It Takes 2 Minutes to Hack the EU’s New Age-Verification App

Making big plans for a night out at Madison Square Garden? Have fun—but don’t say we didn’t warn you.

A WIRED investigation this week revealed new details about the private surveillance state set up by MSG owner Jim Dolan and his security chief, John Eversole. According to court records and WIRED sources, visitors to the Garden and some other Dolan-owned venues have been subjected to facial recognition, social media monitoring, personal surveillance and more.

The US government’s warrantless wiretap powers were disrupted this week. Despite President Donald Trump’s push for a long-term reauthorization of the so-called Section 702 spying program, 20 Republican lawmakers in the House of Representatives voted against a full reauthorization, leading Speaker Mike Johnson to extend the program for only an additional 10 days.

Meta’s Ray-Ban and Oakley AI smartglasses have an image problem — with good reason. More than 70 civil society groups, including the ACLU and the National Organization for Women, sent a letter to the company this week demanding that it drop any plans to equip its AI glasses with facial-recognition features. The groups argue that incorporating facial recognition into wearable devices, which can already covertly record video of people, would further erode any semblance of privacy and potentially facilitate stalkers, domestic abusers, and federal agents.

Non-consensual deepfake nudes are a scourge in schools around the world, according to an analysis by WIRED and Indicator. By tracking publicly reported incidents of deepfake “Nudify” technology used against middle- and high-school-aged girls, we were able to identify more than 600 victims in 28 countries around the world.

You might think that banning a $20 billion black market for scammers from your platform would be an easy call. But not if you are Telegram. A WIRED investigation found that the messaging app continued hosting Xinbi Guarantee despite the UK government declaring it a facilitator of human trafficking and sanctioning the largest-ever online marketplace of its kind. Crypto-tracing firm Elliptic says Xinbi processed $505 million of transactions in the 19 days after the UK issued the sanction.

The AI race has finally entered the cybersecurity arena. After Anthropic revealed its new model, Mythos, as a unique risk to the security status quo, OpenAI announced that it too has a new cybersecurity strategy, and a new model to go with it—GPT-5.4-Cyber.

But that’s not all! Each week, we round up the security and privacy news that we haven’t covered in depth ourselves. Click on the titles to read the full stories. And stay safe out there.

The European Commission this week released its own free, open source app to verify the age of visitors to social networks and pornography websites. At a press conference on Wednesday, European Commission President Ursula von der Leyen announced that, with the release of the app, there is “no more excuse” for platforms that fail to check the age of users. However, that was before experts found the app to be a security disaster.

As reported by Politico, security consultant Paul Moore on The issues include how the app reportedly stores user-created PINs, which could allow an attacker to easily take over that person’s app profile. (Baptiste Robert, a white hat hacker, confirmed the vulnerability to Politico.) Tagging von der Leyen in his post, Moore concluded, “This product will be the catalyst for a major breach at some point. It’s just a matter of time.”

Basic-Fit, Europe’s largest gym chain, confirmed on Monday a major data breach in which the bank details of nearly one million customers were compromised. About 200,000 members were affected in the Netherlands alone. The stolen data included customers’ names, home and email addresses, phone numbers, and bank details, along with dates of birth. A spokesperson told The Register that members in Belgium, France, Germany, Luxembourg, and Spain were similarly affected through the same system that records members’ visits to clubs. No passwords were reportedly compromised; Basic-Fit says it does not store them.

The same day, global travel and hotel reservation giant Booking.com confirmed that hackers had extracted customer data including names, email addresses, phone numbers and booking details. The company informed TechCrunch that it “noticed some suspicious activity” and “took action to control the issue.” The company’s notice posted by alleged customers on Reddit appears to reveal a breach on anything users shared with Habitat. TechCrunch reported that Booking.com had declined to share details about the scope of the breach, but separately told The Guardian that no “financial information” was lost.

Bluesky’s site and app struggled until Thursday after the company confirmed it was hit by a distributed denial-of-service attack. Chief operating officer Rose Wang said the “sophisticated” attack began at approximately 8:40 p.m. ET on April 15 and caused intermittent failures in feeds, notifications, and search. The company said it has seen no evidence of unauthorized access to user data.

The outage affected Bluesky’s own infrastructure but spared communities like Blacksky that run their own instances on the underlying AT protocol. Blacksky told TechCrunch that it has seen a significant increase in migration requests over the past 12 hours, as users and rival Atmosphere operators are promoting alternatives. As of Friday afternoon, its status page shows the service as fully operational.

The Trump administration is on a hiring spree. A Department of Homeland Security press release from January said ICE has hired more than 12,000 officers and agents in less than a year. As part of their job applications, immigration officers are required to undergo extensive background checks, examining everything from what arrests they may have had and how much debt they have incurred to which foreign nationals they have interacted with in the past seven years. The Associated Press investigated the backgrounds of 40 ICE agents and found that three had faced lawsuits due to alleged misconduct in their previous law enforcement jobs, and several had faced legal action due to a history of alleged unpaid debts. DHS did not comment on specific hiring choices, but acknowledged to the AP that it had given some applicants “provisional selection letters” and allowed them to start work before their full background checks were completed.

Russian cryptocurrency exchange Grinex, widely reported to be helping Russia evade sanctions, suddenly announced on Thursday that it would suspend its operations after a breach it said allowed a hacker to steal more than a billion rubles of its users’ funds, the equivalent of more than $13 million. In announcements on its social accounts, Grinex blamed the “special services” of a foreign country, and wrote that “the digital traces and the nature of the attack indicate an unprecedented level of resources and technologies available exclusively to the structures of unfriendly states” and that it seems to be aimed at “causing direct damage to the financial sovereignty of Russia.” Grinex, which was itself banned by US financial authorities, served as the successor to Garantex, another Russian exchange that was sanctioned for enabling sanctions evasion and other alleged financial crimes. According to crypto-tracing firm Elliptic, Grinex was likely created by the same owners and inherited Garantex funds and customers. Grinex did not provide any public evidence to support its claim that its funds were stolen by state-sponsored hackers.
