Your Period Tracker App May Be Sharing Your Data

▼ Summary
– San Francisco’s drone footage was exposed on the open web, highlighting granular urban surveillance, while the City Attorney’s Office demanded Apple and Google remove AI nudifying apps targeting women and girls.
– President Donald Trump pushed unsubstantiated claims about 2020 election interference, and documents he posted did not prove his assertions, sometimes contradicting them.
– Anthropic urged US states to regulate AI, stating that policy responses must match rapid advancements in AI capabilities.
– The period tracker Stardust sent reproductive health data to analytics firm RudderStack without in-app sharing controls, scoring 2 out of 10 in a Mozilla audit, while nonprofit tracker Euki earned a perfect 10 by keeping health data off the phone.
– Russia’s FSB was sanctioned for a cyberattack on Poland’s electric grid nearly causing a blackout, marking a shift from its usual cyberespionage role to more aggressive hacking like the GRU’s.
Hours of San Francisco Police Department drone footage floating unprotected on the open web mark a new chapter in hyper-detailed, high-stakes urban surveillance. In parallel, the San Francisco City Attorney’s Office this week sent cease-and-desist demands to Apple and Google, urging them to remove 13 AI-powered “face-swap” apps that are overwhelmingly used to target women and girls.
Since WIRED first reported on Meta’s NameTag face-recognition system in June, the company’s executives have offered vague and contradictory statements about whether the feature even exists. We stepped back to clarify the claims and the facts surrounding this very real system.
During a speech on Thursday, President Donald Trump pushed unfounded and repeatedly debunked allegations about interference in the 2020 U. S. election. He promised massive revelations from a trove of documents posted to the White House website, but the files failed to support his assertions,and in some instances, directly contradicted them.
As AI adoption accelerates and its capabilities grow, tech giant Anthropic has intensified efforts to push U. S. states toward regulation. Speaking about AI transparency laws passed in California and New York last year, Cesar Fernandez, Anthropic’s head of U. S. state and local government relations, told WIRED: “The transparency-focused safety bills of 2025 were a really important start, but as the capabilities of AI systems continue to advance quickly, the policy responses need to match.”
And there’s more. Each week, we round up the security and privacy stories we didn’t cover in depth. Click the headlines for full details. Stay safe out there.
The astrology-themed period tracker Stardust sends users’ reproductive health data,including birth control type, pregnancy status, moods, and symptoms as specific as tender breasts and stomach cramps,to a data firm not listed in its privacy policy, according to the BBC, which reported on a Mozilla Foundation audit of six popular trackers done in partnership with Harvard’s Berkman Klein Center.
Stardust scored a 2 out of 10, the worst of the group. Mozilla researcher Shoshana Wodinsky found that the app contacts third-party trackers the moment it opens, before any user input. As soon as she logged a symptom, the details were forwarded to analytics firm RudderStack alongside a persistent user ID, with no in-app option to disable the sharing. RudderStack is designed to route data onward to destinations Mozilla could not observe. Stardust also sends Facebook an ad identifier that links in-app activity to existing profiles on the platform. The company told TechCrunch it has never received a legal demand for user data.
Euki, a nonprofit-run tracker, earned a perfect 10: no account required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or pull up a decoy screen if someone forces the phone open. Its only weakness is an in-app browser for educational pages that loads standard web trackers, but it resets identifiers between visits.
Russia’s FSB has long been known for highly sophisticated cyberespionage, leaving disruptive attacks to the country’s GRU military intelligence agency. But sanctions from the EU and UK this week, along with a joint advisory from the U. S. Cybersecurity and Infrastructure Security Agency, the FBI, and the NSA, pinned a cyberattack on the Polish electric grid on Center 16 of the FSB,a rare instance of the Kremlin agency carrying out an attack that nearly caused outages in the country’s electric and water utilities. The attack, which the Polish government said came “very close” to causing a blackout, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as Unit 74455 of the GRU, a more typical suspect in infrastructure hacking given its active role in Russia’s long-running cyberwar against Ukraine. However, the Polish computer emergency response team disputed that finding and linked the attack to the FSB, a conclusion now backed by a broad consensus of Western governments. The incident suggests the FSB may be adopting some of the reckless, highly aggressive tendencies,and targets,of its GRU colleagues.
For years, the Russian cybersecurity firm Kaspersky has faced allegations of ties to the Russian government, including by U. S. officials who banned its products within the U. S. government and eventually for all American customers. Yet clear evidence of those connections has been scarce. Now Reuters reports that Denis Obrezko, a Russian man facing hacking charges in Boston and an alleged member of the hacker group known as Void Blizzard or Laundry Bear, spent two years working at Kaspersky. His tenure there occurred just before he joined another cybersecurity firm, Yutek-NN, where he allegedly participated in the group’s hacking campaign that stole data and communications from numerous NATO governments and at least 11 U. S. companies, according to U. S. prosecutors. Before Kaspersky, Obrevko also allegedly worked at the FSB, neatly bookending his time at the company with apparent work for Russia’s intelligence services.
Obrevko has pleaded not guilty to the hacking charges. Kaspersky responded in a statement to Reuters that “the offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky.”
In an incident that will alarm anyone responsible for assessing suspicious network activity, DHS officials ruled,twice,that signs of a hacker breach in its Homeland Security Information Network (HSIN) platform were false positives when they were actually signs of a very real intrusion. HSIN, used for sharing unclassified data between state, local, and federal agencies, as well as foreign partners, was breached by hackers two months ago, according to reporting from Nextgov/FCW. Analysts at the Federal Emergency Management Agency spotted signs of hacker activity in mid-May,altering files and code, hijacking a legitimate web server, and deleting logs of their behavior,but the findings were dismissed as a false positive.
In the following weeks, the hackers returned, were again detected, and were again dismissed as a mirage. It’s unclear why the signs of the breach were misjudged, but the incidents may reflect federal analysts’ growing difficulty in detecting “living off the land” hacking techniques that use legitimate network features to access target assets instead of planting more easily spotted malware. While HSIN holds only unclassified data, the information is “highly sensitive,” Senate Intelligence Committee vice chair Mark Warner said in a statement following the breach report, and “its exposure risks national security.”
The AI music startup Suno scraped millions of songs, lyrics, and podcasts from YouTube Music, Deezer, Genius, and several stock-audio libraries to train its models, according to 404 Media, which reviewed internal data provided by a hacker who breached the company. The intrusion also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment records.
Dataset notes in source code apparently from 2023 and 2024 tally 113,879 hours of YouTube Music audio alone, plus tens of thousands more from Pond5, Deezer, and other libraries,decades of music in total. Other files show Suno routing its YouTube scraping through Bright Data proxies and using PodcastIndex to target roughly 1 million hours of podcasts. The hacker, who goes by ellie.191, says they broke in by compromising an employee with the Shai-Hulud worm.
The files seemingly corroborate the record industry’s central allegation that Suno pulled songs directly from YouTube. The company, which argues that its training qualifies as fair use and settled with Warner Music Group last November, said the breach involved outdated code and no sensitive personal information,though customers whose data appeared in a sample shared with 404 Media said they were never notified.
(Source: Wired)



