Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and…

Roblox hit with class action over alleged secret tracking of kids’ data; lawsuit claims privacy law violations and unauthorized data sharing.

Roblox, a platform known for its popularity among children and teens, is now the focus of a class action lawsuit that accuses the company of covertly harvesting data from its youngest users.

Filed in a California federal court by plaintiffs Michael and Salena Garcia, the suit claims Roblox has been quietly monitoring players without proper consent. According to the 45-page complaint, Roblox uses hidden tracking tools to collect a wide range of data, from keystrokes and chat messages to mouse activity and search queries.

The lawsuit also alleges that the company links these interactions to individual devices using unique identifiers. This allows Roblox to build detailed behavioural profiles of players, which the plaintiffs say are used for targeted content and shared with third-party advertisers.

Roblox has been secretly collecting detailed personal data and intercepting user activity through hidden tracking code built into its site and apps, without users or their parents knowing.

> _“This data surveillance begins the moment a user visits or launches Roblox, even before account login or consent, and continues across platforms (web, iOS, Android, macOS, Windows) via persistent identifiers and fingerprinting techniques.”_
> 
> _Source: Class Action Complaint, Garcia v. Roblox Corporation, U.S. District Court, Northern District of California, 2024._

This legal move puts Roblox in the same spotlight as other tech companies facing criticism over data privacy practices affecting children. While the company promotes itself as a safe space for play and creativity, the complaint suggests a different story unfolding behind the scenes.

Kern Smith, Vice President of Global Solutions at mobile security firm Zimperium, warns that mobile security often takes a back seat in discussions about child safety online. “Parents focus heavily on what their kids are doing in the game, but the device and the app itself are also areas of concern,” he said.

“When a mobile app is widely used, it becomes a bigger target for phishing, malware, and data breaches. If a phone or tablet is compromised, it opens the door for attackers to access sensitive data or manipulate app behaviour.”

The lawsuit shows the public worry about how companies collect and use data from minors. Under federal law, including the Children’s Online Privacy Protection Act (COPPA), companies must obtain verifiable parental consent before collecting personal data from children under 13. The Garcias claim that Roblox sidesteps these requirements through silent tracking that parents never see.

For now, the case remains in the early stages, but it indicates legal pressure on platforms serving young audiences. If the court finds the claims valid, Roblox could face serious consequences, not only in the form of financial penalties but also tougher oversight of its data handling practices.

Parents concerned about their child’s digital safety are advised to monitor not only app content but also the security of the devices their kids use. Tools that offer real-time threat detection and malware protection can help reduce risks tied to invisible data collection.

Roblox Corporation has not issued a public statement in response to the lawsuit as of publication.

Roblox Lawsuit Claims Hidden Tracking Used to Monetize Kids Data

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone…

Optimizing your online productivity is more important than ever. Whether you’re a business owner, freelancer, or simply someone looking to streamline your personal digital workflow, improving your efficiency can save you time, reduce stress, and boost performance. Here are some practical strategies to enhance your digital efficiency.

****1\. Streamline Your Digital Workspace****

A cluttered digital environment can slow you down significantly. Organize your desktop, categorize your files, and declutter unnecessary applications. Use cloud storage services like Dropbox or Google Drive to keep essential documents accessible and secure, reducing the need for excessive local storage.

Use productivity tools like Trello, Asana, or Notion to effectively manage tasks and projects. These platforms help you visualize your workload, prioritize tasks, and collaborate seamlessly with others.

****2\. Automate Repetitive Tasks****

Automation is a game-changer when it comes to digital efficiency. Identify repetitive tasks that consume your time and automate them. For instance:

*   **Email filtering and sorting**: Use rules and filters to automatically categorize incoming messages.
*   **Social media scheduling**: Use platforms like Buffer or Hootsuite to schedule posts in advance, saving you from constant manual posting.
*   **Data entry and reporting**: Utilize tools such as Zapier or Integromat to automate workflows between different apps.

Automating routine processes frees up valuable time for more strategic and creative tasks.

****3\. Optimize Your Internet and Hosting Solutions****

Slow-loading websites and unreliable hosting services can hamper your efficiency, especially if you rely on web-based applications. Upgrading to a reliable DS hosting solution can significantly boost your website’s performance, ensuring faster loading times and improved reliability. Dedicated servers offer more control, security, and better resource allocation compared to shared hosting, making them ideal for businesses or resource-intensive applications.

