Independent website 404 Media first revealed that in 2024 Telegram fulfilled more than a dozen law enforcement data requests from U.S. authorities.
The social media platform “potentially revealed” that it has shared the IP addresses or phone numbers of over 100 users with law enforcement.
In the past, Telegram claimed that it has never supported law enforcement investigations, however recently it has updated its with authorities.
At the end of September, Telegram updated its privacy policy informing users that it will share users’ phone numbers and IP addresses with law enforcement in response to valid legal requests.
The company CEO announced the policy update. Telegram will comply with requests from law enforcement if the user under investigation is found to be violating the platform’s rules.
“If Telegram receives a valid order from the relevant judicial authorities that confirms you’re a suspect in a case involving criminal activities that violate the Telegram Terms of Service, we will perform a legal analysis of the request and may disclose your IP address and phone number to the relevant authorities. If any data is shared, we will include such occurrences in a quarterly transparency report published at: https://t.me/transparency.”
In a message on its Telegram Channel, Durov revealed that over the last few weeks, a dedicated team of moderators, leveraging AI, has worked on its platform to identify and remove problematic content from the app.
The company announced that data shared with authorities will be disclosed in the company’s quarterly transparency reports, accessible via a .
According to the “Transparency report for the period 01.01.24–30.09.24,” the number of “Fulfilled requests from the United States of America for IP address and/or phone number: 14. Affected users: 108.” Some data requests, likely occurred before Telegram’s CEO was .
“For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3.” Durov wrote on his Telegram channel. “In Europe, there was an uptick in the number of valid legal requests we received in Q3. This increase was caused by the fact that more EU authorities started to use the correct communication line for their requests, the one mandated by the EU DSA law. Information about this contact point has been publicly available to anyone who viewed the Telegram website or googled “Telegram EU address for law enforcement” since early 2024.”
Despite the 404 Media report, at the time of this writing, I’m not able to retrieve the report from the bot.
(SecurityAffairs – hacking, Telegram)
The Tor Project and Tails have merged operations to enhance collaboration, expand training and outreach, and strengthen both organizations’ efforts to protect users globally from digital surveillance and censorship. The two organizations aim to better counter growing digital threats, and the merger will enhance protections for users who need both network-level and system-level security.
In late 2023, Tails proposed merging operations with Tor Project to expand its operational capacity and build a larger and established operational framework.
“By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.” reads the published by Tails. “This solution is a natural outcome of the Tor Project and Tails’ shared history of collaboration and solidarity.”
The two organizations have a ‘long-standing collaboration’ and their developers have worked closely together.
“Running Tails as an independent project for 15 years has been a huge effort, but not for the reasons you might expect. The toughest part wasn’t the tech–it was handling critical tasks like fundraising, finances, and HR. After trying to manage those in different ways, I’m really relieved that Tails is now under the Tor Project’s wing. In a way, it feels like coming home.” said intrigeri, Team Lead Tails OS, The Tor Project.
Tor and Tails could provide complementary privacy protections, anonymizing online activity with the Tor Browser and providing a secure operating system with Tails. Together, they offer a comprehensive solution for users facing surveillance or seeking access to the open web.
Privacy non-profit None Of Your Business (noyb) has filed a complaint with Austria’s data protection authority (DSB) against Mozilla for enabling the “Privacy Preserving Attribution” (PPA) privacy feature in Firefox without user consent. Noyb claims that PPA doesn’t prevent Firefox from tracking user behavior, shifting control of tracking from websites to the browser itself.
“Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites. In essence, the browser is now controlling the tracking, rather than individual websites.” states noyb. “While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update.”
noyb pointed out that a recent Firefox update quietly enabled the “Privacy Preserving Attribution” (PPA) feature.
The non-profit organization claims that the feature allows websites to request Firefox to store information about users’ ad interactions, which is then shared in a bundled form, without using traditional tracking cookies. Mozilla never asked for informed consent from its users.
