Robert Grupe's AppSecNewsBits 2025-06-22

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Sitecore CMS exploit chain starts with hardcoded 'b' password
Scans show over 22,000 publicly exposed Sitecore instances, highlighting a significant attack surface, though not all are necessarily vulnerable.
Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive. Patches addressing the issues were made available in May 2025, but the CVE IDs and technical details were embargoed until June 17, 2025, to give customers time to update.
A chain of Sitecore Experience Platform (XP) vulnerabilities allows attackers to perform remote code execution (RCE) without authentication to breach and hijack servers.
The pre-auth RCE chain consists of three distinct vulnerabilities. It hinges on the presence of an internal user (sitecore\ServicesAPI) with a hardcoded password set to "b", making it trivial to hijack.
This built-in user isn't an admin and has no assigned roles. However, the researchers could still use it to authenticate via an alternate login path (/sitecore/admin) due to Sitecore's backend-only login checks being bypassed in non-core database contexts.
The result is a valid ".AspNet.Cookies" session, granting the attacker authenticated access to internal endpoints protected by IIS-level authorization but not Sitecore role checks.
With this initial foothold secured, attackers can exploit the second vulnerability, a Zip Slip flaw in Sitecore's Upload Wizard.
A ZIP file uploaded via the wizard can contain a malicious file path like /\/../webshell.aspx. Due to insufficient path sanitization and the way Sitecore maps paths, this results in writing arbitrary files into the webroot, even without knowledge of the full system path. This enables the attacker to upload a webshell and execute remote code.
A third vulnerability becomes exploitable when the Sitecore PowerShell Extensions (SPE) module is installed (commonly bundled with SXA). This flaw allows an attacker to upload arbitrary files to attacker-specified paths, bypassing extension or location restrictions entirely and providing a simpler route to reliable RCE.

WordPress Motors theme flaw mass-exploited to hijack admin accounts
Motors, developed by StylemixThemes, is a WordPress theme popular among automotive-related websites. StylemixThemes released Motors version 5.6.68, which addresses CVE-2025-4322, on May 14, 2025, but many users failed to apply the update by Wordfence's disclosure and got exposed to elevated exploitation risk.
The attacks began on May 20, only a day after they publicly disclosed the details. Wide-scale attacks were observed by June 7, 2025, with Wordfence reporting blocking 23,100 attempts against its customers.
The flaw arises from an improper user identity validation during password updating, allowing unauthenticated attackers to change administrator passwords at will.
The vulnerability is in the Motors theme's "Login Register" widget, including password recovery functionality.
The attacker first locates the URL where this widget is placed by probing /login-register, /account, /reset-password, /signin, etc., with specially crafted POST requests until they get a hit.
The request contains invalid UTF-8 characters in a malicious 'hash_check' value, causing the hash comparison in the password reset logic to succeed incorrectly.
The POST body contains a 'stm_new_password' value that resets the user password, targeting user IDs that typically correspond to administrator users.
Once access is gained, the attackers log into the WordPress dashboard as administrators and create new admin accounts for persistence.

No, the 16 billion credentials leak is not a new data breach
News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.. his is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
The most important step is to adopt and maintain good cybersecurity habits you should already be following.
To check if your credentials have appeared in known breaches, consider using services like Have I Been Pwned.

16 billion passwords exposed in record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable
With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled.
The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances.
Most of the information followed a clear structure: URL, followed by login details and a password. Most modern infostealers – malicious software stealing sensitive information – collect data in exactly this way.
• Even if you think you are immune to this or other leaks, go and reset your passwords just in case.
• Select strong, unique passwords that are not reused across multiple platforms
• Enable multi-factor authentication (MFA) wherever possible
• Closely monitor your accounts
• Contact customer support in case of any suspicious activity
[rG: Further protections:]
• Ensure you have strong anti-virus/security software running on all your Internet used devices (computers, mobile).
• For devices that you don’t fully control with security software (e.g. home electronics), use account names and passwords that are different that ones used for your protected devices.
• Change your passwords regularly to limit the amount of time they could be used if compromised. Password managers can help make this easier. Don’t reuse passwords.
• Enterprises need Internet and network security scanning to block unauthorized/suspicious packets that may contain credentials.

Over 8M patient records leaked in healthcare data breach
Researchers discovered a misconfigured MongoDB database exposing 2.7 million patient profiles and 8.8 million appointment records. The database was publicly accessible online, unprotected by passwords or authentication protocols. Anyone with basic knowledge of database scanning tools could have accessed it.
Clues within the data structure point toward Gargle, a Utah-based company that builds websites and offers marketing tools for dental practices.

