It may be a new year, but the hacks, scams, and dangerous people lurking online haven’t gone away.
Just one day before the ball dropped, the US Treasury Department said it had been hacked. Officials believe the attackers are an as-yet-unidentified Advanced Persistent Threat group linked to China’s government that exploited flaws in remote help desk software created by BeyondTrust to carry out what the Treasury Department described as a “major” breach. “. The company told Treasury on December 8 that the attackers stole an authentication key, which ultimately allowed them to access the department’s computers. While the Treasury says the attackers were only able to steal “certain unclassified documents,” new details have already begun to emerge, more on which later.
Before the murder of UnitedHealthcare CEO Brian Thompson last month, gun silencers were something found mostly in Hollywood movies — or in Facebook and Instagram ads, if you looked closely. WIRED discovered that someone has posted thousands of ads for “fuel filters” that are, in fact, intended to be used as gun silencers, which are heavily regulated by U.S. law. Meta, which owns Facebook and Instagram, has since removed many of the ads, but new ones continue to appear. So if you see one, keep scrolling: Possessing an unregistered silencer could result in felony charges.
When an Amber Alert push notification appears on your phone, getting all the information you need to help find an abducted child can literally be a matter of life or death. That’s a lesson the California Highway Patrol learned this week when it sent out an Amber Alert linking to a post on X, which people couldn’t access unless they were registered. While CHP says it has linked posts on the social media site since 2018 without any issues until this week, a spokesperson tells WIRED they are now “looking into it.”
If you’ve added privacy and security best practices to your 2025 goal list, an easy place to start is your old chat histories. You might be surprised at how much sensitive information exists, perhaps forgotten but definitely not gone.
That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Apple this week agreed to pay $95 million to settle a class-action lawsuit over alleged eavesdropping by its Siri voice assistant. The demand, López et al. v. Apple Inc.accused Apple of recording people’s conversations without their knowledge and sharing that data with third parties to serve ads. The issue arose from Siri’s voice-activated feature (“Hey, Siri”), which two plaintiffs allege surreptitiously captured conversations that resulted in ads for Nike and Olive Garden shoes. One plaintiff claimed that he was given an advertisement for medical treatment after speaking with his doctor. People who qualify as part of the group covered by the settlement, which must be approved by a federal judge in California, could receive up to $20 per device, for up to five devices. As Reuters notes, the deal amount is roughly equivalent to nine hours of profits for Apple, which earned nearly $94 billion in the last fiscal year. The company will not admit to any wrongdoing as part of the agreement.
Newly unsealed court documents revealed that the FBI allegedly discovered during a search for a single illegal firearm the “largest seizure of homemade explosives in FBI history.” According to court records, the arsenal of explosives was found at Brad Spafford’s home in Virginia, where investigators allegedly found more than 150 pipe bombs and other explosive devices. Prosecutors say the FBI found a backpack containing pipe bombs and adorned with a grenade-shaped patch with the hashtag #NoLivesMatter, a possible reference to a far-right “accelerationist” group. The New York Times reports. While prosecutors claim that Spafford, who allegedly used a photo of US President Joe Biden as target practice, was aiming to “recover political assassinations,” his lawyer maintains that he is a harmless “family man” who is owed grant freedom.
Following revelations earlier this week that Chinese state-backed hackers breached the U.S. Treasury in early December, the Washington Post reported Wednesday that the hackers specifically targeted the Office of Foreign Assets Control. The attackers may have been seeking information about the Bureau’s possible plans to sanction Chinese entities. Additionally, Bloomberg reported Thursday that attackers targeted the computers of senior Treasury officials, where they were able to access unclassified material. So far, researchers have identified around 100 computers compromised by hackers. However, sources told Bloomberg that the attack appears to have been more of a crime of opportunity than a long-planned clandestine operation, like China’s recent infiltration of American telecommunications companies.
As China’s Treasury hack comes to light, the impact of its intrusions on American telecommunications companies continues to expand. Two days after Christmas, Anne Neuberger, White House deputy national security adviser for cybersecurity and emerging technologies, held a briefing with reporters in which she raised the count of telecommunications breaches by the Chinese hackers known as Salt Typhoon and suggested that at least part of the blame for those breaches lies with the companies’ own inadequate security. “The reality is, from what we’re seeing with respect to the level of cybersecurity implemented across the telecommunications sector, those networks are not as defensible as they should be to defend against a capable and well-resourced offensive cyber actor like China.” . Neuberger said. He added that the hackers had targeted the communications histories of fewer than 100 people, mostly in Washington, D.C., who reportedly included President-elect Donald Trump and Vice President-elect JD Vance. Neuberger said the spying incident calls for new cybersecurity regulations from the Federal Communications Commission that she said could have limited the scope of the breaches if they had existed.
Cars collect and transmit as much sensitive location data as any modern digital device, and the privacy risks of all that tracking are becoming all too clear. One example: A whistleblower warned Germany’s Chaos Computer Club and the country’s Der Spiegel news outlet that Cariad, a Volkswagen subsidiary, left a trove of location data for 800,000 electric vehicles exposed online. The leak included cars sold not only by Volkswagen but also by other brands, including Seats, Audi and Skoda. For Audi and Skoda, that location data was accurate only to within about six miles, but Volkswagen cars and Seats could be located to within about four inches. The exposed data has already been secured, but the incident nonetheless demonstrates the lengths to which automakers have to go to control their data collection.