It Takes 2 Minutes to Hack the EU’s New Age-Verification App

Planning a big night at Madison Square Garden? Have fun, but don’t say we didn’t warn you.
A WIRED investigation this week revealed new details about the state of private surveillance instituted by MSG owner Jim Dolan and his security chief, John Eversole. According to court records and WIRED sources, visitors to the Garden and some other locations owned by Dolan were subjected to facial recognition, social media surveillance, in-person surveillance and more.
The U.S. government’s warrantless wiretapping powers hit a roadblock this week. Despite President Donald Trump’s push for a long-term reauthorization of the so-called Section 702 spying program, 20 Republican lawmakers in the House of Representatives voted against a full reauthorization, forcing President Mike Johnson to simply extend the program for another 10 days.
Meta’s Ray-Ban and Oakley AI smart glasses have an image problem, for good reason. More than 70 civil society groups, including the ACLU and the National Organization for Women, sent a letter to the company this week, demanding that it abandon any plans to equip its AI glasses with facial recognition features. The groups argue that including facial recognition in wearable devices, which can already surreptitiously record videos of people, would further erode any semblance of privacy and potentially make it easier for stalkers, domestic abusers and federal agents.
Non-consensual nude deepfakes are a scourge in schools around the world, according to an analysis by WIRED and Indicator. By tracking publicly reported incidents of fake “nudify” technologies used against school-aged girls, we were able to identify more than 600 victims in 28 countries around the world.
You might think that banning a $20 billion black market for fraudsters from your platform would be a no-brainer. But not if you are Telegram. A WIRED investigation found that the messaging app continued to host Xinbi Garantie, despite the British government designating it as facilitating human trafficking and sanctioning the largest such online marketplace ever. Cryptocurrency tracking firm Elliptic claims that Xinbi made an additional $505 million in transactions in the 19 days after the UK sanction was issued.
The race for AI has finally entered the realm of cybersecurity. After Anthropic revealed its new model, Mythos, as a unique risk to the security status quo, OpenAI announced that it also has a new cybersecurity strategy and an accompanying new model: GPT-5.4-Cyber.
That’s not all! Every week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
The European Commission this week published its free and open source application for verifying the age of visitors to social networks and pornographic sites. At a press conference on Wednesday, European Commission President Ursula von der Leyen proclaimed that with the app’s release, “there are no more excuses” for platforms that do not verify users’ ages. However, that was before experts deemed the app a security disaster.
As reported by Politico, security consultant Paul Moore claimed on X that he found a series of security issues with the app that allowed him to hack it “in less than 2 minutes.” The issues include how the app stores a user-created PIN, which could make it easy for an attacker to take over that person’s app profile. (Baptiste Robert, a white-hat hacker, confirmed the vulnerability to Politico.) Tagging von der Leyen in his post, Moore concluded: “This product will be the catalyst for a huge breach at some point. It’s just a matter of time.”
Europe’s largest gym chain, Basic-Fit, confirmed a major data breach on Monday, revealing that the banking details of around one million customers had been compromised. In the Netherlands alone, around 200,000 members were affected. The stolen data includes bank details as well as customers’ names, home and email addresses, telephone numbers and dates of birth. A spokesperson told The Register that members in Belgium, France, Germany, Luxembourg and Spain have also been affected, via a single system that records members’ visits to clubs. No passwords, which Basic-Fit says it does not store, would have been compromised.
The same day, global travel and hotel booking giant Booking.com confirmed that hackers may have extracted customer data, including names, email addresses, phone numbers and booking details. The company informed TechCrunch that it “noticed suspicious activity” and “took steps to contain the issue.” Reviews of the company posted by purported customers on Reddit appear to reveal a breach affecting “anything” that users “might have shared with the accommodation.” TechCrunch reported that Booking.com declined to share details about the extent of the breach, but separately told the Guardian that no “financial information” was lost.
Bluesky’s site and app struggled Thursday after what the company confirmed was a distributed denial-of-service attack. Rose Wang, director of operations, said the “sophisticated” attack began around 8:40 p.m. ET on April 15 and caused intermittent outages in feeds, notifications and searches. The company said it had not seen any evidence of unauthorized access to user data.
The outages affected Bluesky’s own infrastructure, but spared communities like Blacksky that run their own instances on the underlying AT protocol. Blacksky told TechCrunch that it has seen a significant increase in migration requests over the past 12 hours, as users and competing ATmosphere operators promote alternatives. As of Friday afternoon, its status page shows the service is fully operational.
The Trump administration has gone on a hiring spree. A Department of Homeland Security press release from January says ICE has hired more than 12,000 officers and agents in less than a year. As part of their job applications, immigration officers are supposed to undergo extensive background checks, which look at everything from any arrests they may have had, debts they’ve accrued, and foreign nationals they’ve interacted with over the past seven years. The Associated Press conducted its own background checks on 40 ICE agents and found three who had faced lawsuits because of allegations of misconduct in their previous law enforcement jobs, and several who were allegedly facing lawsuits because of their history of unpaid debts. DHS did not comment on specific hiring choices, but acknowledged to the AP that it had given some applicants “temporary selection letters” and offers to begin work before their full background checks were completed.
Russian cryptocurrency exchange Grinex, widely credited with helping Russia circumvent sanctions, abruptly announced Thursday that it would suspend operations following a breach that it said allowed a hacker to steal more than a billion rubles of its users’ funds, the equivalent of more than $13 million. In its announcements on its social accounts, Grinex blamed the “special services” of a foreign country, writing that “digital traces and the nature of the attack indicate an unprecedented level of resources and technologies available exclusively to structures of hostile states” and appear aimed at “causing direct damage to Russia’s financial sovereignty.” Grinex, which itself was sanctioned by US financial authorities, was the successor to Garantex, another Russian exchange sanctioned for enabling sanctions evasion and other alleged financial crimes. According to cryptocurrency tracking company Elliptic, Grinex was likely created by the same owners and inherited funds and customers from Garantex. Grinex has not provided any public evidence to support its claim that the theft of its funds was carried out by state-sponsored hackers.