
EU Age-Verification App Hacked in 2 Minutes

Summary

– A WIRED investigation revealed that Madison Square Garden and other venues owned by Jim Dolan use face recognition and social media monitoring on visitors.
– Meta faces opposition from civil society groups over potential face-recognition features in its AI smartglasses due to privacy and safety concerns.
– An analysis identified over 600 victims of nonconsensual deepfake nudes targeting middle- and high-school-aged girls across 28 countries.
– Telegram continued to host the sanctioned marketplace Xinbi Guarantee, which facilitated over $500 million in transactions after UK sanctions.
– A European Commission age-verification app was found to have critical security vulnerabilities that could allow easy profile takeover.

A new age-verification app launched by the European Commission this week was compromised in under two minutes by a security researcher, casting immediate doubt on its viability as a tool for protecting minors online. The free, open-source software is intended to help social media and adult websites confirm users’ ages, with Commission President Ursula von der Leyen stating its release left platforms with “no more excuses” for non-compliance. However, security consultant Paul Moore demonstrated critical flaws, including how the app stores a user-created PIN, enabling an attacker to easily hijack a profile. Another white-hat hacker confirmed the vulnerability. Moore publicly warned von der Leyen that the product will inevitably become “the catalyst for an enormous breach,” asserting it is only a matter of time.

This security failure arrives amid a week of significant data breaches affecting millions. Basic-Fit, Europe’s largest gym chain, confirmed a major incident compromising bank details, names, addresses, and birthdates for roughly one million customers across several countries. The breach originated from a single system tracking member visits. Separately, global travel giant Booking.com notified customers that hackers may have extracted names, contact information, and booking details, though the company stated no financial data was lost. The full scope of that breach remains unclear.

On the social media front, the decentralized platform Bluesky confirmed it weathered a sophisticated DDoS attack that caused intermittent failures across its feeds and services for much of Thursday. The company found no evidence of unauthorized data access. Notably, the attack did not affect independent communities operating on the same underlying protocol, some of which reported a spike in new user migration requests during the outage.

In the United States, a hiring surge at Immigration and Customs Enforcement has raised questions about vetting procedures. An Associated Press review found that among 40 recently hired agents, several had histories of alleged misconduct or significant unpaid debts from previous law enforcement roles. The Department of Homeland Security acknowledged issuing temporary job offers to some applicants before completing their full background checks.

The Russian cryptocurrency exchange Grinex, a reported successor to the sanctioned platform Garantex, announced it is suspending operations after a hack stole over $13 million in user funds. The exchange claimed the attack bore the hallmarks of a state-sponsored operation by an “unfriendly” country aimed at damaging Russia’s financial sovereignty, though it provided no public evidence. Grinex itself had been sanctioned by U.S. authorities for allegedly aiding Russian sanctions evasion.

These developments follow broader trends of escalating digital risks. Over 70 civil society groups petitioned Meta this week to abandon any plans for facial recognition features in its AI smart glasses, warning the combination with covert recording capabilities would devastate personal privacy and empower stalkers or abusive authorities. Meanwhile, an investigation into non-consensual AI-generated nude imagery identified more than 600 middle and high school-aged victims across 28 countries, highlighting the global scourge of deepfake abuse in schools.

In the private sector, a WIRED investigation found the messaging app Telegram continues to host a marketplace called Xinbi Guarantee, which the UK government has sanctioned as a facilitator of human trafficking. Blockchain analysis indicates the platform processed another half-billion dollars in transactions in the weeks following that sanction. The accelerating integration of AI into cybersecurity was also on display, with leading firms Anthropic and OpenAI each announcing new AI models specifically designed for cyber defense and offense, signaling the next phase of the AI security race.

(Source: Wired)
