Biznab

US Senator Warns Adtech Industry Is a ‘National Security Threat’ After Troops Targeted with Location Data

A US senator has declared the adtech industry a national security threat after reports that military personnel were tracked using location data. The warning follows revelations that sensitive location information was used to target troops.

Biznab Editor

A senior US lawmaker has issued a stark warning against the adtech industry, labeling it a national security threat after reports emerged that military personnel were tracked using location data. Senator Ron Wyden, a prominent privacy advocate, stated that the incident underscores the urgent need for stricter regulations on data collection and sharing practices. The senator's comments came in response to a report detailing how commercial data brokers sold location information that could be used to identify and target US troops stationed abroad.

The report, published by the nonprofit organization Tech Inquiry, revealed that data from popular apps and advertising networks was aggregated and sold to entities that could potentially exploit it. The data included precise geolocation information from devices used by military personnel, allowing for the tracking of their movements and routines. This information, the report noted, could be accessed by foreign adversaries or malicious actors seeking to harm US service members.

Senator Wyden, who chairs the Senate Finance Committee, emphasized that the adtech industry's business model poses a direct threat to national security. He called for immediate action to curb the unfettered collection and sale of personal data, particularly location information. Wyden has long advocated for comprehensive privacy legislation, including the introduction of the Fourth Amendment Is Not For Sale Act, which would prohibit law enforcement and intelligence agencies from purchasing data that would otherwise require a warrant.

The report highlighted several instances where location data from military bases and personnel was available for purchase through data brokers. In one case, data from a fitness tracking app revealed the locations of US military personnel in sensitive areas. The findings have reignited debates about the lack of federal privacy laws in the United States, which allow data brokers to collect and sell personal information with minimal oversight.

Industry representatives have pushed back against the characterization of adtech as a national security threat, arguing that data collection is conducted with user consent and is essential for the digital economy. However, privacy advocates and lawmakers contend that the current system fails to protect individuals, especially those in vulnerable positions such as military personnel. The Federal Trade Commission has also taken steps to address data privacy concerns, including recent actions against data brokers for selling location data without proper safeguards.

The issue has drawn bipartisan attention, with several lawmakers expressing concern over the potential misuse of personal data. In addition to Senator Wyden, other members of Congress have introduced bills aimed at restricting data collection and enhancing consumer privacy protections. The debate is expected to intensify as the 2024 election cycle approaches, with privacy emerging as a key issue for voters.

As of now, no specific legislation has been passed to address the concerns raised by the report. Senator Wyden has vowed to continue pushing for reforms, stating that the adtech industry must be held accountable for its role in compromising national security. The report's findings are likely to fuel further investigations and calls for action from both Congress and regulatory agencies.

Pay Tel Exposed Over 300K Driver’s Licenses in Security Lapse

Pay Tel, a prison pay phone service, left over 300,000 callers' driver's licenses and inmate communications exposed online. The data was secured after security researchers discovered the leak.

Biznab Editor

A security lapse at Pay Tel, a company providing pay phone services to prisons, exposed over 300,000 callers' driver's licenses and inmate communications. The breach was discovered by security researchers who found the data publicly accessible on the internet. The exposed information included sensitive identification documents and recorded conversations between inmates and their contacts.

The researchers reported the vulnerability to Pay Tel, which subsequently secured the exposed data. The incident highlights ongoing concerns about the security of communication systems used in correctional facilities. Pay Tel's services are widely used across the United States, allowing inmates to make calls to family and legal representatives.

The leaked data contained high-resolution images of driver's licenses, revealing personal details such as names, addresses, dates of birth, and identification numbers. Additionally, recordings of inmate calls were accessible, raising privacy and legal issues. The researchers noted that the data was stored on an unsecured server without password protection.

Pay Tel has not disclosed how long the data was exposed or whether any unauthorized parties accessed it. The company stated that it takes security seriously and has implemented measures to prevent future incidents. However, the breach underscores the risks associated with third-party services handling sensitive information in the prison system.

