Ask Runable forDesign-Driven General AI AgentTry Runable For Free
Runable
Back to Blog
Technology8 min read

Your Period Tracker Is (Probably) Spying on You | WIRED

Plus: Russian cyberspies turn to infrastructure hacking, DHS repeatedly fails to realize it’d been hacked, a breach exposes an AI music generator’s scraping...

security roundupsecuritycybersecurityprivacyrussia+2 more
Your Period Tracker Is (Probably) Spying on You | WIRED
Listen to Article
0:00
0:00
0:00

Your Period Tracker Is (Probably) Spying on You | WIRED

Overview

Security News This Week: Your Period Tracker Is (Probably) Spying on You

Hours of San Francisco Police Department drone video footage exposed on the open web illustrates a new era of incredibly granular—and consequential—urban surveillance. Meanwhile, the San Francisco City Attorney’s Office sent cease-and-desist letters to Apple and Google this week demanding that the tech giants delete 13 AI nudifying “face-swap” apps from their app stores that are almost exclusively used to target women and girls.

Details

tech giants delete 13 AI nudifying “face-swap” apps

Since WIRED first reported in June about Meta’s Name Tag face-recognition system, company executives have made opaque and conflicting comments about whether the feature even exists. We took a step back to lay out both the claims and the facts about the very real system.

In a speech on Thursday, President Donald Trump continued to push unsubstantiated and thoroughly debunked claims about interference in the 2020 US election. He even promised massive revelations in a trove of documents posted to the White House website, but the files did not prove his assertions—and in some cases actually contradicted Trump’s claims.

As adoption of AI tools rapidly expands and their capabilities increase, the tech giant Anthropic continued a push to get US states to regulate AI. Speaking about AI transparency requirements in California and New York from last year, Anthropic’s head of US state and local government relations, Cesar Fernandez, told WIRED this week, “The transparency-focused safety bills of 2025 were a really important start, but as the capabilities of AI systems continue to advance quickly—the policy responses need to match.”

Anthropic continued a push to get US states to regulate AI

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Mozilla Graded Period Trackers on Privacy. Only One Aced It

Mozilla Graded Period Trackers on Privacy. Only One Aced It

Stardust scored 2 out of 10, the worst of the group. Mozilla researcher Shoshana Wodinsky found the app pings third-party trackers from the moment it opens, before a user enters anything; the instant she logged a symptom, the details went to analytics firm Rudder Stack alongside a persistent user ID, with no in-app way to shut the sharing off. Rudder Stack is built to route data onward to destinations Mozilla couldn't observe. Stardust also hands Facebook an ad identifier that ties in-app behavior to the platform's existing profiles. The company told Tech Crunch it has never received a legal demand for user data.

Euki, a nonprofit-run tracker, earned a perfect 10: no account required, health data never leaves the phone, and users can set a PIN, schedule automatic deletion, or pull up a decoy screen if someone forces the phone open. Its one soft spot is an in-app browser for educational pages that loads the usual web trackers, but it also resets identifiers between visits.

Russia’s FSB Sanctioned for Cyberattack on Polish Infrastructure

Russia’s FSB Sanctioned for Cyberattack on Polish Infrastructure

Russia’s FSB has long had a reputation for highly sophisticated cyberespionage, leaving disruptive cyberattacks to its fellow hackers in the country’s GRU military intelligence agency. But sanctions from the EU and UK this week, along with an advisory from the US Cybersecurity and Infrastructure Security Agency, the FBI, and the NSA, pinned a cyberattack against the Polish electric grid on Center 16 of the FSB, a rare example of the Kremlin agency carrying out a cyberattack that nearly caused outages in the country’s electric and water utilities. The attack, which the Polish government has said came “very close” to causing a blackout, was initially attributed by cybersecurity firms Dragos and ESET to Sandworm, also known as Unit 74455 of the GRU, a more usual suspect in infrastructure hacking given its active role in Russia’s long-running cyberwar against Ukraine. But the Polish computer emergency response team at the time disputed that finding and tied the attack to the FSB, a conclusion now supported by a wide consensus of Western governments. The incident suggests that the FSB may be taking on some of the reckless, highly aggressive tendencies—and targeting—of its GRU coworkers.