PPA is an experimental feature shipped in Firefox 128 to enhance user privacy by measuring ad performance without collecting personal data. However, noyb discovered that Firefox tracks users’ activity, potentially violating user rights under the EU’s GDPR. Rather than replacing cookies, this feature adds another method for websites to target ads. Noyb’s data protection lawyer, Felix Mikolasch, suggests that Mozilla has adopted the advertising industry’s view on tracking, turning Firefox into an ad measurement tool, despite good intentions.
“Mozilla has just bought into the narrative that the advertising industry has a right to track users by turning Firefox into an ad measurement tool. While Mozilla may have had good intentions, it is very unlikely that ‘privacy preserving attribution’ will replace cookies and other tracking tools. It is just a new, additional means of tracking users.” said Mikolasch.
noyb states that enabling the PPA feature by default without informing users or seeking their consent violates their privacy. The organization highlights that the tracking feature is not mentioned in Mozilla’s data protection policies, and users can only disable it by navigating to a hidden opt-out option in the browser’s settings. A Mozilla developer explained the decision, arguing that users cannot make an informed choice about the feature.
“It’s a shame that an organisation like Mozilla believes that users are too dumb to say yes or no. Users should be able to make a choice and the feature should have been turned off by default.” concluded Mikolasch.
Singaporean crypto platform BingX reported a cyberattack on Friday. Threat actors stole over $44 million worth of cryptocurrency. The crypto platform discovered unauthorized transfers of funds on Thursday night, shortly before BingX announced a shutdown for “wallet maintenance” on social media.
In a post, the company said it detected abnormal network activity on September 20, 2024, at around 04:00 (UTC+8), indicating a potential hack targeting its hot wallet. BingX immediately responded to the incident, secured its assets by transferring them to a cold wallet, and temporarily suspended withdrawals. While there was a minor asset loss, the exact amount is still being calculated.
“On 2024-09-20 at around 04:00 (UTC+8), our technical team detected abnormal network access, potentially indicating a hacker attack on BingX’s hot wallet. We immediately implemented emergency measures, including urgent transfer of assets and a temporary suspension of withdrawals. There has been minor asset loss, but the amount is small and is currently being calculated.” the company.
“To safeguard user assets, we have always used a tiered asset management system. The majority of assets are stored in cold wallets, while only a small amount is kept in hot wallets to meet withdrawal demands. The crediting time for deposits and withdrawals will be extended as we conduct urgent inspections and strengthen our wallet services to ensure asset security. We sincerely apologize for any inconvenience caused. Withdrawals will be processed within 24 hours.”
The company investigated the incident with the help of blockchain security firm SlowMist and determined that hackers stole more than $47M worth of cryptocurrency.
BingX chief product officer Vivien Lin wrote on X that the incident did not disrupt operations and remarked that the company covered the losses with its reserves.
Law enforcement agencies have stepped up their efforts to protect cryptocurrency users. On Thursday the Justice Department announced that it arrested two people this week for their role in from a cryptocurrency owner in Washington, D.C.
In the first half of 2024, the amount of cryptocurrency stolen in hacks more than doubled compared to the same period in 2023, largely due to a few large attacks and rising crypto prices, . By June 24, 2024, over $1.38 billion worth of crypto had been stolen, up from $657 million the previous year. Additionally, the median theft size increased by one-and-a-half times from 2023.
The U.S. DoJ arrested two people, Malone Lam (20) (aka “Greavys,” “Anne Hathaway,” and “$$$”) and Jeandiel Serrano (21) (aka “Box,” “VersaceGod,” and “@SkidStar”) in Miami and charged them with stealing more than $230 million worth of cryptocurrency.
The duo attempted to launder the stolen cryptocurrency through crypto exchanges and mixing services.
“According to the indictment, since at least August 2024, Lam, Serrano, and others conspired to carry out cryptocurrency thefts and to launder the stolen cryptocurrency through exchanges and mixing services. The conspirators would fraudulently gain access to victim cryptocurrency accounts and then transfer victim funds into their possession.” reads the DoJ’s . “They laundered the proceeds, including by moving the funds through various mixers and exchanges using “peel chains,” pass-through wallets, and virtual private networks (VPNs) to mask their true identities.”