****4\. Use Keyboard Shortcuts and Productivity Hacks****

Mastering keyboard shortcuts can drastically decrease the time spent navigating your computer or specific applications. For example:

*   **Ctrl + C** and **Ctrl + V** for copy-paste
*   **Ctrl + Z** to undo
*   **Alt + Tab** to switch between windows quickly.

In addition, explore browser extensions like LastPass for password management or Grammarly for real-time grammar checks, making your digital activities more streamlined and error-free.

****5\. Limit Digital Distractions****

Distractions are one of the main barriers to digital efficiency. Use website blockers like Freedom or StayFocusd to limit time-wasting sites during work hours. Turn off unnecessary notifications and schedule regular tech-free breaks to improve your focus. You can also investigate app blockers for your smartphone to limit distractions more generally. 

****6\. Leverage Cloud-Based Collaboration Tools****

For teams, cloud-based collaboration tools are essential for maintaining efficiency. Platforms like Slack, Microsoft Teams, and Google Workspace allow for real-time communication, file sharing, and collaboration, decreasing the need for lengthy email threads and streamlining project management.

****Final Thoughts****

Improving your digital efficiency doesn’t require a massive overhaul, it’s about making small, intentional changes to your workflow. From investing in reliable DS hosting to automating repetitive tasks, every improvement adds up to significant time and productivity gains. Embrace these strategies and watch your digital efficiency soar.

(Image by Moondance from Pixabay)

Practical Ways to Improve Your Digital Efficiency

A hacker group claiming affiliation with Anonymous says it breached GlobalX Airlines, leaking sensitive flight and passenger data…

A hacker group claiming affiliation with Anonymous says it breached GlobalX Airlines, leaking sensitive flight and passenger data tied to controversial deportation flights

GlobalX Airlines, a US government-contractual charter airline for conducting deportation flights, has been targeted by hacktivists claiming affiliation with Anonymous. The attackers allegedly accessed sensitive information, including flight records and passenger manifests, and defaced the airline’s official website with a politically charged message, expressing opposition to the company’s role in controversial deportation processes.

The defaced webpage, reportedly, featured the legendary Guy Fawkes mask, a symbol typically associated with Anonymous. The image was accompanied by a message aimed at the former US President, referencing a “Judge’s order” and accusing GlobalX of disregarding lawful directives and their perceived “fascist plans.”

This suggests the attack was ideologically motivated, originating from hacktivists’ disapproval of the airline’s involvement in deporting US citizens.

Deface page from the hacktivist group

Apart from the symbolic act of website defacement, the hacktivists contacted journalists, including those at 404 Media, to share a substantial amount of leaked data. This trove of information reportedly includes detailed flight logs, comprehensive passenger lists, and itinerary details spanning several months.

404 Media, after careful verification against official Immigration and Customs Enforcement (ICE) flight logs and court documents, confirmed the authenticity of data sorted into folders dated from January 19th to May 1st. This data, reportedly, contains specifics regarding flights used to deport hundreds of Venezuelan migrants, some of whom were actively contesting the legality of their deportation while already airborne.

According to the anonymous hacker, the breach was facilitated by the discovery of a GlobalX developer’s token, which allowed them to uncover access and secret keys for the airline’s Amazon Web Services (AWS) cloud storage buckets, effectively granting them unauthorized entry into the company’s digital infrastructure.

The extent of their access went beyond data exfiltration and website manipulation. The hacker claimed to have sent internal messages to pilots using NAVBLUE, a flight operations tool provided by Airbus, and accessing the company’s GitHub repository, a platform used by developers for managing and sharing code.

One particularly concerning case is of Ricardo Prada Vásquez, a Venezuelan man who, as per his family, was disappeared by US immigration authorities. His name was leaked in a GlobalX flight manifest, revealing his deportation to El Salvador.

This breach comes at a time when the Trump administration’s handling of sensitive data is under increased scrutiny after the Atlantic reports on top US officials, sharing military attack plans on Signal, US-Israeli firm TeleMessage’s data breach impacting TM SGNL app, used by Trump officials, and now the leaking of passenger lists raises further concerns about the government’s data security practices.

GlobalX’s leaked data and hacktivist messages suggest a politically motivated operation to expose and disrupt the deportations. Hackread.com will promptly update you when we receive an official response from the airline and the US immigration authorities, or further details emerge regarding the breach.

Anonymous Hackers Steal Flight Data from US Deportation Airline GlobalX

### Impact
Potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code.

### Patches
This is patched in 1.13.6

### Workarounds
Downgrade to <1.13.2

### References

* [Understanding the Risk of Script Injections](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-2487-9f55-2vg9: OZI-Project/ozi-publish Code Injection vulnerability

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos,…

Check Point’s April 2025 malware report reveals increasingly sophisticated and hidden attacks using familiar malware like FakeUpdates, Remcos, and AgentTesla. Education remains the top targeted sector. Learn about the latest cyber threats and how to stay protected.

