Privacy Roundup #0227 • June 2025
June 2025 brought record credential leaks, fresh spyware findings and a wave of state and court decisions that pushed surveillance deeper into everyday life.
1. Researchers find 16 billion login records exposed online
Cybernews reported thirty exposed datasets holding about 16 billion username and password pairs, most of them gathered by infostealer malware. The files covered accounts at Apple, Google, Facebook and many government services, though much of the data was recycled from older leaks.
2. Meta and Yandex caught tracking Android users through localhost
Researchers showed that Facebook, Instagram and Yandex apps quietly listened on local ports to link people's web browsing to their real identities, even during private browsing. Meta paused the technique within days of the disclosure.
3. Supreme Court upholds Texas age verification law
On 27 June the court ruled six to three that Texas may force adult websites to verify the age of every visitor. Critics warned that the decision burdens lawful speech and pushes people to hand over identity documents to access content.
4. ICE buys a tool that tracks phones across whole neighbourhoods
Documents reviewed by 404 Media showed that Immigration and Customs Enforcement bought access to commercial location data drawn from hundreds of millions of phones. An internal legal analysis stated the agency could query the data without a warrant.
5. Citizen Lab confirms Paragon spyware on journalists' phones
Forensic analysis confirmed that Paragon's Graphite spyware infected the iPhones of an Italian reporter and another European journalist through a zero-click attack. Apple had patched the flaw, which it tracked as CVE-2025-43200, in iOS 18.3.1.
6. Court approves sale of 23andMe and its DNA database
A bankruptcy judge cleared the sale of 23andMe, including the genetic data of more than thirteen million customers, to a nonprofit led by founder Anne Wojcicki. More than two dozen states had sued to block the deal, arguing that genetic data is not ordinary property.
7. Cyberattack on UNFI empties Whole Foods shelves
United Natural Foods, the main distributor for Whole Foods and thousands of grocers, took systems offline after detecting an intrusion on 5 June. The outage disrupted deliveries for days and forced the company to warn of product shortages.
8. Aflac discloses breach in wave of attacks on insurers
Aflac said on 20 June that intruders had reached its United States network on 12 June and may have taken personal and health data. Investigators tied the social engineering attack to the broader campaign against American insurers.
9. EFF warns the EU encryption roadmap makes everyone less safe
The European Commission set out a plan to give police a way to read encrypted communications by 2030, part of its ProtectEU strategy. More than eighty groups and experts signed a letter saying any backdoor weakens security for all users.
10. Germany fines Vodafone 45 million euros over data failings
The federal data protection regulator imposed two fines on Vodafone on 3 June for poor oversight of sales agents and weak customer verification. The penalties followed fraud cases and security flaws in the company's online portal and hotline.
11. Predator spyware rebuilds its hidden infrastructure
Insikt Group reported on 12 June that operators of Predator spyware had expanded their network to five layers to hide its origin. The researchers also found a previously unknown customer in Mozambique, despite earlier sanctions on the makers.
12. Meta brings targeted advertisements to WhatsApp
On 16 June Meta said it would place ads in the Updates tab of WhatsApp, using data such as location, language and channels followed. Privacy groups said any advertising built on personal data is a problem, even in an encrypted app.
13. Health firm Episource reports breach affecting 5.4 million
Episource, which handles medical coding and risk work for health plans, disclosed that intruders took the records of about 5.4 million people. The stolen files included names, Social Security numbers, diagnoses and treatment details.
14. Zoomcar breach exposes 8.4 million users
The car sharing firm told the United States Securities and Exchange Commission on 17 June that an intruder had reached the data of about 8.4 million users. The exposed records held names, phone numbers, addresses and car registration details.
15. Privacy groups find data brokers skip state registration
A joint study by EFF and Privacy Rights Clearinghouse found that hundreds of data brokers registered in one state but not in others. The groups urged regulators to check whether the gaps point to widespread non-compliance.
16. NSO Group appeals the 168 million dollar WhatsApp award
The spyware maker asked the court to cut the damages or grant a new trial after a jury found it liable for hacking 1,400 WhatsApp users. NSO argued it could not pay the punitive award handed down in May.
17. EFF says Flock Safety updates cannot make plate readers safe
Flock Safety promised new privacy controls for its number plate cameras after public pressure. EFF argued that the firm's national, linked surveillance network is the real problem, and no setting can fix it.
18. Ransomware attack at McLaren Health Care hits 743,000 people
The Michigan health system began notifying about 743,000 patients on 20 June about a breach traced to a 2024 ransomware attack. The stolen files held names, Social Security numbers, driving licence numbers and medical details.
19. Android 16 adds an Advanced Protection mode
Google shipped Android 16 with a single setting that gathers its strongest security and privacy tools in one place. EFF said people at higher risk, such as journalists and activists, should consider turning it on.
20. EFF publishes its 2025 Who Has Your Back report
The annual report graded twenty-four companies on how well they tell users about government data requests and disclose retention policies. Nine firms, among them Apple, Adobe and Dropbox, earned a star in every category open to them.