According to court documents, on August 18, the two men stole more than 4,100 Bitcoin (worth $230 million at the time) from a victim in Washington, D.C.
Lam and Serrano allegedly used the laundered cryptocurrency proceeds to fund international travel, buy luxury cars, watches, jewelry, designer handbags, and rent homes in Los Angeles and Miami.
Lam, Serrano, and others allegedly hacked victims’ cryptocurrency accounts, transferring the stolen funds to wallets under their control. They then laundered the stolen funds through various mixers and exchanges using “peel chains,” pass-through wallets, and virtual private networks (VPNs) to mask their true identities.
In the digital world, trust is essential for the relationships between brands and consumers. However, trust is not a once-off exercise; it’s a continuous process in which each interaction helps build and nurture loyalty over time. This is why it’s crucial to understand the factors contributing to trust, particularly how online brands manage consumers’ personal data.
There are several reasons why consumers refuse to consent to their data being shared in the first place. These include a lack of understanding of the destination and purpose of their data and uncertainty about the consequences of sharing their data. Conversely, users are more likely to consent to their data being collected when they feel they have decision , when confident their data will not be sold to the highest bidder, and when they are sure intrusive communications won’t spam them.
A on digital trust explores the complex dynamics of trust, focusing on user experience, security, and data privacy. In today’s digital landscape, consumers seek transparency, control, and respect for privacy. The report provides insights into factors influencing user consent for data collection and usage and reasons for consumer disengagement.
While there may be widespread concerns regarding information sharing, the report revealed that most users (89%) are willing to grant consent for organizations to utilize their data. However, this willingness comes with conditions. Users want to enjoy personalized experiences yet still safeguard their privacy rights. For businesses, this balance rests on the principle of user empowerment, where individuals retain control over the extent and purpose of data sharing.
The survey also found that nearly one-third (32%) of consumers will only share necessary information, indicating that organizations should only collect and store data essential for specific purposes. Additionally, a similar number (30%) expect to be able to select which data they share. Consumers want detailed control over their information and the flexibility to adjust their consent based on various factors, such as the context of the interaction or perceived risks of data misuse.
Companies must navigate the challenge of providing personalization while ensuring privacy protection. While leveraging data-driven insights allows brands to offer tailored experiences, respecting user preferences for selective sharing is crucial for maintaining trust and fostering lasting relationships.
Another cornerstone of trust is transparency. Consumers are increasingly aware of the value of their personal information and demand clarity on how it’s collected, used, and protected by companies. This transparency is more than a courtesy; it’s a fundamental right that empowers users to make informed decisions about their data.
of US consumers showed that two-thirds (66%) of respondents said they would gain trust in a company if it were transparent about how it uses their personal data. More than half (55%) claimed that reducing unnecessary data collection was an additional factor that would help them gain trust in a company or brand.
Today’s consumers also expect to be informed about data collection practices. The Thales research showed that more than half (55%) demand to know when and how their data is collected, whether through website cookies, user accounts, or other tracking mechanisms.
To align with these expectations, brands should adopt modern CIAM platforms that embed consent into the user journey through forms and actions. A conversational approach to onboarding is becoming a cornerstone for a reliable customer experience, and asking for consent explicitly and clearly is critical. Businesses that are ahead of the curve deploy “Progressive Profiling” techniques that do not overwhelm the customer during the user journey yet ask all the key questions at the right time while establishing the user as a customer. Moreover, businesses should allow users to access, review, and update their data preferences.
Equally important is the consumer’s “right to erasure,” with 53% expressing a desire to have their data deleted upon request. This right is protected by privacy regulations like the EU’s GDPR and Brazil’s LGPD, and it lets users maintain control over their personal information, ensuring that organizations cannot indefinitely retain data without consent or justification.