Healthcare SaaS firm says data breach impacts 5.4 million patients
Episource is an American healthcare services company that provides risk adjustment, medical coding, data analytics, and technology solutions to health plans and providers.
Episource says it detected unusual activity on its systems on February 6, 2025. An investigation revealed that hackers accessed and exfiltrated sensitive data stored on these systems since January 27.
Exposed data includes name, address, SSN, phone numbers, medical records, and plan/ID information.

Glazed and confused: Hole lotta highly sensitive data nicked from Krispy Kreme
Experts note 'major red flags' in donut giant's security as 161,676 staff and families informed of attack details. Sensitive information included: biometrics; financial account access information; payment card information in combination with a security code, username, and password to a financial account; government issued IDs; medical insurance and information; and more.
The incident is estimated to have taken a $5 million dent in its EBITDA during the reporting period.

Scania confirms insurance claim data breach in extortion attempt
Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.
The attackers emailed several Scania employees, threatening to leak the data online unless their demands were met.
On the 28th and 29th of May, a perpetrator used credentials for a legitimate external user to gain access to a system used for insurance purposes; our current assumption is that the credentials used by the perpetrator were leaked by a password stealer malware. Using the compromised account, documents related to insurance claims were downloaded. Insurance claim documents are likely to contain personal and possibly sensitive financial or medical data, so the incident could have a significant impact on those affected. At this time, the number of exposed individuals remains undefined.

To avoid admitting ignorance, Meta AI says man’s number is a company helpline
A record shop worker in the United Kingdom, Barry Smethurst, was attempting to ask WhatsApp's AI helper for a contact number for TransPennine Express after his morning train never showed up.
Instead of feeding up the train services helpline, the AI assistant "confidently" shared a private WhatsApp phone number that a property industry executive, James Gray, had posted to his website.
Smethurst asked the chatbot why it shared Gray's number, prompting the chatbot to admit "it shouldn’t have shared it," then deflect from further inquiries by suggesting, "Let’s focus on finding the right info for your TransPennine Express query!"
But Smethurst didn't let the chatbot off the hook so easily. He prodded the AI helper to provide a better explanation. At that point, the chatbot promised to "strive to do better in the future" and admit when it didn't know how to answer a query, first explaining that it came up with the phone number "based on patterns" but then claiming that the number it had generated was "fictional" and not "associated with anyone."

‘Botched’ aged care AI camera trial generates 12,000 false alerts
A 12-month pilot of AI-based surveillance technology designed to detect falls and abuse in two South Australian aged care homes generated more than 12,000 false alerts. The sheer number of alerts created alert fatigue that “overwhelmed” already overworked staff, and in at least one instance, the persistent false alerts meant a staff member did not respond to a true resident fall event.

HACKING

Record DDoS pummels site with once-unimaginable 7.3Tbps of junk traffic
Attacker rained down the equivalent of 9,300 full-length HD movies in just 45 seconds. the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address.
The attack was delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.
The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.
The record DDoS exploited various reflection or amplification vectors, including the Network Time Protocol; the Quote of the Day Protocol; the Echo Protocol; and Portmapper services used identify resources available to applications connecting through the Remote Procedure Call.

Sneaky Serpentine#Cloud slithers through Cloudflare tunnels to inject orgs with Python-based malware
The attack starts off with an invoice-themed phishing email that contains a Windows shortcut (.lnk) file disguised as a PDF document. Once the victim clicks on the malicious link, it kicks off a rather elaborate attack chain consisting of a combination of batch, VBScript and Python stages to ultimately deploy shellcode that loads a Donut-packed PE payload.
To host and deliver these payloads, the criminals use Cloudflare's TryCloudflare tunneling services, a legit tool commonly used by developers to expose a server to the internet without opening any ports.
This helps the attackers increase their stealthiness in delivering malware in a couple of ways: first, because TryCloudflare is used for legitimate testing and development purposes, most organizations don't block it or monitor its traffic. Cloudflare's TLS certificates also allow the malicious traffic to better blend in with normal network activity and bypass domain-blocking tools.
Plus, using Cloudflare's tunnels means the attackers don't need to register domains or rent VPS servers, which makes attribution and takedowns by security researchers more difficult.

