It may be a new year, but the hacks, scams, and dangerous people lurking online haven’t gone anywhere.
Just a day before the ball dropped, the United States Treasury Department said it had been hacked. Officials believe the attackers are an as-yet-unidentified Advanced Persistent Threat group linked to China’s government that exploited flaws in remote tech support software made by BeyondTrust to carry out what the Treasury Department described as a “major” breach. The company told the Treasury on December 8 that the attackers stole an authentication key, which ultimately allowed them to access department computers. While the Treasury says the attackers were only able to steal “certain unclassified documents,” new details have already begun to emerge, which we’ll get into more below.
Before the murder of UnitedHealthcare CEO Brian Thompson last month, gun silencers were mostly a thing you encountered in Hollywood films—or in Facebook and Instagram ads, if you looked closely. WIRED found that someone has run thousands of ads for “fuel filters” that are, in fact, meant to be used as gun silencers, which are heavily regulated by US law. Meta, which owns Facebook and Instagram, has since removed many of the ads, but new ones keep popping up. So if you see one, keep scrolling—owning an unregistered silencer could result in felony charges.
When an Amber Alert push notification pops up on your phone, getting all the information you need to help find an abducted child can literally be a matter of life and death. That’s a lesson the California Highway Patrol learned this week when it sent out an Amber Alert that linked to a post on X, which people couldn’t access unless they were signed in. While CHP says it has linked to posts on the social network since 2018 without any issues until this week, a spokesperson tells WIRED they’re “looking into it” now.
If you’ve added better privacy and security practices to your list of 2025 goals, one easy place to start is your old chat histories. You might be surprised how much sensitive information is out there, perhaps forgotten but definitely not gone.
That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Apple this week agreed to pay $95 million to settle a class action over its Siri voice assistant’s alleged eavesdropping. The lawsuit, Lopez et al v. Apple Inc., accused Apple of recording people’s conversations without their knowledge and sharing that data with third parties to serve advertisements. The issue stemmed from Siri’s voice-activation function—”Hey, Siri”—which two plaintiffs say surreptitiously captured conversations that resulted in ads for Nike shoes and the Olive Garden. One plaintiff claimed to have been served an ad for a medical treatment after having a conversation with his doctor. People who qualify as part of the class covered by the settlement, which must be approved by a federal judge in California, could receive up to $20 per device, for as many as five devices. As Reuters points out, the settlement amount is approximately nine hours of profit for Apple, which made nearly $94 billion in the last fiscal year. The company will not admit to any wrongdoing as part of the agreement.
Newly unsealed court documents revealed that the FBI allegedly discovered during a search for a single illegal firearm the “largest seizure of homemade explosives in FBI history.” According to court records, the explosives arsenal was found at the Virginia home of Brad Spafford, where investigators allegedly found more than 150 pipe bombs and other explosive devices. Prosecutors say the FBI found a backpack containing pipe bombs and adorned with a grenade-shaped patch with the hashtag #NoLivesMatter—a potential reference to a far-right extremist “accelerationist” group, The New York Times reports. While prosecutors claim that Spafford—who allegedly used a photo of US president Joe Biden for target practice—aimed to “bring back political assassinations,” his attorney contends that he is a harmless “family man” who should be granted release
Following revelations earlier this week that Chinese state-backed hackers breached the US Treasury in early December, the Washington Post reported on Wednesday that the hackers specifically targeted the Office of Foreign Assets Control. The attackers may have been looking for information about the Office’s possible plans to sanction Chinese entities. Additionally, Bloomberg reported on Thursday that the attackers targeted the computers of senior Treasury officials, where they were able to access unclassified material. Thus far, investigators have reportedly identified about 100 computers compromised by the hackers. Sources told Bloomberg, though, that the attack seems to have been more of a crime of opportunity than a clandestine, long-planned operation like China’s recent infiltration of US telecom companies.
As China’s Treasury hack comes into focus, the impact of its intrusions into American telecommunications firms is still widening. Two days after Christmas, Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, held a briefing with reporters in which she raised the count of telecoms breached by the Chinese hackers known as Salt Typhoon from eight to nine and suggested that at least some of the blame for those breaches lies with the companies’ own inadequate security. “The reality is that, from what we’re seeing regarding the level of cybersecurity implemented across the telecom sector, those networks are not as defensible as they need to be to defend against a well-resourced, capable offensive cyber actor like China,” Neuberger said. She added that the hackers had targeted the communications histories of fewer than 100 people—mostly in Washington, DC, reportedly including president-elect Donald Trump and vice president-elect JD Vance. Neuberger said that the espionage incident calls for new Federal Communications Commission cybersecurity regulations that she says might have limited the scope of the breaches had they been in place.
Cars collect and transmit as much sensitive location data as any modern digital device, and the privacy pitfalls of all that tracking are becoming all too clear. Case in point: A whistleblower warned Germany’s Chaos Computer Club and the country’s Der Spiegel news outlet that Cariad, a subsidiary of Volkswagen, left exposed online a trove of 800,000 electric vehicles’ location data. The leak included cars sold by not only Volkswagen but also other brands, including Seats, Audi, and Skoda. For Audi and Skoda, that location data was accurate only to within about six miles, but Volkswagen and Seats cars could be located to within about four inches. The exposed data has since been secured, but the incident nonetheless demonstrates how far carmakers have yet to go to rein in their data collection.