The researchers who discovered the leak emphasized the potential for misuse, including identity theft and harassment. They also pointed out that inmates and their families often have limited choices for communication services, making them vulnerable to such security failures. The incident has prompted calls for stricter oversight of prison communication providers.

Pay Tel operates in multiple states, providing phone services to inmates. The company has faced criticism in the past for high call rates and fees. This security lapse adds to the scrutiny of its operations. The exposed data has been taken offline, but affected individuals may face long-term risks from the exposure of their personal information.

The researchers recommended that Pay Tel notify affected individuals and offer credit monitoring services. They also urged the company to conduct a thorough security audit. The incident serves as a reminder of the importance of data protection in specialized service sectors like prison communications.

Pay Tel has not announced any plans to compensate affected callers. The company's response has been limited to securing the server and stating that it is reviewing its security protocols. The breach was reported to relevant authorities, though it remains unclear if any regulatory action will follow.

As of now, Pay Tel has not provided a timeline for when the data was first exposed or how long it remained accessible. The researchers discovered the leak in early 2025 and reported it promptly. The company acted to close the vulnerability after being notified, but the full extent of any potential data misuse remains unknown.

California Sues 23andMe Over 2023 Data Breach Affecting 7 Million Users

California Attorney General Rob Bonta filed a lawsuit against 23andMe over a 2023 data breach that exposed personal data of 7 million users. The breach led to user information being sold on the dark web.

Biznab Editor

California Attorney General Rob Bonta announced a lawsuit against genetic testing company 23andMe on Friday. The legal action stems from a 2023 data breach that compromised the personal information of approximately 7 million users. Bonta's office alleges that 23andMe failed to adequately protect sensitive user data, violating state consumer protection and privacy laws.

The breach, which came to light in October 2023, involved attackers gaining access to user profiles through credential stuffing attacks. The stolen data included names, birth years, ancestry information, and in some cases, health-related genetic data. The information was subsequently listed for sale on dark web marketplaces, raising concerns about identity theft and privacy violations.

According to the complaint, 23andMe did not implement sufficient security measures to prevent such attacks. The lawsuit claims the company neglected to enforce multi-factor authentication or adequately monitor for suspicious login attempts. Bonta stated that the company's actions demonstrated a disregard for user privacy and security obligations under California law.

The lawsuit seeks civil penalties and injunctive relief to compel 23andMe to strengthen its data security practices. California's Consumer Privacy Act and the state's Unfair Competition Law are cited as the legal basis for the action. Bonta emphasized that companies handling sensitive genetic data must uphold the highest standards of protection.

23andMe responded to the lawsuit by stating that it cooperated with law enforcement during the breach investigation. The company noted that it has since implemented additional security measures, including mandatory password resets and enhanced monitoring. However, the attorney general's office argued that these steps came too late for the millions of affected users.

The breach has broader implications for the genetic testing industry, which collects highly personal and immutable data. Privacy advocates have long warned about the risks of storing such information, as genetic data cannot be changed like a password. The lawsuit could set a precedent for how companies must safeguard biometric and genetic information.

23andMe faces similar legal challenges from class-action lawsuits filed by affected users. The company has also been under scrutiny from federal regulators, including the Federal Trade Commission. The California lawsuit adds to mounting pressure on the company to overhaul its data security practices.

A court date has not yet been set for the case. The attorney general's office is seeking an order requiring 23andMe to implement comprehensive security protocols and to pay restitution to affected consumers. The outcome of this lawsuit could influence future data protection regulations for companies handling sensitive personal data.

Fake GTA 6 files circulate online, cybersecurity experts warn

Following a GTA 6 pre-order leak, phishing scams have accelerated. Cybercriminals are distributing viruses and malware to players under the guise of early access files.