Check Point Research (CPR) has revealed its findings for April 2025, which describe a concerning trend of attackers using more complex and sneaky methods to deliver harmful software. Although some well-known malware families remain prevalent, the methods used to infect systems are becoming more sophisticated, making them harder to detect.

According to CPR, most attacks discovered in April involved phishing emails disguised as order confirmations. These emails contained a hidden 7-Zip file that released scrambled instructions, leading to the installation of common malware like AgentTesla, Remcos, and XLoader.

The attacks were particularly concerning due to their well-hidden nature, using encoded scripts and injecting malicious software into legitimate Windows processes. Researchers also noticed a “dangerous convergence of commodity tools with advanced threat actor tactics” means even basic malware is now being used in highly sophisticated operations, CPR’s blog post read.

Despite these new sneaky methods, some familiar names still topped the list of most prevalent malware in April, including the following:

****FakeUpdates****

This malware remained the most widespread, affecting 6% of organizations globally. It tricks users into installing fake browser updates from compromised websites has been linked to the Russian hacking group Evil Corp and is used to deliver further malicious software.

****Remcos and AgentTesla:****

This remote access tool, often spread through malicious documents in phishing emails, can bypass Windows security features, giving attackers high-level control over infected systems.

AgentTesla, which is an advanced tool, can log keystrokes, steal passwords, take screenshots, and grab login details for various applications. It is openly sold online.

Malware families’ analysis revealed a rise in Androxgh0st usage, which targets web applications to steal sensitive information, while the use of remote access tool AsyncRat has declined. Other notable families included in the top ten include Formbook, Lumma Stealer, Phorpiex, Amadey, and Raspberry Robin.

In April, SatanLock emerged as a new ransomware group, listing numerous victims on their data leak site. However, most of these victims had already been claimed by other groups, indicating a potentially competitive environment within the cybercrime community. Moreover, Akira was the most prevalent ransomware group, followed by SatanLock and Qilin.

Mobile devices remain a significant target, with Anubis, AhMyth, and Hydra topping the list of mobile malware in April. Most concerning is that these malware are becoming increasingly sophisticated, offering remote access, ransomware capabilities, and multi-factor authentication interceptions.

Furthermore, for a third consecutive month, the education sector remained the most vulnerable globally, probably due to its large user base and weak cybersecurity infrastructure. Government and telecommunications sectors followed closely. Whereas, regional analysis showed varying malware trends, with Latin America and Eastern Europe experiencing more FakeUpdates and Phorpiex, and Asia witnessing increased activity of Remcos and AgentTesla.

Given this increasingly complex and persistent cyber threat environment, CPR recommends that organizations adopt a “prevention-first” strategy, including employee training on phishing, regular software updates, and the implementation of advanced threat prevention solutions to detect and block these sophisticated attacks before they can cause harm.

FakeUpdates, Remcos, AgentTesla Top Malware Charts in Stealth Attack Surge

What do a source code editor, a smart billboard, and a web server have in common? They’ve all become launchpads for attacks—because cybercriminals are rethinking what counts as “infrastructure.” Instead of chasing high-value targets directly, threat actors are now quietly taking over the overlooked: outdated software, unpatched IoT devices, and open-source packages. It's not just clever—it’s

⚡ Weekly Recap: Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams

A list of topics we covered in the week of May 4 to May 10 of 2025

May 9, 2025 - Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

May 8, 2025 - As per a recent FBI warning, criminals are phishing users of payroll, and similar platforms to not only steal their credentials but also their funds.

May 8, 2025 - We're rolling out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.  

May 8, 2025 - The age of AI guessing our passwords is upon us, and we need to change the ways we authenticate and use passwords where we have no alternatives.

May 8, 2025 - Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

 A week in security (May 4 &#8211; May 10) 

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root…

Varonis reveals attackers are using SEO poisoning to trick IT admins into downloading malware, alongside a critical root access vulnerability in Azure’s AZNFS-mount utility affecting HPC/AI workloads. Update Azure immediately.

Cybersecurity researchers at Varonis have issued warnings on two distinct but significant threats targeting IT administrators and cloud infrastructure. Emerging within the last two months, as noted by Varonis in a blog post published on 2 May 2025, a growing trend of attackers using SEO poisoning to trick administrators into downloading malware disguised as legitimate tools is observed.