Other regulations have similar stipulations, like California’s CCPA and the expanded CPRA, which allows consumers to request the deletion of personal information collected from them directly by the business. Also, in the US, ARPA seeks to establish fundamental data privacy rights for citizens, with strong oversight and enforcement mechanisms. In South Africa, POPIA states that personal data may only be stored or used to the extent it is adequate, relevant, and not excessive in relation to its purpose. It enables consumers to request responsible parties to correct or delete personal information or records. However, it does not explicitly grant a “right to be forgotten.”
In the digital arena, the stakes are high, with consumers ready to sever ties with brands that fail to meet their expectations. The reasons that consumers abandon brands range from excessive data demands (29%) to subpar online support (27%) and concerns over data misuse (26%). This highlights the fine line businesses must tread between data collection, user experience, and security to retain customer loyalty.
revealed that Trust needs to be built continually and that companies must act quickly and decisively in the event of a crisis. “Consumers will take action if trust is broken, such as warn friends and family to avoid the company or stop doing business with the company if they find a product or service error from a company that they have been doing business with for a long time,” the analysts said.
Consumer expectations also vary across sectors and are influenced by industry norms and the nature of the service. For instance, according to the Digital Trust Index, some users (27%) base their consent on the sector or service type. In comparison, nearly a quarter (24%) rely on meticulously reading terms and conditions before consenting, stressing the importance of clear and accessible legal documentation.
There’s no doubt that trust is critical to the success of any organization. highlighted how the need for trust is on the rise, with 71% of respondents claiming it is more important to trust the brands they buy/use today than in the past.
Trust and user experience are closely linked in the digital landscape, with data collection as an indicator of brand integrity. Companies must carefully balance security, privacy, and user experience to gain and keep consumer trust. The digital world presents opportunities and challenges for brands wanting to build trust with their audience.
By emphasizing transparency, giving users control, and providing exceptional experiences, brands can establish solid connections and enhance customer lifetime value. Ultimately, in digital trust, every interaction plays a significant role in shaping brand-consumer relationships, one step at a time.
About the author : Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centers. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications. She is also a regular writer at .
The Dutch Data Protection Authority (DPA) has fined Uber €290 million ($324 million) for allegedly failing to comply with the EU data protection regulation GDPR when transferring the personal data of European taxi drivers to the U.S.
“The Dutch Data Protection Authority (DPA) imposes a fine of 290 million euros on Uber. The Dutch DPA found that Uber transferred personal data of European taxi drivers to the United States (US) and failed to appropriately safeguard the data with regard to these transfers. According to the Dutch DPA, this constitutes a serious violation of the General Data Protection Regulation (GDPR). In the meantime, Uber has ended the violation.” reads the press release published by the Dutch Data Protection Authority.
Aleid Wolfsen, the chairman of the Dutch DPA, emphasized that the GDPR is designed to protect people’s fundamental rights by ensuring that businesses and governments handle personal data responsibly. Businesses must take extra precautions when storing Europeans’ personal data outside the EU. Wolfsen criticized Uber for failing to meet GDPR requirements in protecting data transferred to the U.S., calling the violation “very serious.”
The Dutch DPA launched an investigation into Uber after over 170 French drivers filed complaints with the Ligue des droits de l’Homme (LDH), which then reported the issue to the French DPA. The Dutch DPA investigated in close cooperation with the French DPA and coordinated the decision with other European DPAs.
The Dutch Data Protection Authority (DPA) determined that Uber collected sensitive information from European drivers and stored it on servers in the U.S. for over two years without using proper data transfer tools. The collected data included account details, location data, payment information, and even criminal and medical records. After the EU-US Privacy Shield was invalidated in 2020, the use of Standard Contractual Clauses was required to ensure equivalent data protection. However, Uber stopped using these clauses in August 2021, leaving the data insufficiently protected until it adopted the Privacy Shield’s successor at the end of last year.
“All DPAs in Europe calculate the amount of fines for businesses in the same manner. Those fines amount to a maximum of 4% of the worldwide annual turnover of a business. Uber had a worldwide turnover of around 34.5 billion euro in 2023. Uber has indicated its intent to object to the fine.” concludes the press release. “This is the third fine that the Dutch DPA imposes on Uber. The Dutch DPA imposed a fine of 600,000 euro on Uber in 2018, and a fine of 10 million euro in 2023. Uber has objected to this last fine.”