Biznab Editor

Cybersecurity researchers have detected a surge in fraudulent files claiming to be Grand Theft Auto 6 early access content. The campaign follows a recent pre-order leak that generated significant attention among gaming communities.

Attackers are distributing these malicious files through social media posts, torrent sites, and direct messages. The files often contain trojans, ransomware, or keyloggers designed to steal personal information.

Rockstar Games has not announced any official pre-order or early access program for GTA 6. The company has not announced a release date for the title, which remains in development.

Security firms advise players to avoid downloading any files labeled as GTA 6 early access. Official announcements will come only through Rockstar's verified channels.

The phishing attempts have been reported across multiple platforms, including Discord, Reddit, and YouTube. Some fake download links mimic official Rockstar websites.

Users who have downloaded suspicious files should run antivirus scans immediately. Changing passwords for gaming accounts and enabling two-factor authentication are also recommended.

Rockstar Games has not commented on the ongoing scam. The company typically issues warnings about such threats through its official support channels.

Gamers are urged to remain vigilant and rely solely on official sources for GTA 6 information. No legitimate early access files exist at this time.

New FROST Technique Lets Websites Spy on Visitors via SSD Activity

Researchers have developed a new side-channel attack called FROST that exploits solid-state drive timing to track visitors' browsing history and open applications. The technique measures subtle interactions with SSDs through the OPFS API, allowing websites to monitor other sites a user is viewing and what apps are running.

Biznab Editor

A new technique called FROST (fingerprinting remotely using OPFS-based SSD timing) enables websites to spy on visitors by analyzing subtle interactions with their solid-state drives. The method, detailed in a research paper, exploits a side channel that leaks information through physical manifestations such as the time required to complete a task. By measuring these timing variations, attackers can infer which other sites a visitor is viewing and what applications are open on their device.

The technique leverages the OPFS (Origin Private File System) API, which is designed to provide web applications with high-performance file access. Researchers discovered that the timing of SSD operations can be measured through this API, creating a side channel that reveals contention for storage resources. When multiple processes access the SSD simultaneously, the resulting delays can be detected and used to infer activity on the device.

FROST represents a significant evolution in browser-based tracking methods. For decades, websites have employed various covert techniques to track visitors, including browser fingerprinting, keystroke logging, and mouse movement analysis. Even major companies like Meta and Yandex have been caught engaging in privacy-invasive tracking. The new SSD-based approach adds another dimension to these surveillance capabilities.

The attack works by measuring the time it takes to perform read and write operations on the SSD through the OPFS API. When a user visits multiple sites or runs multiple applications, the SSD experiences contention as it handles concurrent requests. By analyzing the timing patterns of these operations, a malicious website can determine what other sites are open in the browser or what native applications are running on the system.

Researchers demonstrated that FROST can achieve high accuracy in identifying specific websites and applications. The technique does not require any special permissions or user interaction beyond visiting a webpage. It works across different browsers that support the OPFS API, including Chrome, Edge, and Opera. The attack is particularly effective on systems with NVMe SSDs, which have more predictable timing characteristics.

The discovery raises significant privacy concerns, as users have no easy way to prevent this type of tracking. Unlike cookies or browser fingerprinting, SSD timing attacks cannot be blocked by traditional privacy tools like ad blockers or anti-tracking extensions. The only mitigation currently available is to disable the OPFS API entirely, which would break legitimate web applications that rely on it.

The research paper was presented at a security conference and has been shared with browser vendors. Google and Microsoft have been notified of the vulnerability, but no patches have been released yet. The researchers recommend that users remain cautious about which websites they visit and consider using separate browser profiles for different activities to reduce the risk of cross-site tracking.

As of now, there is no easy fix for FROST. The technique exploits fundamental characteristics of SSD storage that cannot be easily changed without affecting performance. Browser vendors may need to implement timing obfuscation or limit the precision of OPFS timing measurements to mitigate the attack. Until such measures are deployed, users are advised to be aware that their SSD activity can be monitored by websites.