Iran’s internet goes offline for hours amid claims of ‘enemy abuse’
Internet traffic in Iran dropped precipitously late on Wednesday and has remained near zero since.
A group called Predatory Sparrow, which has previously boasted of attacks on Iranian targets and is thought to have Israel’s backing, has claimed responsibility for an Iranian bank.
Tehran reportedly asked its citizens to delete Meta’s messaging app WhatsApp, on the grounds that it enabled surveillance.

Cyber weapons in the Israel-Iran conflict may hit the US
Iranian cyber espionage activity already targets the US government, military, and political [sector], but new activity may threaten privately owned critical infrastructure, or even private individuals.

Russian hackers bypass Gmail MFA using stolen app passwords
The attack starts with an email signed by Claudie S. Weber, allegedly from the U.S. State Department, inviting Giles to “a private online conversation.” Although the message is delivered from a Gmail account, multiple @state[.]gov email addresses are present in the carbon copy (CC) line, including one for Claudie S. Weber, making it more credible that the communication was official. The researchers say that they could not find any evidence of a “Claudie S. Weber” being employed by the U.S. State Department. “We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist.” After several email exchanges where Giles expressed interest but disclosed that they might not be available on the indicated day, the threat actor invited him to join the State Department’s “MS DoS Guest Tenant” platform. PDF file detailing how to create an app-specific password on a Google account, which was necessary for enrolling on the alleged platform as a guest user, is sent. While the target believes that they are creating and sharing an app-specific password to access a State Department platform in a secure way, they are giving the attacker full access to their Google account.
Google recommends enrolling into its Advanced Protection Program, which elevates security measures on the account and does not allow creating an app-specific password, or log in without providing a certain passkey.

Asana's cutting-edge AI feature ran into a little data leakage problem
MCP is an open-source protocol first introduced by Anthropic in November 2024 that allows AI agents and language models to connect to external sources like databases and messaging platforms and interact with each other.
Asana, which provides software for managing workflows and collaboration among teams, rolled out its MCP server on May 1. The new feature allows users to integrate with and access their Asana data from other AI apps, plus use natural language queries to ask questions about their enterprise data.
Asana discovered a vulnerability in the MCP server on June 4 and took the feature offline for maintenance from June 5 through June 17. "This bug could have potentially exposed certain information from your Asana domain to other Asana MCP users."
Considering enterprises may use Asana to share sensitive data while collaborating on projects, a leaky AI integration could have ended very badly for the software vendor and its customers.
The bug highlights key lessons for any organization integrating LLMs. The Anyone using MCP should enforce strict tenant isolation and least-privilege access to limit the scope of data that the AI systems can access. It's also important to "log everything," and especially LLM-generated queries, to assist with any future incident reports and investigations.

CZ Warns Video Verification ‘Out the Window’ After Deepfake Scam Hits Analyst
AI-powered deepfake technology has made video call verification unreliable for security purposes. He also warned users to avoid installing software from unofficial sources, even if the request comes from their friends [rG: or trusted persons], as their accounts may have been compromised.
An analyst lost control of her X account after falling victim to a deepfake attack during a video call.
The attack began when her friend’s Telegram account was compromised, allowing attackers to exploit the account and initiate a video meeting. Fujimoto had accepted the Zoom call invitation, as the communication appeared to be from a known contact.
During the 10-minute video call, Fujimoto could see what appeared to be the face of her acquaintance, but could not hear. The impersonator provided a link that said it would resolve the audio issue and provided step-by-step instructions on how to adjust settings. Fujimoto believes that this was when malware was installed on her computer, which subsequently led to the theft of her social media account.

Address bar shows hp.com. Browser displays scammers’ malicious text anyway.
The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites. While Google displays only the scheme and host name of the site the ad links to (for instance, https[://]www[.[microsoft[.]com), the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.
Google requires ads to display the official domain they link to, but the company allows parameters to be added to the right of it that aren't visible. The scammers are taking advantage of this by adding strings to the right of the hostname. It's not known if ads on other sites can be abused in a similar way. It's not known if ads on other sites can be abused in a similar way.
Browser security product can notify users of such scams. A more comprehensive preventative step is to never click on links in Google ads, and instead, when possible, to click on links in organic results.

Think Twice Before You Click

1 in every 644 clicks on unsubscribe links that say “click here to unsubscribe” leads users to potentially malicious websites.
The lowest risk is that bad actors who have acquired your email address are testing to see if it is a live one. Clicking on that unsubscribe link tells attackers you’re a real person who interacts with spam. It may not cause immediate harm, but it “can make you a bigger target in the future.
[rG: Ensure that you have strong anti-virus/security software installed on devices where you access your email, but still be wary because hackers are still outsmarting detection rules and AI.]

