United Kingdom

China 'Stole Vast Amounts' of Classified UK Documents, Officials Say (thetimes.com) 31

Boris Johnson's former adviser claims that China infiltrated a key UK government data-transfer network for years, compromising highly classified materials and prompting a Whitehall cover-up that prioritized Chinese investment over national security. The Times reports: Dominic Cummings, who served as a senior adviser to Boris Johnson, said that he and the then prime minister were informed about the breach in 2020 but that there had subsequently been a cover-up. He said he was warned at the time that disclosing some specific details of the breach would be a criminal offence. He claimed that the breach included some "Strap" material, which is the government term for the highest level of classified information.

The breach, which was confirmed by two other senior Whitehall sources, was said to have been connected to a Chinese-owned company involved in Britain's critical national infrastructure. Tom Tugendhat, a former Tory security minister, supported Cummings's account. Cummings said that he and Johnson were informed of the breach in the "bunker" of No 10 -- a reference to the secure room in Downing Street.

He told The Times: "The cabinet secretary said, 'We have to explain something; there's been a serious problem', and he talked through what this was. "And it was so bizarre that, not just Boris, a few people in the room were looking around like this -- 'Am I somehow misunderstanding what he's saying? Because it sounds f***ing crazy.'" He added: "What I'm saying is that some Strap stuff was compromised and vast amounts of data classified as extremely secret and extremely dangerous for any foreign entity to control was compromised. "Material from intelligence services. Material from the National Security Secretariat in the Cabinet Office. Things the government has to keep secret. If they're not secret, then there are very, very serious implications for it."

AI

Are AI Agents Compromised By Design? 38

Longtime Slashdot reader Gadi Evron writes: Bruce Schneier and Barath Raghavan say agentic AI is already broken at the core. In their IEEE Security & Privacy essay, they argue that AI agents run on untrusted data, use unverified tools, and make decisions in hostile environments. Every part of the OODA loop (observe, orient, decide, act) is open to attack. Prompt injection, data poisoning, and tool misuse corrupt the system from the inside. The model's strength, treating all input as equal, also makes it exploitable. They call this the AI security trilemma: fast, smart, or secure. Pick two. Integrity isn't a feature you bolt on later. It has to be built in from the start. "Computer security has evolved over the decades," the authors wrote. "We addressed availability despite failures through replication and decentralization. We addressed confidentiality despite breaches using authenticated encryption. Now we need to address integrity despite corruption."

"Trustworthy AI agents require integrity because we can't build reliable systems on unreliable foundations. The question isn't whether we can add integrity to AI but whether the architecture permits integrity at all."

AI

Lawyer Caught Using AI While Explaining to Court Why He Used AI (404media.co) 39

An anonymous reader shares a report: An attorney in a New York Supreme Court commercial case got caught using AI in his filings, and then got caught using AI again in the brief where he had to explain why he used AI, according to court documents filed earlier this month.

New York Supreme Court Judge Joel Cohen wrote in a decision granting the plaintiff's attorneys' request for sanctions that the defendant's counsel, Michael Fourte's law offices, not only submitted AI-hallucinated citations and quotations in the summary judgment brief that led to the filing of the plaintiff's motion for sanctions, but also included "multiple new AI-hallucinated citations and quotations" in the process of opposing the motion.

"In other words," the judge wrote, "counsel relied upon unvetted AI -- in his telling, via inadequately supervised colleagues -- to defend his use of unvetted AI."

The case itself centers on a dispute between family members and a defaulted loan. The details of the case involve a fairly run-of-the-mill domestic money beef, but Fourte's office allegedly using AI that generated fake citations, and then inserting nonexistent citations into the opposition brief, has become the bigger story.

Communications

Satellites Are Leaking the World's Secrets: Calls, Texts, Military and Corporate Data (wired.com) 21

Researchers at UC San Diego and the University of Maryland have found that roughly half of geostationary satellite signals transmit sensitive data without encryption. The team spent three years using an $800 satellite receiver on a university rooftop in San Diego to intercept communications from satellites visible from their location. They collected phone calls and text messages from more than 2,700 T-Mobile users in just nine hours of recording.

The researchers also obtained data from airline passengers using in-flight Wi-Fi, communications from electric utilities and offshore oil and gas platforms, and US and Mexican military communications that revealed personnel locations and equipment details. The exposed data resulted from telecommunications companies using satellites to relay signals from remote cell towers to their core networks.

The researchers examined only about 15% of global satellite transponder communications and presented their findings at an Association for Computing Machinery conference in Taiwan this week. Most companies warned by the researchers have encrypted their satellite transmissions, but some US critical infrastructure owners have not yet added encryption.

Privacy

ShinyHunters Leak Alleged Data From Qantas, Vietnam Airlines and Other Major Firms (hackread.com) 14

schwit1 shares a report from Hackread: On October 3, 2025, Hackread.com published an in-depth report in which hackers claimed to have stolen 989 million records from 39 major companies worldwide by exploiting a Salesforce vulnerability. The group demanded that Salesforce and the affected firms enter negotiations before October 10, 2025, warning that if their demands were ignored, they would release the entire dataset. The hackers, identifying themselves as "Scattered Lapsus$ Hunters," a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters, have now published data allegedly belonging to 6 of the 39 targeted companies.

The companies named in the leak are as follows: Fujifilm, GAP, INC., Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons Companies, Inc. In all 6 leaks, the records contain personal details of customers and businesses, including email addresses, full names, addresses, passport numbers and phone numbers.

The hackers said on Telegram that they will not be releasing any additional information, stating, "A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak, and obviously, the things we have cannot be leaked for obvious reasons."

Android

Android 'Pixnapping' Attack Can Capture App Data Like 2FA Codes (theregister.com) 17

An anonymous reader quotes a report from The Register: Security researchers have resurrected a 12-year-old data-stealing attack on web browsers to pilfer sensitive info from Android devices. The attack, dubbed Pixnapping, has yet to be mitigated. Conceptually, it's the equivalent of a malicious Android app being able to screenshot other apps or websites. It allows a malicious Android application to access and leak information displayed in other Android apps or on websites. It can, for example, steal data displayed in apps like Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). It can even steal 2FA codes from Google Authenticator.

"First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering," explained [Alan Wang, a PhD candidate at UC Berkeley]. "Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content."

The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say.

The researchers detail the attack in a paper (PDF) titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age."

The Internet

Major US Online Retailers Remove Listings For Millions of Prohibited Chinese Electronics 70

The FCC has forced major U.S. online retailers to remove millions of listings for prohibited Chinese-made electronics, including products from Huawei, ZTE, Hikvision, and Dahua, citing national security risks. Reuters reports: FCC Chair Brendan Carr said in an interview [on Friday] that the items removed are either on a U.S. list of barred equipment or were not authorized by the agency, including items like home security cameras and smart watches from companies including Huawei, Hangzhou Hikvision, ZTE, and Dahua Technology Company. Carr said companies are putting new processes in place to prevent future prohibited items as a result of FCC oversight. "We're going to keep our efforts up," Carr said. The FCC issued a new national security notice reminding companies of prohibited items including video surveillance equipment. Carr said the items could allow China to "surveil Americans, disrupt communications networks and otherwise threaten U.S. national security."

United Kingdom

Britain Issues First Online Safety Fine To US Website 4chan (reuters.com) 127

An anonymous reader quotes a report from Reuters: Britain said on Monday it had issued U.S. internet forum site 4chan with a $26,644 fine for failing to provide information about the risk of illegal content on its service, marking the first penalty under the new online safety regime. Media regulator Ofcom said 4chan had not responded to its request for a copy of its illegal harms risk assessment nor a second request relating to its qualifying worldwide. Ofcom said it would take action against any service which "flagrantly fails to engage with Ofcom and their duties under the Online Safety Act" and they should expect to face penalties.

The act, which is designed to protect children and vulnerable users from illegal content online, has caused tension between U.S. tech companies and Britain. Critics of the law have said it threatens free speech and targets U.S. companies. Technology minister Liz Kendall said the government "fully backed" Ofcom in taking action. "This fine is a clear warning to those who fail to remove illegal content or protect children from harmful material," she said.

4chan and Kiwi Farms filed a lawsuit in the United States against Ofcom in August, arguing that the threats and fines issued by the regulator "constitute foreign judgements that would restrict speech under U.S. law." The lawsuit claims that both entities are entirely based in the U.S., have no operations in the U.K., and therefore are not subject to its local laws.

Government

Dutch Government Takes Control of China-Owned Chipmaker Nexperia (reuters.com) 38

"Dutch authorities have temporarily nationalized Nexperia, owned by Chinese company Wingtech, over fears of critical product unavailability," writes longtime Slashdot reader evil_aaronm. Reuters reports: The Hague invoked never-before-used powers under a Dutch law known as the "Availability of Goods Act." The decision led to a 10% fall in Wingtech's shares in Shanghai on Monday. The Dutch government will not take ownership of Nexperia, but it will now have the power to reverse or block management decisions it considers harmful. The company's regular production is continuing. [...] Wingtech called the Dutch government's intervention in Nexperia, once part of Dutch electronics group Philips, "excessive interference driven by geopolitical bias." Wingtech also alleged that non-Chinese Nexperia executives had tried to forcibly alter the company's equity structure through legal proceedings in a "cloaked power grab" on the company.

A copy of an Amsterdam commercial court ruling dated October 7 and seen by Reuters showed that the court decided on October 1 to suspend Wingtech CEO Zhang Xuezheng from his position as executive director at Nexperia after finding "well founded reasons to doubt" the company was pursuing correct management policy or actions under Dutch civil law. It appointed Dutch businessman Guido Dierick to take Zhang's position with a "deciding vote", and transferred control of almost all of Nexperia's shares to a Dutch lawyer for management. The Dutch state and the company's labour council had supported the moves, the document showed. [...]

In its statement, the Dutch government said that administrative problems at Nexperia posed a threat to the company's "crucial technological knowledge" without elaborating. "The loss of these capabilities could pose a risk to Dutch and European economic security," it said. Nexperia is one of the world's largest makers of simple computer chips such as diodes and transistors, though it also develops more advanced technologies such as "wide gap" semiconductors used in electrical settings and useful for electric cars, chargers and AI data centres. Wingtech said in a filing to the Shanghai stock exchange on Monday that its control over Nexperia would be temporarily restricted due to the Dutch order and court rulings, affecting decision making and operational efficiency.

Electronic Frontier Foundation

California 'Privacy Protection Agency' Targets Tractor Supply's Tricky Tracking (eff.org) 19

California's Privacy Protection Agency "issued a record fine earlier this month to Tractor Supply," according to an EFF Deeplinks blog post — for "apparently ducking its responsibilities under the California Consumer Privacy Act." Under that law, companies are required to respect California customers' and job applicants' rights to know, delete, and correct information that businesses collect about them, and to opt-out of some types of sharing and use. The law also requires companies to give notice of these rights, along with other information, to customers, job applicants, and others. The CPPA said that Tractor Supply failed several of these requirements. This is the first time the agency has enforced this data privacy law to protect job applicants...

Tractor Supply, which has 2,500 stores in 49 states, will pay for their actions to the tune of $1,350,000 — the largest fine the agency has issued to date. Specifically, the agency said, Tractor Supply violated the law by:

- Failing to maintain a privacy policy that notified consumers of their rights;

- Failing to notify California job applicants of their privacy rights and how to exercise them;

- Failing to provide consumers with an effective mechanism to opt-out of the selling and sharing of their personal information, including through opt-out preference signals such as Global Privacy Control; and

- Disclosing personal information to other companies without entering into contracts that contain privacy protections.


In addition to the fine, the company also must take an inventory of its digital properties and tracking technologies and will have to certify its compliance with the California privacy law for the next four years.

The agency's web site says it "continues to actively enforce California's cutting-edge privacy laws." It's recently issued decisions (and fines) against American Honda Motor Company and clothing retailer Todd Snyder. Other recent actions include:
  • Securing a settlement agreement requiring data broker Background Alert — which promoted its ability to dig up "scary" amounts of information about people — to shut down or pay a steep fine.
  • Partnering with the data protection authorities in Korea, France, and the United Kingdom to share information and advance privacy protections for Californians.

Encryption

Cryptologist DJB Alleges NSA is Pushing an End to Backup Algorithms for Post-Quantum Cryptography (cr.yp.to) 38

Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.

Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.

This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."

He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.

Privacy

New California Privacy Law Will Require Chrome/Edge/Safari to Offer Easy Opt-Outs for Data Sharing (9to5mac.com) 45

"California Governor Gavin Newsom signed the 'California Opt Me Out Act', which will require web browsers to include an easy, universal way for users to opt out of data collection and sales," reports the blog 9to5Mac: [The law] requires browsers to provide a clear, one-click mechanism for Californians to opt out of data sharing across websites. The bill reads: "A business shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser...." Californians will need patience, though, as the law doesn't take effect until January 1, 2027.

Americans in some states — including California, Texas, Colorado, New Jersey and Maryland — "have the option to make those opt-out demands automatic whenever they surf the web," reports the Washington Post. "But they can only do so if they use small browsers that voluntarily offer that option, such as DuckDuckGo, Firefox and Brave. What's new in California's law is that all browsers must give people the same option." That means soon in California, just using Google's Chrome, Apple's Safari and Microsoft's Edge can command companies not to sell your data or pass it along for ad targeting... It's an imperfect but potent and simple way to flex privacy rights — and becomes even more powerful with another simple privacy measure in California. Starting on January 1, California residents can fill out an online form once to completely and repeatedly wipe their data from hundreds of data brokers that package your personal information for sale.

But their article also suggests other ways readers can "try a one-click privacy option now."
  • "[S]ome national companies respect one-click privacy opt-out requests from everyone... This happens automatically if you use DuckDuckGo and Brave. You need to change a setting with Firefox."
  • "Download Privacy Badger: The software from the Electronic Frontier Foundation, a consumer privacy advocacy group, works in the background to order websites not to sell information they're collecting about you."
  • "Use Permission Slip from Consumer Reports. Give the app basic information, and it will help you do much of the legwork to tell companies not to sell your information or to delete it, if you have the right to do so."
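Both the Tractor Supply decision above (which faulted the company for ignoring opt-out preference signals such as Global Privacy Control) and the California browser law turn on the same mechanism: the browser sends a signal, and the business must treat it as an opt-out of selling or sharing. The following is an added example of the business side, written for this page and not taken from the article, the CPPA, EFF, or any browser vendor. It assumes the Global Privacy Control conventions of a `Sec-GPC: 1` request header (the browser-side counterpart is `navigator.globalPrivacyControl`) and a `/.well-known/gpc.json` document in which a site states whether it honors the signal; the cookie names, the site's policy of what counts as "selling or sharing", the account store and the sample requests are all hypothetical and constructed here.

```python
"""Server-side honoring of an opt-out preference signal (Global Privacy Control).

Constructed example; not code from the article, the CPPA, EFF or a browser vendor.
Real GPC conventions used: the `Sec-GPC: 1` request header and the
`/.well-known/gpc.json` document. Everything else (cookie names, policy,
sample requests) is hypothetical.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical cookies that would amount to "selling or sharing" personal
# information (an advertising identifier, a partner cookie sync). A plain
# first-party session cookie is not affected by an opt-out.
SALE_SHARE_COOKIES = {"ad_id", "partner_sync"}


@dataclass
class Decision:
    opt_out: bool                      # whether this request is treated as an opt-out
    reason: str                        # which signal produced the decision
    set_cookies: list = field(default_factory=list)    # cookies the response may set
    clear_cookies: list = field(default_factory=list)  # cookies the response must expire


def gpc_signal_present(headers: dict) -> bool:
    """True only for a well-formed `Sec-GPC: 1` header.

    HTTP header names are case-insensitive, so the lookup is too. The GPC spec
    defines only the value "1"; anything else ("0", "true", "") is not an
    opt-out, and the code must not guess at the user's intent from it.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(headers: dict, request_cookies: dict, wanted_cookies: list,
           opted_out_accounts: set, account: Optional[str] = None) -> Decision:
    """Decide which cookies a response may set for one request.

    An opt-out comes either from the browser signal or from a preference
    already stored for the account (for example one made through a web
    form). When the browser signal arrives for a logged-in user, the
    preference is persisted so it also covers later requests from another
    browser that sends no signal.
    """
    signal = gpc_signal_present(headers)
    if signal and account is not None:
        opted_out_accounts.add(account)
    stored = account is not None and account in opted_out_accounts
    opt_out = signal or stored
    if signal:
        reason = "Sec-GPC header"
    elif stored:
        reason = "stored account preference"
    else:
        reason = "no opt-out signal"
    # Never set a sale/share cookie for an opted-out visitor ...
    allowed = [c for c in wanted_cookies if not (opt_out and c in SALE_SHARE_COOKIES)]
    # ... and expire any such cookie they still carry from an earlier visit.
    to_clear = sorted(c for c in request_cookies if opt_out and c in SALE_SHARE_COOKIES)
    return Decision(opt_out, reason, allowed, to_clear)


def well_known_gpc(honors: bool, last_update: str) -> str:
    """Body for /.well-known/gpc.json, where a site states whether it honors GPC."""
    return json.dumps({"gpc": honors, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    accounts: set = set()
    with_signal = decide({"Host": "shop.example", "Sec-GPC": "1"},
                         {"session": "abc", "ad_id": "xyz"},
                         ["session", "ad_id", "partner_sync"], accounts, account="u42")
    other_browser = decide({"Host": "shop.example"}, {},
                           ["session", "ad_id"], accounts, account="u42")
    not_an_optout = decide({"Host": "shop.example", "sec-gpc": "0"}, {},
                           ["session", "ad_id"], accounts)
    for d in (with_signal, other_browser, not_an_optout):
        print(d)
    print(well_known_gpc(True, "2025-10-15"))  # date is a constructed placeholder
```

The two checks worth keeping from this sketch are that only the exact value `1` is an opt-out, and that an opt-out both blocks new sale/share cookies and clears existing ones; a handler that merely stops setting new cookies leaves the earlier identifier in place and keeps "sharing" through it.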

Microsoft

Microsoft's OneDrive Begins Testing Face-Recognizing AI for Photos (for Some Preview Users) (microsoft.com) 62

I uploaded a photo on my phone to Microsoft's "OneDrive" file-hosting app — and there was a surprise waiting under Privacy and Permissions. "OneDrive uses AI to recognize faces in your photos..."

And...

"You can only turn off this setting 3 times a year."

*

If I moved the slidebar for that setting to the left (for "No"), it moved back to the right, and said "Something went wrong while updating this setting." (Apparently it's not one of those three times of the year.)

The feature is already rolling out to a limited number of users in a preview, a Microsoft publicist confirmed to Slashdot. (For the record, I don't remember signing up for this face-recognizing "preview".) But there's a link at the bottom of the screen for a "Microsoft Privacy Statement" that leads to a Microsoft support page, which says instead that "This feature is coming soon and is yet to be released." And in the next sentence it's been saying "Stay tuned for more updates" for almost two years...

A Microsoft publicist agreed to answer Slashdot's questions...

Crime

ChatGPT, iPhone History Found for Uber Driver Charged With Starting California's Palisades Fire (bbc.com) 50

"A 29-year-old man has been arrested on suspicion of starting the Pacific Palisades fire in Los Angeles that killed 12 people and destroyed more than 6,000 homes in January," reports the BBC.

"Evidence collected from Jonathan Rinderknecht's digital devices included an image he generated on ChatGPT depicting a burning city, justice department officials said." Mr Rinderknecht had been living and working in California, and moved to Florida shortly after the fire, according to authorities. The initial blaze Mr Rinderknecht allegedly started on New Year's Day was called the Lachman fire. Although it was quickly suppressed by firefighters, it continued to smoulder underground in the root structure of dense vegetation, according to investigators, before it flared up again above ground in a windstorm [nearly a week later]... He lit it with an open flame after he completed a ride as an Uber driver on New Year's Eve, according to the indictment.

Two passengers rode with Mr Rinderknecht earlier on New Year's Eve. One passenger told investigators he remembered the driver had appeared agitated and angry. Officials said they had used his phone data to pinpoint his location when the fire initially started on 1 January, but when they pressed him on details he allegedly lied to investigators, claiming he was near the bottom of the trail... The phone also showed that he repeatedly called 911 just after midnight on New Year's day, but could not get through because of patchy mobile reception on the trailhead. There was a screen recording of him trying to call emergency services and at one point being connected with a dispatcher. Mr Rinderknecht also asked ChatGPT: "Are you at fault if a fire is lift [sic] because of your cigarettes?"

Investigators said the suspect wanted to "preserve evidence of himself trying to assist in the suppression of the fire". "He wanted to create evidence regarding a more innocent explanation for the cause of the fire," the indictment said... In July 2024, five months before he allegedly set the fire, Mr Rinderknecht asked ChatGPT to create an image of a "dystopian painting" that included a burning forest and a crowd of people running away from a fire, according to investigators.

The announcement from officials suggests they retrieved data about Rinderknecht's iPhone. It says after walking up the trail Rinderknecht "listened to a rap song — to which he had listened repeatedly in previous days — whose music video included things being lit on fire."

Security

SonicWall Breach Exposes All Cloud Backup Customers' Firewall Configs (csoonline.com) 14

An anonymous reader quotes a report from CSO Online: On Sept. 17, security vendor SonicWall announced that cybercriminals had stolen backup files configured for cloud backup. At the time, the company claimed the incident was limited to "less than five percent" of its customers. Now, the firewall provider has admitted that "all customers" using the MySonicWall cloud backup feature were affected. According to the company, the stolen files contain encrypted credentials and configuration data. "[W]hile encryption remains in place, possession of these files could increase the risk of targeted attacks," SonicWall warns in its press release.

Security specialist Arctic Wolf also warns of the consequences of the incident. "Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization's network," explains Stefan Hostetler, threat intelligence researcher at Arctic Wolf. "These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates," he adds. Arctic Wolf has previously observed threat actors, including nation-state and ransomware groups, exfiltrating firewall configuration files to use for future attacks.
SonicWall urges all customers and partners to regularly check their devices for updates. Admins can find additional information here.

Privacy

NSO To Be Acquired By US Investors, Ending Israeli Control of Pegasus Maker (calcalistech.com) 23

An anonymous reader shares a report: Control of NSO Group is set to leave Israeli hands. A group of American investors led by Hollywood producer Robert Simonds has agreed to acquire the controversial spyware developer in a deal valued at several tens of millions of dollars. The transaction is expected to be signed in the coming days, though its completion will require approval from Israel's Defense Export Control Agency (DECA) at the Ministry of Defense.

Since March 2023, NSO's shares have been held by a Luxembourg-based holding company wholly owned by founder Omri Lavie. The company's lender syndicate, which had extended roughly $500 million in loans to finance a share buyback from the private equity fund Francisco Partners, transferred ownership to Lavie following the restructuring.

Social Networks

New York City Sues Social Media Companies Over 'Youth Mental Health Crisis' (gizmodo.com) 36

An anonymous reader quotes a report from Gizmodo: The City of New York is reaching across the country to sue tech giants headquartered in California over allegations that their platforms have created a youth mental health crisis. The city, along with its school districts and health department, alleges that "gross negligence" on the part of Meta, Alphabet, Snap, and ByteDance has gotten kids hooked on social media, which has created a "public nuisance" that is placing a strain on the city's resources.

In a 327-page complaint filed in the US District Court for the Southern District of New York, the city alleges that tech companies have designed their platforms in a way that seeks to "maximize the number of children" using them, and have built "algorithms that wield user data as a weapon against children and fuel the addiction machine." The city also alleges that these companies "know children and adolescents are in a developmental stage that leaves them particularly vulnerable to the addictive effects of these features," but "target them anyway, in pursuit of additional profit."

[...] It cites data from the New York City Police Department, for instance, that show at least 16 teens have died while "subway surfing" -- riding outside of a moving train -- a dangerous behavior which the lawsuit claims has been encouraged by social media trends. Two girls, ages 12 and 13, died earlier this month while subway surfing. It also cited survey data collected from New York high school students, which shows that 77.3% of the city's teens spend three or more hours per day on screens, which it claims has contributed to lost sleep and, in turn, absences from school -- corroborated by the city's school districts, which provided data to show that 36.2% of all public school students are considered chronically absent, missing at least 10% of the school year.

The Internet

Apple and Google Reluctantly Comply With Texas Age Verification Law (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Apple yesterday announced a plan to comply with a Texas age verification law and warned that changes required by the law will reduce privacy for app users. "Beginning January 1, 2026, a new state law in Texas -- SB2420 -- introduces age assurance requirements for app marketplaces and developers," Apple said yesterday in a post for developers. "While we share the goal of strengthening kids' online safety, we are concerned that SB2420 impacts the privacy of users by requiring the collection of sensitive, personally identifiable information to download any app, even if a user simply wants to check the weather or sports scores."

The Texas App Store Accountability Act requires app stores to verify users' ages and imposes restrictions on those under 18. Apple said that developers will have "to adopt new capabilities and modify behavior within their apps to meet their obligations under the law." Apple's post noted that similar laws will take effect later in 2026 in Utah and Louisiana. Google also recently announced plans for complying with the three state laws and said the new requirements reduce user privacy. "While we have user privacy and trust concerns with these new verification laws, Google Play is designing APIs, systems, and tools to help you meet your obligations," Google told developers in an undated post.

The Utah law is scheduled to take effect May 7, 2026, while the Louisiana law will take effect July 1, 2026. The Texas, Utah, and Louisiana "laws impose significant new requirements on many apps that may need to provide age appropriate experiences to users in these states," Google said. "These requirements include ingesting users' age ranges and parental approval status for significant changes from app stores and notifying app stores of significant changes."

EU

One-Man Spam Campaign Ravages EU 'Chat Control' Bill (politico.eu) 54

An anonymous reader shares a report: A website set up by an unknown Dane over the course of one weekend in August is giving a massive headache to those trying to pass a European bill aimed at stopping child sexual abuse material from spreading online.

The website, called Fight Chat Control, was set up by Joachim, a 30-year-old software engineer living in Aalborg, Denmark. He made it after learning of a new attempt to approve a European Union proposal to fight child sexual abuse material (CSAM) -- a bill seen by privacy activists as breaking encryption and leading to mass surveillance.

The site lets visitors compile a mass email warning about the bill and send it to national government officials, members of the European Parliament and others with ease. Since launching, it has broken the inboxes of MEPs and caused a stir in Brussels' corridors of power. "We are getting hundreds per day about it," said Evin Incir, a Swedish Socialists and Democrats MEP, of the email deluge.

Privacy

Discord Says 70,000 Users May Have Had Their Government IDs Leaked In Breach (theverge.com) 48

An anonymous reader quotes a report from The Verge: Discord has identified approximately 70,000 users that may have had their government ID photos exposed as part of a customer service data breach announced last week, spokesperson Nu Wexler tells The Verge. A tweet by vx-underground said that the company was being extorted over a breach of its Zendesk instance by a group claiming to have "1.5TB of age verification related photos. 2,185,151 photos." In its announcement last week, Discord said that information like names, usernames, emails, the last four digits of credit cards, and IP addresses also may have been impacted by the breach. "All affected users globally have been contacted and we continue to work closely with law enforcement, data protection authorities, and external security experts," said Wexler. "We've secured the affected systems and ended work with the compromised vendor. We take our responsibility to protect your personal data seriously and understand the concern this may cause."
