Authorities in the Netherlands announced the dismantling of a botnet that included more than 17 million devices. The network was managed by 200 servers, according to a joint operation by the police and the National Cyber Security Center (NCSC). The action was made public on Thursday.

The investigation began after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands, the NCSC stated. Police subsequently seized several botnet servers from a hosting provider for further investigation.

The botnet was taken offline by the provider because it was used for criminal purposes, the NCSC explained. The scale of the botnet, with millions of compromised devices, highlights the ongoing threat of such networks for cybercrime activities.

The NCSC did not disclose the specific criminal activities the botnet was used for, but botnets are commonly employed for distributed denial-of-service attacks, spam campaigns, and credential theft. The dismantling disrupts the infrastructure that enabled these operations.

No arrests have been reported in connection with the takedown. The authorities continue to analyze the seized servers to understand the full scope of the botnet's operations and identify those responsible.

The operation underscores the importance of collaboration between security researchers and law enforcement. The NCSC encouraged other researchers to report similar threats to help protect digital infrastructure.

Details about the hosting provider or the specific malware used to compromise the devices were not released. The NCSC advised device owners to keep their software updated and use strong passwords to prevent their devices from being enlisted in botnets.

The takedown represents a significant blow to cybercriminal infrastructure, but the NCSC warned that similar networks may still be active. The agency continues to monitor the threat landscape and coordinate with international partners.

A senior US lawmaker has issued a stark warning against the adtech industry, labeling it a national security threat after reports emerged that military personnel were tracked using location data. Senator Ron Wyden, a prominent privacy advocate, stated that the incident underscores the urgent need for stricter regulations on data collection and sharing practices. The senator's comments came in response to a report detailing how commercial data brokers sold location information that could be used to identify and target US troops stationed abroad.

The report, published by the nonprofit organization Tech Inquiry, revealed that data from popular apps and advertising networks was aggregated and sold to entities that could potentially exploit it. The data included precise geolocation information from devices used by military personnel, allowing for the tracking of their movements and routines. This information, the report noted, could be accessed by foreign adversaries or malicious actors seeking to harm US service members.

Senator Wyden, who chairs the Senate Finance Committee, emphasized that the adtech industry's business model poses a direct threat to national security. He called for immediate action to curb the unfettered collection and sale of personal data, particularly location information. Wyden has long advocated for comprehensive privacy legislation, including the introduction of the Fourth Amendment Is Not For Sale Act, which would prohibit law enforcement and intelligence agencies from purchasing data that would otherwise require a warrant.

The report highlighted several instances where location data from military bases and personnel was available for purchase through data brokers. In one case, data from a fitness tracking app revealed the locations of US military personnel in sensitive areas. The findings have reignited debates about the lack of federal privacy laws in the United States, which allow data brokers to collect and sell personal information with minimal oversight.

Industry representatives have pushed back against the characterization of adtech as a national security threat, arguing that data collection is conducted with user consent and is essential for the digital economy. However, privacy advocates and lawmakers contend that the current system fails to protect individuals, especially those in vulnerable positions such as military personnel. The Federal Trade Commission has also taken steps to address data privacy concerns, including recent actions against data brokers for selling location data without proper safeguards.

The issue has drawn bipartisan attention, with several lawmakers expressing concern over the potential misuse of personal data. In addition to Senator Wyden, other members of Congress have introduced bills aimed at restricting data collection and enhancing consumer privacy protections. The debate is expected to intensify as the 2024 election cycle approaches, with privacy emerging as a key issue for voters.

As of now, no specific legislation has been passed to address the concerns raised by the report. Senator Wyden has vowed to continue pushing for reforms, stating that the adtech industry must be held accountable for its role in compromising national security. The report's findings are likely to fuel further investigations and calls for action from both Congress and regulatory agencies.

A security lapse at Pay Tel, a company providing pay phone services to prisons, exposed over 300,000 callers' driver's licenses and inmate communications. The breach was discovered by security researchers who found the data publicly accessible on the internet. The exposed information included sensitive identification documents and recorded conversations between inmates and their contacts.