An Alleged Russian State-Sponsored Hacker Worked for Kaspersky

An Alleged Russian State-Sponsored Hacker Worked for Kaspersky

For years, the Russian cybersecurity firm Kaspersky has been alleged to have ties to the Russian government, including by US officials who banned use of the company’s products within the US government and eventually by all American customers. Yet overt evidence of those connections has been scarce. Now Reuters reports that Denis Obrezko, a Russian man facing hacking charges in Boston and an alleged member of a hacker group known as Void Blizzard or Laundry Bear, spent two years working at Kaspersky. His stint at the company took place just before he joined another cybersecurity company, Yutek-NN, where he allegedly took part in the group’s hacking campaign that stole data and communications from numerous NATO governments and at least 11 US companies, according to US prosecutors. Prior to Kaspersky, Obrevko also allegedly worked at the FSB, neatly bookending his time at the company with apparent work for Russia’s intelligence services.

Obrevko has pleaded not guilty to the hacking charges. Kaspersky responded in a statement to Reuters that “the offenses charged cannot be related to the individual’s role or responsibilities during the employment at Kaspersky.”

A Real DHS Breach Was Twice Ruled a False Positive

In an incident that will induce anxiety in anyone responsible for assessing suspicious network activity, DHS officials ruled—twice—that signs of a hacker breach in its data-sharing Homeland Security Information Network platform were false positives when they were, in fact, signs of a very real intrusion. HSIN, used for sharing unclassified data between state, local, and federal agencies, as well as foreign partners, was breached by hackers two months ago, according to reporting from Nextgov/FCW. Analysts at the Federal Emergency Management Agency spotted signs of hacker activity in mid-May—altering files and code, hijacking a legitimate web server, and deleting logs of their behavior—but the findings were dismissed as a false positive.

In the weeks that followed, the hackers returned, were again detected, and were again dismissed as a mirage. It’s not clear why the signs of the breach were misjudged, but the incidents may represent federal analysts’ increasing challenges in detecting “living off the land” hacking techniques that use legitimate features of networks to access target assets on a network rather than planting more easily spotted malware. While the HSIN houses only unclassified data, the information is “highly sensitive,” Senate Intelligence Committee vice chair Mark Warner said in a statement following the report of the breach, and “its exposure risks national security.”

Hack Exposes an AI Music Generator’s Scraping Secrets

Hack Exposes an AI Music Generator’s Scraping Secrets

The AI music startup Suno scraped millions of songs, lyrics, and podcasts from You Tube Music, Deezer, Genius, and a string of stock-audio libraries to train its models, according to 404 Media, which reviewed internal data provided by a hacker who breached the company. The intrusion also exposed account information for hundreds of thousands of customers, including emails, phone numbers, and Stripe payment records.

Dataset notes in source code apparently from 2023 and 2024 tally 113,879 hours of You Tube Music audio alone, plus tens of thousands more from Pond 5, Deezer, and other libraries—decades of music in total. Other files show Suno routing its You Tube scraping through Bright Data proxies and using Podcast Index to target roughly 1 million hours of podcasts. The hacker, who goes by ellie.191, says they broke in by compromising an employee with the Shai-Hulud worm.

The files seemingly corroborate the record industry’s central allegation that Suno pulled songs directly from You Tube. The company, which argues that its training qualifies as fair use and settled with Warner Music Group last November, said the breach involved outdated code and no sensitive personal information—though customers whose data appeared in a sample shared with 404 Media said they were never notified.

In your inbox: Inside WIRED’s newsroom with Katie Drummond

In your inbox: Inside WIRED’s newsroom with Katie Drummond

Trump mocked Zuckerberg and Bezos by showing off fawning texts

Trump mocked Zuckerberg and Bezos by showing off fawning texts

Apple is making your older i Phone run faster and stay alive longer

Apple is making your older i Phone run faster and stay alive longer

WIRED event: Pepsi Co’s once-in-a-generation transformation

WIRED event: Pepsi Co’s once-in-a-generation transformation

Key Takeaways

  • Security News This Week: Your Period Tracker Is (Probably) Spying on You

  • Hours of San Francisco Police Department drone video footage exposed on the open web illustrates a new era of incredibly granular—and consequential—urban surveillance

  • tech giants delete 13 AI nudifying “face-swap” apps

  • Since WIRED first reported in June about Meta’s Name Tag face-recognition system, company executives have made opaque and conflicting comments about whether the feature even exists

  • In a speech on Thursday, President Donald Trump continued to push unsubstantiated and thoroughly debunked claims about interference in the 2020 US election

Cut Costs with Runable

Cost savings are based on average monthly price per user for each app.

Which apps do you use?

Apps to replace

ChatGPTChatGPT
$20 / month
LovableLovable
$25 / month
Gamma AIGamma AI
$25 / month
HiggsFieldHiggsField
$49 / month
Leonardo AILeonardo AI
$12 / month
TOTAL$131 / month

Runable price = $9 / month

Saves $122 / month

Runable can save upto $1464 per year compared to the non-enterprise price of your apps.