web trackers, although it does reset identifiers with each visit.
Historically recognized for its advanced cyberespionage, Russia’s FSB has typically left disruptive cyberattacks to the country’s GRU military intelligence agency. However, recent sanctions from the EU and UK, along with advisories from the US Cybersecurity and Infrastructure Security Agency, the FBI, and the NSA, have linked a cyberattack on the Polish electric grid to Center 16 of the FSB. This incident marks a rare occasion of the Kremlin agency itself executing an attack that nearly resulted in outages for Poland’s electric and water utilities. The Polish government has stated that the attack came “very close” to causing a blackout; initially, cybersecurity firms Dragos and ESET attributed it to Sandworm, a unit of the GRU typically associated with infrastructure hacking due to its active involvement in Russia’s prolonged cyberwar against Ukraine. However, the Polish computer emergency response team disputed this attribution and connected the attack to the FSB, a conclusion now supported by a broad consensus among Western governments. This incident implies that the FSB might be adopting some of the reckless and highly aggressive strategies typical of its GRU counterparts.
For years, the Russian cybersecurity firm Kaspersky has faced allegations of ties to the Russian government, leading US officials to ban the use of its products by the US government and eventually from all American customers. Overt evidence of these connections has been sparse until now. Reuters has reported that Denis Obrezko, a Russian national facing hacking charges in Boston and a suspected member of a hacker group named Void Blizzard or Laundry Bear, worked at Kaspersky for two years. His employment there coincided with his later tenure at another cybersecurity firm, Yutek-NN, where he is accused of participating in a hacking campaign that targeted various NATO governments and at least 11 US companies, as per US prosecutors. Before his stint at Kaspersky, Obrevko allegedly worked with the FSB, framing his time there with apparent service for Russia’s intelligence agencies.
Obrevko has pleaded not guilty to the hacking allegations. Kaspersky released a statement to Reuters asserting that “the offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky.”
In a situation that will alarm anyone involved in monitoring suspicious network activity, DHS officials have ruled—twice—that signs of a hacker breach in its data-sharing Homeland Security Information Network platform were false positives, when in fact, they signified a genuine intrusion. Two months ago, HSIN, which facilitates sharing unclassified data between state, local, and federal agencies as well as foreign partners, was compromised by hackers, as reported by Nextgov/FCW. Analysts at the Federal Emergency Management Agency detected hacker activity in mid-May that included file alterations, code modification, hijacking a legitimate web server, and deleting logs of their actions, yet these findings were dismissed as false positives.
Following these initial detections, the hackers returned, were once again identified, and again misidentified as a mirage. The reason behind the misjudgment of the breach indications remains unclear, but the incidents may reflect growing challenges for federal analysts in detecting “living off the land” hacking techniques that exploit legitimate network features to gain access to targeted assets rather than deploying more easily identified malware. Despite HSIN housing only unclassified data, the information it contains is “highly sensitive,” as noted by Senate Intelligence Committee vice chair Mark Warner in a statement following the breach report, and “its exposure risks national security.”
The AI music startup Suno allegedly scraped millions of songs, lyrics, and podcasts from YouTube Music, Deezer, Genius, and other stock-audio libraries to train its models, according to 404 Media, which reviewed internal data provided by a hacker who infiltrated the company. This breach also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment details.
Notes found in source code, apparently from 2023 and 2024, indicate that 113,879 hours of YouTube Music audio were tallied, alongside tens of thousands more from Pond5, Deezer, and other libraries—totaling decades of music. Additional files reveal that Suno routed its YouTube scraping through Bright Data proxies and targeted approximately 1 million hours of podcasts via PodcastIndex. The hacker, identified as ellie.191, claims to have accessed the company through a compromised employee with the Shai-Hulud worm.
The files seem to support the record industry’s main allegation that Suno obtained songs directly from YouTube. The company, which argues that its training constitutes fair use and reached a settlement with Warner Music Group last November, stated that the breach involved outdated code and did not compromise sensitive personal information—although customers whose data appeared in a sample shared with 404 Media reported that they had not been notified.