Vandals cut fiber-optic lines, causing outage for Spectrum Internet subscribers
The people behind the incident thought they were targeting copper lines. Instead, they cut into fiber optic cables. The cuts caused service disruptions for subscribers in Van Nuys California and surrounding areas. personnel had to splice thousands of fiber lines to restore service to affected subscribers. Spectrum has since restored service and is offering a $25,000 reward for information leading to the apprehension of the people responsible. Spectrum will also credit affected customers one day of service on their next bill.

Chinese AI Companies Dodge U.S. Chip Curbs by Flying Suitcases of Hard Drives Abroad
To avoid raising suspicions at Malaysian customs, the Chinese engineers packed their hard drives into four different suitcases. Last year, they traveled with the hard drives bundled into one piece of luggage.
They returned to China recently with the results—several hundred gigabytes of data, including model parameters that guide the AI system’s output.
The procedure, while cumbersome, avoided having to bring hardware such as chips or servers into China. That is getting more difficult because authorities in Southeast Asia are cracking down on transshipments through the region into China.

APPSEC, DEVSECOPS, DEV 

Trump quietly throws out Biden's cyber policies
- A broad requirement for federal software vendors to provide a software bill of materials - essentially an ingredient list of code components - is gone.
- Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
- Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
- The requirement that software contractors formally attest they followed secure development practices - and submit those attestations to a federal repository - has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.

 
Cybersecurity takes a big hit in new Trump executive order

Fact Sheet: President Donald J. Trump Reprioritizes Cybersecurity Efforts to Protect America
 

US White House: Sustaining Select Efforts To Strengthen The Nation’s Cybersecurity And Amending Executive Order 13694 And Executive Order 14144
Trump Administration updates to Biden Administration Executive Order 14144 from 1/17/2025.
(i) By August 1, 2025, the Secretary of Commerce, acting through the Director of NIST, shall establish a consortium with industry at the National Cybersecurity Center of Excellence to develop guidance, informed by the consortium as appropriate, that demonstrates the implementation of secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).
(iii) By December 1, 2025, the Secretary of Commerce, acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall develop and publish a preliminary update to the SSDF. This preliminary update shall include practices, procedures, controls, and implementation examples regarding the secure and reliable development and delivery of software as well as the security of the software itself. Within 120 days of publishing the preliminary update, the Secretary of Commerce, acting through the Director of NIST, shall publish a final version of the updated SSDF.”
[rG: As a contributor to the NIST SSDF 800-218, I am encouraged to see the continued government focus on developing this guidance. While the CISA requirement to develop a standard compliance attestation form was dropped, that provision may still come back later after this next refined guidance update.]

VENDORS & PLATFORMS
35 open-source security tools to power your red team, SOC, and cloud security

Coming to Apple OSes: A seamless, secure way to import and export passkeys
The biggest thing holding back passkeys at the moment is their lack of usability. Apps, OSes, and websites are, in many cases, islands that don't interoperate with their peers. Besides potentially locking users out of their accounts, the lack of interoperability also makes passkeys too difficult for many people.
One of the biggest shortcomings of passkeys is that Passkeys created on one operating system or credential manager are largely bound to those environments. A passkey created on a Mac, for instance, can sync easily enough with other Apple devices connected to the same iCloud account. Transferring them to a Windows device or even a dedicated credential manager installed on the same Apple device has been impossible.
That limitation has led to criticisms that passkeys are a power play by large companies to lock users into specific product ecosystems. Users have also rightly worried that the lack of transferability increases the risk of getting locked out of important accounts if a device storing passkeys is lost, stolen, or destroyed.

Facebook Now Supports Passkeys, and You Should Probably Use Them
Passkeys combine the convenience of a password with the security of 2FA. Unlike passwords, you don't choose a series of words, characters, or numbers to enter each time you want to log into your account. Instead, you set up a passkey with your device itself, like your smartphone. When you need to authenticate yourself, you do so on your device, through a face scan, fingerprint scan, or PIN. Your device then confirms your identity with the account holder in question, which then lets you into your account.
Since there's no password or phrase, passkeys are effectively phishing-proof: Hackers can't trick you into sharing your password with them, since there's nothing to share, and you won't need to worry about Meta losing your passkeys in a data breach. 2FA can also prevent bad actors from breaking into your account if they know your password, but even 2FA is susceptible to phishing. Since most 2FA uses a numeric code, hackers may convince you to send the code to them. Without the device tied to the passkey, however, hackers are out of luck.