Separately, on May 6th, the company’s Threat Labs reported a critical vulnerability in a preinstalled Azure utility that could allow unprivileged users to gain full root access to cloud systems.

The SEO poisoning campaign involves cybercriminals manipulating search engine rankings to place malicious websites at the top of results for common IT administration tools. Unsuspecting admins, believing they are downloading genuine software, instead install malware that can lead to the installation of backdoors like SMOKEDHAM, enabling persistent access for attackers.

Varonis MDR Forensics team members Tom Barnea and Simon Biggs highlighted cases where this technique led to the deployment of monitoring software like a renamed version of Kickidler (grabber.exe), allowing attackers to secretly observe infected machines and steal credentials.

Attack flow – Image credit: Varonis

This initial access often paves the way for data exfiltration, as seen in one instance where the attackers successfully transferred nearly a terabyte of data out of the network, followed by the encryption of critical systems like the customer’s ESXi devices for ransom.

Ransom note – Image credit: Varonis

In a separate but equally concerning discovery, Varonis Threat Labs, led by researcher Tal Peleg, identified a critical flaw in the AZNFS-mount utility, a tool preinstalled on Azure High-Performance Computing (HPC) and Artificial Intelligence (AI) images. This vulnerability, affecting all versions up to 2.0.10, could allow an ordinary user to escalate their privileges to root on a Linux machine.

As per Veronis’ research, shared with Hackread.com, the flaw exists in the “mount.aznfs” binary, which, due to incorrect permissions, could be exploited to execute arbitrary commands with the highest system privileges. By manipulating a specific environment variable, attackers could effectively take complete control of the affected Azure systems.

Varonis Threat Labs responsibly disclosed this vulnerability to Microsoft Azure, which classified it as low severity. However, the potential impact of gaining root access to cloud infrastructure is significant, as it may allow attackers to mount additional storage, install malware, and move laterally within cloud environments. Microsoft has since released a fix in version 2.0.11 of the AZNFS-mount utility.

Still, these findings show cybercriminals are constantly improving their tactics for targeting critical IT infrastructure more effectively. The SEO poisoning campaign highlights the need for better awareness among IT professionals when downloading tools from online searches, even those appearing highly ranked. The Azure utility vulnerability emphasizes the importance of timely patching and careful configuration of cloud resources.

Varonis advises organizations to implement a “Defense in Depth” strategy, including employee training, endpoint security, network segmentation, and strict access controls, to mitigate these growing threats. Azure customers utilizing HPC images or NFS for Azure Storage are advised to update their AZNFS-mount utility immediately.

New SEO Poisoning Campaign Targeting IT Admins With Malware

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the max_depth parameter in the get_article_urls function. This allows an attacker to exhaust Python's recursion limit through repeated function calls, leading to resource consumption and ultimately crashing the Python process.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-7c85-87cp-mr6g: LlamaIndex Vulnerable to Denial of Service (DoS)

Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

A United States Customs and Border Protection request for information this week revealed the agency’s plans to find vendors that can supply face recognition technology for capturing data on everyone entering the US in a vehicle like a car or van, not just the people sitting in the front seat. And a CBP spokesperson later told WIRED that the agency also has plans to expand its real-time face recognition capabilities at the border to detect people exiting the US as well—a focus that may be tied to the Trump administration’s push to get undocumented people to “self-deport” and leave the US.

WIRED also shed light this week on a recent CBP memo that rescinded a number of internal policies designed to protect vulnerable people—including pregnant women, infants, the elderly, and people with serious medical conditions—while in the agency’s custody. Signed by acting commissioner Pete Flores, the order eliminates four Biden-era policies.

Meanwhile, as the ripple effects of “SignalGate” continue, the communication app TeleMessage suspended “all services” pending an investigation after former US national security adviser Mike Waltz inadvertently called attention to the app, which subsequently suffered data breaches in recent days. Analysis of TeleMessage Signal’s source code this week appeared to show that the app sends users’ message logs in plaintext, undermining the security and privacy guarantees the service promised. After data stolen in one of the TeleMessage hacks indicated that CBP agents might be users of the app, CBP confirmed its use to WIRED, saying that the agency has “disabled TeleMessage as a precautionary measure.”

