When data breach numbers don't add up
DeepSeek breach and other privacy stories you might have missed this week.
👋 Hey, Laura here! Welcome to this month’s edition of Privacy Champ. Each week, I share important stories that change your personal privacy, plus other important privacy updates + one actionable, 5-minute privacy protection tip.
The stuff you need to watch out for in your inbox, on social media, and elsewhere on the web.
Are you SURE it’s the USPS?
A mobile phishing campaign is impersonating the USPS.
It may not be Amazon Prime, either…
A phishing campaign uses malicious PDF documents claiming Amazon Prime memberships have expired.
Fake news.
Scammers are producing realistic fake news videos that impersonate major news organizations like CNN to falsely accuse victims of crimes and pressure them into making blackmail payments.
That game hack may actually get you hacked.
Cybercriminals are disguising repositories as game hacks and software cracks to distribute the Lumma Stealer malware.
No, you haven’t been invited to a wedding.
Cybercriminals in Southeast Asia are using fake wedding invitations sent via Telegram and WhatsApp to trick users into installing malware.
Your data may have been exposed if you’re a customer of:
DeepSeek. Over a million user chat histories and sensitive API keys exposed.
TalkTalk. A hacker says they stole the personal information of nearly 19 million customers. But… the company says it only has 2.4 million customers.
Wacom. Personal and payment information was potentially compromised.
Travel website Daytrip. Personal and travel information of ~470,000 users exposed.
Mizuno USA. Files with personal data of affected individuals stolen.
Community Health Center. Sensitive health and personal data of 1m+ patients stolen.
Struct Chat. Private user data is exposed.
Globe Life. Investigation into a June 2024 data breach revealed that hackers accessed databases containing personal data, potentially impacting an additional 850,000 customers beyond the initial 5,000 affected.
H&M (in the UAE). Over 4 million customers' personal and sensitive information exposed.
AngelSense. Users’ real-time location and personal and health data exposed.
Cool new projects, features, and tips that improve your privacy.
Microsoft is testing a new "scareware blocker" on Edge that uses machine learning and computer vision to identify and prevent deceptive scams.
Google Play Store introduced a "Verified" badge for VPN apps that meet strict security and privacy standards. To earn the badge, VPN providers must undergo a Mobile Application Security Assessment, achieve a minimum number of installs and reviews, and comply with Google's safety requirements.
Not a tool, but important if you’re an Apple user:
Apple warned users to update to iOS 18.3 after patching a long-standing vulnerability (CVE-2025-24085) that hackers exploited.
Also interesting if you’re a heavy mobile app user:
An analysis of the most invasive apps includes the usual suspects (i.e., Facebook, etc.), but also Duolingo, Bumble, and Roblox.
The stories you might have missed this week, with our take on whether they’re positive (👍), negative (👎), or questionable (🤔).
The good
👍 Law enforcement seized the hacking forums Cracked.io and Nulled.io, which were responsible for targeting at least 17 million U.S. users with stolen credentials, hacking tools, and even a tool used for cyberstalking.
👍 MGM Resorts agreed to a $45 million settlement for over a dozen class action lawsuits following two cyberattacks that compromised the personal data of more than 37 million customers.
👍 PayPal has been ordered by the New York State Department of Financial Services to pay a $2 million settlement for a 2022 data breach that exposed sensitive customer information.
👍 WhatsApp disrupted a December hacking campaign linked to Paragon spyware that used malicious PDFs to target around 90 users (including journalists and civil society members).
The bad
👎 A vulnerability in Subaru’s STARLINK connected vehicle service enables attackers with minimal personal details to access user accounts and vehicles across the U.S., Canada, and Japan.
👎 Amazon is accused of secretly tracking users’ movements via their cell phones and selling the collected data, by providing app developers with an Amazon Ads SDK that enabled "backdoor access" to users' phones.
👎 A bug in WhatsApp's iOS app allowed "View Once" photos and videos to be accessed repeatedly.
🖥️ Meta is updating its Meta AI chatbot with a "Memory" feature that records details from one-on-one chats and user activity across Facebook, Messenger, and Instagram for personalized recommendations.
You can’t completely turn off Meta AI’s Memory feature, but you can delete its stored memories.
To do so, go to Messenger, tap the information bubble in your chat with Meta AI, then select Memory and choose what to delete - or use the “/reset-ai” command on Messenger, Instagram, or WhatsApp to clear your data.