Microsoft 365 brings the shutters down on legacy protocols
MC1097272 – warned that the default settings in Microsoft 365 would be updated starting in mid-July 2025 through to August to "enhance security by blocking legacy authentication protocols and requiring admin consent for third-party app access."
• Legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol.
• FrontPage Remote Procedure Call (RPC) protocol.
• Third-party apps will need administrator consent to access files and sites.

Windows Hello face unlock no longer works in the dark, and Microsoft says it's not a bug
A recent Windows update has changed how Windows Hello face unlock works, now requiring a color camera in addition to IR sensors to authenticate you.
Curiously, users online have discovered that if you disable your webcam in the Windows Device Manager, Windows Hello will return to authenticating only with the IR sensors, restoring the ability to log into your PC in a dark room. But obviously, disabling your webcam does mean you can no longer use it for video calls.

Kali Linux 2025.2 released with 13 new tools, car hacking updates
Kali Linux 2025.2, the second release of the year, is now available for download with 13 new tools and an expanded car hacking toolkit.
Kali Linux 2025.2 also introduces wireless injection, de-authentication, and WPA2 handshake capture support for the first smartwatch, the TicWatch Pro 3 (all variants with bcm43436b0 chipset).

Salesforce study finds LLM agents flunk CRM and confidentiality tests
Using a new benchmark relying on synthetic data, LLM agents achieve around a 58 percent success rate on tasks that can be completed in a single step without needing follow-up actions or more information.
Using the benchmark tool CRMArena-Pro, the team also showed performance of LLM agents drops to 35 percent when a task requires multiple steps.
Another cause for concern is highlighted in the LLM agents' handling of confidential information. Agents demonstrate low confidentiality awareness, which, while improvable through targeted prompting, often negatively impacts task performance.
The findings might worry both developers and users of LLM-powered AI agents. Salesforce co-founder and CEO Marc Benioff told investors last year that AI agents represented "a very high margin opportunity" for the SaaS CRM vendor as it takes a share in efficiency savings accrued by customers using AI agents to help get more work out of each employee.
AI agents might well be useful, however, organizations should be wary of banking on any benefits before they are proven.

Salesforce adds AI to everything, jacks up prices by 6%
Salesforce is raising prices for a bunch of its products and claims that increasing integration with AI justifies the increased bills, even after one of its own researchers recently said that AI agents are often underdelivered on basic CRM tasks.

Boffins devise voice-altering tech to jam 'vishing' schemes
Voice-based phishing is becoming harder to detect as AI models get better.
ASRJam is a speech recognition jamming system that uses a sound modification algorithm called EchoGuard to apply natural audio perturbations to the voice of a person speaking on the phone. It's capable of subtly distorting human speech in a way that baffles most speech recognition systems but not human listeners.
“We propose a proactive defense framework based on universal adversarial perturbations, carefully crafted noise added to the audio signal that confuses ASR systems while leaving human comprehension intact."

New GitHub Copilot limits push AI users to pricier tiers
A premium request involves features that require more processing power, specifically Copilot Chat, Copilot coding agent, Agent mode in Copilot Chat, Copilot code review, Copilot Extensions, and Copilot Spaces.
How fast you use up your allotment of premium requests will vary based on the underlying AI model's multiplier. For example, GPT-4.5 has a premium request multiplier of 50x, so using it for Copilot code review would burn through your monthly allotment five times more quickly than using Claude Opus 4 (10x), and 200 times faster than using Google Gemini 2.0 Flash (0.25x). The monthly allotment of premium requests varies by plan: Pro (300 per month), Pro+ (1,500 per month), Business (300 per user per month), and Enterprise (1,000 per user per month). Copilot paid users may continue making premium requests beyond their monthly allotments by opting into metered billing, which starts at $0.04 per request.
The latest change follows GitHub's introduction of a free tier last December that offers 2,000 code completions and 50 premium requests per month.

Google’s frighteningly good Veo 3 AI videos to be integrated with YouTube Shorts
Veo 3 probably won't be cheap for Shorts creators. Currently, you must pay for Google's $250 AI Ultra plan to access Veo 3, and that still limits you to 125 8-second videos per month.