The researchers reported the vulnerability to Pay Tel, which subsequently secured the exposed data. The incident highlights ongoing concerns about the security of communication systems used in correctional facilities. Pay Tel's services are widely used across the United States, allowing inmates to make calls to family and legal representatives.

The leaked data contained high-resolution images of driver's licenses, revealing personal details such as names, addresses, dates of birth, and identification numbers. Additionally, recordings of inmate calls were accessible, raising privacy and legal issues. The researchers noted that the data was stored on an unsecured server without password protection.

Pay Tel has not disclosed how long the data was exposed or whether any unauthorized parties accessed it. The company stated that it takes security seriously and has implemented measures to prevent future incidents. However, the breach underscores the risks associated with third-party services handling sensitive information in the prison system.

The researchers who discovered the leak emphasized the potential for misuse, including identity theft and harassment. They also pointed out that inmates and their families often have limited choices for communication services, making them vulnerable to such security failures. The incident has prompted calls for stricter oversight of prison communication providers.

Pay Tel operates in multiple states, providing phone services to inmates. The company has faced criticism in the past for high call rates and fees. This security lapse adds to the scrutiny of its operations. The exposed data has been taken offline, but affected individuals may face long-term risks from the exposure of their personal information.

The researchers recommended that Pay Tel notify affected individuals and offer credit monitoring services. They also urged the company to conduct a thorough security audit. The incident serves as a reminder of the importance of data protection in specialized service sectors like prison communications.

Pay Tel has not announced any plans to compensate affected callers. The company's response has been limited to securing the server and stating that it is reviewing its security protocols. The breach was reported to relevant authorities, though it remains unclear if any regulatory action will follow.

As of now, Pay Tel has not provided a timeline for when the data was first exposed or how long it remained accessible. The researchers discovered the leak in early 2025 and reported it promptly. The company acted to close the vulnerability after being notified, but the full extent of any potential data misuse remains unknown.

California Attorney General Rob Bonta announced a lawsuit against genetic testing company 23andMe on Friday. The legal action stems from a 2023 data breach that compromised the personal information of approximately 7 million users. Bonta's office alleges that 23andMe failed to adequately protect sensitive user data, violating state consumer protection and privacy laws.

The breach, which came to light in October 2023, involved attackers gaining access to user profiles through credential stuffing attacks. The stolen data included names, birth years, ancestry information, and in some cases, health-related genetic data. The information was subsequently listed for sale on dark web marketplaces, raising concerns about identity theft and privacy violations.

According to the complaint, 23andMe did not implement sufficient security measures to prevent such attacks. The lawsuit claims the company neglected to enforce multi-factor authentication or adequately monitor for suspicious login attempts. Bonta stated that the company's actions demonstrated a disregard for user privacy and security obligations under California law.

The lawsuit seeks civil penalties and injunctive relief to compel 23andMe to strengthen its data security practices. California's Consumer Privacy Act and the state's Unfair Competition Law are cited as the legal basis for the action. Bonta emphasized that companies handling sensitive genetic data must uphold the highest standards of protection.

23andMe responded to the lawsuit by stating that it cooperated with law enforcement during the breach investigation. The company noted that it has since implemented additional security measures, including mandatory password resets and enhanced monitoring. However, the attorney general's office argued that these steps came too late for the millions of affected users.

The breach has broader implications for the genetic testing industry, which collects highly personal and immutable data. Privacy advocates have long warned about the risks of storing such information, as genetic data cannot be changed like a password. The lawsuit could set a precedent for how companies must safeguard biometric and genetic information.

23andMe faces similar legal challenges from class-action lawsuits filed by affected users. The company has also been under scrutiny from federal regulators, including the Federal Trade Commission. The California lawsuit adds to mounting pressure on the company to overhaul its data security practices.

A court date has not yet been set for the case. The attorney general's office is seeking an order requiring 23andMe to implement comprehensive security protocols and to pay restitution to affected consumers. The outcome of this lawsuit could influence future data protection regulations for companies handling sensitive personal data.