A WIRED investigation found that US director of national intelligence Tulsi Gabbard reused a weak password for years on multiple accounts. And researchers warn that an open source tool known as “easyjson” could be an exposure for the US government and US companies, because it has ties to the Russian social network VK, whose CEO has been sanctioned.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s Deportation Airline Hack Reveals Man “Disappeared” to El Salvador**

Hackers this week revealed they had breached GlobalX, one of the airlines that has come to be known as “ICE Air” thanks to its use by the Trump administration to deport hundreds of migrants. The data they leaked from the airline includes detailed flight manifests for those deportation flights—including, in at least one case, the travel records of a man whose own family had considered him “disappeared” by immigration authorities and whose whereabouts the US government had refused to divulge.

On Monday, reporters at 404 Media said that hackers had provided them with a trove of data taken from GlobalX after breaching the company’s network and defacing its website. “Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a message the hackers posted to the site read. That stolen data, it turns out, included detailed passenger lists for GlobalX’s deportation flights—including the flight to El Salvador of Ricardo Prada Vásquez, a Venezuelan man whose whereabouts had become a mystery to even his own family as they sought answers from the US government. US authorities had previously declined to tell his family or reporters where he had been sent—only that he had been deported—and his name was even excluded from a list of deportees leaked to CBS News. (The Department of Homeland Security later stated in a post to X that Prada was in El Salvador—but only after a New York Times story about his disappearance.)

The fact that his name was, in fact, included all along on a GlobalX flight manifest highlights just how opaque the Trump administration’s deportation process remains. According to immigrant advocates who spoke with 404 Media, it even raises questions about whether the government itself had deportation records as comprehensive as the airline whose planes it chartered. “There are so many levels at which this concerns me. One is they clearly did not take enough care in this to even make sure they had the right lists of who they were removing, and who they were not sending to a prison that is a black hole in El Salvador,” Michelle Brané, executive director of immigrant rights group Together and Free, told 404 Media. “They weren't even keeping accurate records of who they were sending there.”

**The Computer of a DOGE Staffer With Sensitive Access Reportedly Infected With Malware**

Elon Musk’s so-called Department of Governmental Efficiency has raised alarms not just due to its often reckless cuts to federal programs, but also the agency’s habit of giving young, inexperienced staffers with questionable vetting access to highly sensitive systems. Now security researcher Micah Lee has found that Kyle Schutt, a DOGE staffer who reportedly accessed the financial system of the Federal Emergency Management Agency, appears to have had infostealer malware on one of his computers. Lee discovered that four dumps of user data stolen by that kind of password-stealing malware included Schutt’s passwords and usernames. It’s far from clear when Schutt’s credentials were stolen, for what machine, or whether the malware would have posed any threat to any government agency’s systems, but the incident nonetheless highlights the potential risks posed by DOGE staffers’ unprecedented access.

**Grok AI Will “Undress” Women in Public on X**

Elon Musk has long marketed his AI tool Grok as a more freewheeling, less restricted alternative to other large language models and AI image generators. Now X users are testing the limits of Grok’s few safeguards by replying to images of women on the platform and asking Grok to “undress” them. While the tool doesn’t allow the generation of nude images, 404 Media and Bellingcat have found that it repeatedly responded to users’ “undress” prompts with pictures of women in lingerie or bikinis, posted publicly to the site. In one case, Grok apologized to a woman who complained about the practice, but the feature has yet to be disabled.

**A Hacked School Software Company Paid a Ransom—but Schools Are Still Being Extorted**

This week in don’t-trust-ransomware-gangs news: Schools in North Carolina and Canada warned that they’ve received extortion threats from hackers who had obtained students’ personal information. The likely source of that sensitive data? A ransomware breach last December of PowerSchool, one of the world’s biggest education software firms, according to NBC News. PowerSchool paid a ransom at the time, but the data stolen from the company nonetheless appears to be the same info now being used in the current extortion attempts. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool told NBC News in a statement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

**A Notorious Deepfake Porn Site Shuts Down After Its Creator Is Outed**

Since its creation in 2018, MrDeepFakes.com grew into perhaps the world’s most infamous repository of nonconsensual pornography created with AI mimicry tools. Now it’s offline after the site’s creator was identified as a Canadian pharmacist in an investigation by CBC, Bellingcat, and the Danish news outlets Politiken and Tjekdet. The site’s pseudonymous administrator, who went by DPFKS on its forums and created at least 150 of its porn videos himself, left a trail of clues in email addresses and passwords found on breached sites that eventually led to the Yelp and Airbnb accounts of Ontario pharmacist David Do. After reporters approached Do with evidence that he was DPFKS, MrDeepFakes.com went offline. “A critical service provider has terminated service permanently. Data loss has made it impossible to continue operation,” reads a message on its homepage. “We will not be relaunching.”

Tag

#web