Scientists once hoarded pre-nuclear steel; now we’re hoarding pre-AI content
Former Cloudflare executive John Graham-Cumming recently announced that he launched a website, lowbackgroundsteel[.]ai, that treats pre-AI, human-created content like a precious commodity—a time capsule of organic creative expression from a time before machines joined the conversation. "The idea is to point to sources of text, images and video that were created prior to the explosion of AI-generated content." The reason? To preserve what made non-AI media uniquely human.
ChatGPT in particular triggered an avalanche of AI-generated text across the web, forcing at least one research project to shut down entirely. That casualty was wordfreq, a Python library created by researcher Robyn Speer that tracked word frequency usage across more than 40 languages by analyzing millions of sources, including Wikipedia, movie subtitles, news articles, and social media. The tool was widely used by academics and developers to study how language evolves and to build natural language processing applications. The project announced in September 2024 that it will no longer be updated because "the Web at large is full of slop generated by large language models, written by no one to communicate nothing." Some researchers also worry about AI models training on their own outputs, potentially leading to quality degradation over time—a phenomenon sometimes called "model collapse."
[rG: Those old paper printed books – might become valuable in a future where even digital versions are compromised.]

LEGAL & REGULATORY

23andMe hit with £2.3M fine after exposing genetic data of millions
The UK's data watchdog is fining beleaguered DNA testing outfit 23andMe £2.31 million ($3.13 million) over its 2023 mega breach.
Among the various security failings demonstrated by the genetics company were:
• Unsatisfactory authentication measures, including lack of mandatory MFA and unsecure password requirements
• No measures taken to prevent accessing and downloading raw genetic data
• No measures to adequately monitor, detect, or respond to security threats to user data
The ICO went on to note the five-month gap between the attacker's credential-stuffing activity, which began in April 2023, and 23andMe finally acknowledging the attack publicly in October that year.

AI Therapy Bots Are Conducting 'Illegal Behavior,' Digital Rights Organizations Say
Almost two dozen digital rights and consumer protection organizations sent a complaint to the Federal Trade Commission on Thursday urging regulators to investigate Character[.]AI and Meta’s “unlicensed practice of medicine facilitated by their product,” through therapy-themed bots that claim to have credentials and confidentiality “with inadequate controls and disclosures.”

‘One Big Beautiful Bill’ could block AI regulations for 10 years, leaving its harms unchecked
State lawmakers have filed hundreds of bills to address artificial intelligence’s potential harms for child safety, learning, elections and more. Those laws wouldn’t be possible for 10 years under the massive policy bill moving through Congress. The Trump-backed tax and spending bill reached the Senate with a 450-word section prohibiting states from enforcing any law or regulation limiting or restricting AI for the next 10 years. Lawmakers who support the provision said that a patchwork of state laws stifle innovation, and get in the way of U.S. competition with China.
Sam Altman, CEO of U.S.-based Open AI, lauded the competition in January. In May, he said it is difficult for his company to figure out “how to comply with 50 different sets of regulations.”
Established under the 2021 Infrastructure Investment and Jobs Act, the $42 billion Broadband, Equity, Access and Deployment program, or BEAD represents the largest federal broadband investment to date and provides 56 states and territories with grants to help people access broadband in “communities of color, lower-income areas and rural areas.” States that refuse to impose a moratorium will not get those dollars. The change could leave states in an uncomfortable dilemma, choosing between broadband dollars and the power to protect their constituents from AI harm.

U.S. student visa interviews resume worldwide: What the new Social Media rule means
Per new rule, the consular officers will have to check all social media platforms used by student visa applicants over the past five years. These include F-1 academic visas, M-1 vocational visas, and J-1 exchange visitor visas.
If someone attempts to delete, hide or restrict access to social media content may raise red flags during the visa review process.
Not only this, even deleted or edited content may be captured in screenshots for further evaluation. As per the guidance, all social media handles, including the ones which are no longer in use, will have to be mentioned.

Austrian government agrees on plan to allow monitoring of secure messaging
Because Austria lacks a legal framework for monitoring messaging services like WhatsApp, its main domestic intelligence service and police rely on allies with far more sweeping powers like Britain and the United States alerting them to chatter about planned attacks and spying. That kind of tip-off led to police unravelling what they say was a planned attack on a Taylor Swift concert in Vienna, which prompted the cancellation of all three of her planned shows there in August of last year.
Under the new system, monitoring of a person's messaging must be approved by a three-judge panel and should only apply to a limited number of cases. It is only expected to be used on 25-30 people a year. If it is more than 30, a report must be sent to a parliamentary committee, the government said, addressing concerns about mass surveillance and the infringement of people's privacy.