The company rejects the accusations and claims that its data transfer process is compliant with European laws. The company will appeal against the decision, its spokesman Caspar Nixon told Bloomberg.
The fine is “completely unjustified,” said Caspar Nixon.
The cryptocurrency portfolio management and tracking platform CoinStats suffered a massive security breach. Alleged North Korea-linked threat actors have compromised 1,590 cryptocurrency wallets.
CoinStats allows users to monitor their cryptocurrency holdings across various exchanges and wallets in a single platform. The incident only impacted the users who hosted their wallets on CoinStats.
To mitigate the incident, the platform temporarily shut down the application.
The company explained that only 1.3% of all hosted wallets were compromised by the attackers.
The investigation is still ongoing and the number of impacted wallets could increase, but the company states that they don’t expect significant changes.
In a message published on X, the company shared a .
The company shared a list of impacted wallets on , but some that funds were stolen from wallets that were not on this list. Therefore, the actual scope of the incident might be more significant than what CoinStats has verified.
The CEO of the company announced on X that they possess significant evidence indicating a North Korea-linked APT group conducted the attack.
North Korea-linked APT groups are known for .
At this time, it’s unclear if the attackers have stolen users’ funds.
The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.
Microsoft attempted to downplay the risks for users; the company pointed out that an attacker would need physical access to obtain data collected by the Recall tool.
However, multiple researchers have demonstrated that malicious code could steal data collected by the Recall feature.
The popular cybersecurity expert explained that an attacker can gain remote access to a device running Recall using malware.
“When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.” reads a published by Beaumont. “For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.”
Microsoft pointed out that information captured by its tool is highly encrypted and nobody can access it, but Beaumont said this is false and published a video of two Microsoft engineers accessing the folder containing the images.
The cybersecurity researcher Alex Hagenah has released a PoC tool, named that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.
“The database is unencrypted. It’s all plain text,” Hagenah says.
“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.” “Here’s where you can find them:
C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}
The images are all stored in the following subfolder
.\ImageStore\
The IT researcher Marc-André Moreau explained that an info-stealing malware can easily steal temporarily visible passwords from Remote Desktop Manager, which are captured by the Recall tool, from a local SQLite database.
While Recall remains as a “preview” feature and, according to Microsoft’s , could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” concludes Wired.
Check Point released hotfixes to address a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively being exploited in attacks in the wild.
The vulnerability CVE-2024-24919 is a Quantum Gateway information disclosure issue. Threat actors exploited the flaw to gain remote firewall access and breach corporate networks.
The issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances. Impacted versions are R80.20.x, R80.20SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, and R81.20.
Early this week, the security firm warned of a surge in attacks aimed at VPN solutions.
“We have recently witnessed compromised VPN solutions, including various cyber security vendors. In light of these events, we have been monitoring attempts to gain unauthorized access to VPNs of Check Point’s customers.” reads the initial advisory published by the vendor.
“By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method.”
The company started investigating the attacks by assembling special teams of Incident Response, Research, Technical Services and Products professionals. Within 24 hours, the experts found a few potential customers that were attacked.
On May 28, the experts discovered how attackers were targeting its customers and released a for Check Point Network Security gateways.
“The vulnerability potentially allows an attacker to read certain information on Internet-connected Gateways with remote access VPN or mobile access enabled. The attempts we’ve seen so far, as previously alerted on May 27, focus on remote access scenarios with old local accounts with unrecommended password-only authentication.” reads an update to the initial advisory. “Within a few hours of this development, Check Point released an that prevents attempts to exploit this vulnerability. To stay secure, customers should follow these to deploy the provided solution.”
The company also released hotfixes that address the flaw in end-of-life (EOL) versions.
Check Point set up to provide information about CVE-2024-24919, such as what customers should do if they suspect unauthorized access attempts.