Privacy and security report showing period tracker data and cyber threat headlines

From Period Apps to State Hackers: New Privacy and Security Risks Surface Across Tech and Government

A week of privacy and security reporting revealed risky period apps, a real DHS breach, Russia attribution, and a Suno hack.

In short

A new round of reporting exposed weak privacy practices in period-tracking apps, a real DHS network breach that was twice misread as a false positive, and a major hack of AI music startup Suno. The week also brought fresh government attribution of a Russian cyberattack on Polish infrastructure and renewed pressure on AI policy.

  • Mozilla’s review found major privacy differences among period-tracking apps, with Stardust scoring worst and Euki scoring best.
  • U.S. and allied officials attributed a near-blackout cyberattack on Polish infrastructure to Russia’s FSB.
  • DHS analysts twice dismissed signs of a real HSIN breach as false positives.
  • A breach of AI music startup Suno exposed evidence of large-scale scraping and customer data.

A week of privacy and security reporting exposed how personal data, public infrastructure, and AI systems are increasingly vulnerable to misuse, surveillance, and intrusion. The most alarming findings ranged from period-tracking apps that quietly shared intimate health data to a real breach of a Department of Homeland Security information-sharing network that analysts twice mistook for a false alarm.

Other developments underscored how the digital threat landscape is widening: U.S. authorities and allied governments attributed a cyberattack on Poland’s electric infrastructure to Russia’s FSB, Reuters reported that an alleged state-linked hacker once worked for Kaspersky, and a hack of AI music startup Suno revealed both extensive data scraping and exposure of customer records.

Why this week’s privacy news matters

This week’s reporting shows the same pattern playing out across consumer apps, government systems, and AI services: sensitive data is being collected, moved, or breached in ways users often cannot see.

That matters because the harms are not abstract. They include reproductive health details flowing to third-party firms, public-sector security analysts missing signs of intrusion, and massive training datasets built from copyrighted or tightly controlled content. In each case, the core problem is visibility — or the lack of it.

What did the privacy audits find in period-tracker apps?

A Mozilla-led review of popular period-tracking apps found sharp differences in how they handled intimate health information, with one app standing out for especially aggressive data sharing and another earning a near-perfect privacy score.

How did Stardust handle user data?

Stardust, an astrology-themed period tracker, was the worst performer in the audit. Researchers found that it transmitted reproductive-health details such as birth control use, pregnancy status, moods, and symptoms to a data company that was not disclosed in its privacy policy.

According to the audit, the app also contacted third-party trackers as soon as it launched, before any information was entered. Once a user logged a symptom, the data was tied to a persistent identifier and sent to analytics company RudderStack. Because RudderStack can pass data to other destinations that outsiders cannot directly observe, the actual downstream flow may be broader than the visible connection suggests.

The app was also reported to pass an advertising identifier to Facebook, allowing in-app behavior to be linked to the platform’s existing ad profiles.

Mozilla’s findings indicate that the app shares highly sensitive reproductive and behavioral information in ways users would have little reason to expect, and with few practical controls to stop it.

Why did Euki stand out?

Euki, a nonprofit-run period tracker, was the strongest performer in the review and received a top privacy score. The app does not require an account, keeps health data on the device rather than sending it to remote servers, and offers protective features such as a PIN lock, scheduled deletion, and a decoy screen designed for situations where a user is forced to unlock the phone.

The app is not entirely free of web tracking risk. Its educational browser can load standard tracking scripts when opening online resources, though it resets identifiers between sessions.

App Privacy score Key findings Notable risks or protections
Stardust 2/10 Shared reproductive-health details with third parties and ad systems Persistent ID, third-party analytics, Facebook ad identifier
Euki 10/10 Kept health data local and minimized account-based tracking PIN lock, decoy screen, scheduled deletion
Other reviewed trackers Varied Mixed privacy practices across data collection and sharing Different combinations of trackers, accounts, and analytics

How did the San Francisco drone footage become a surveillance warning?

Hours of San Francisco Police Department drone video found publicly accessible online offered a vivid example of how granular modern surveillance can become, especially in dense urban settings.

The footage illustrates not only the operational reach of police drones but also the risks that arise when sensitive recordings are exposed on the open web. A cache of that size can reveal policing methods, public movements, and potentially identifiable information about people captured on camera.

What makes the exposure especially notable is the scale. This was not a single image or isolated clip; it was substantial footage that could help outsiders understand how local surveillance technology is being deployed in practice.

What happened with the DHS network breach?

A real breach of the Homeland Security Information Network was twice misidentified as a false alarm, raising concerns about how well federal systems can detect stealthy intrusions.

According to reporting from Nextgov/FCW, analysts at the Federal Emergency Management Agency saw signs of tampering in mid-May, including changes to files and code, a hijacked legitimate web server, and deleted logs. Those indicators were dismissed as false positives.

Weeks later, the attackers returned and were detected again. Once more, the activity was ruled benign. The breach was only later recognized as genuine.

That sequence is troubling because HSIN is used to share unclassified information across federal, state, local, and foreign partners. The data may be unclassified, but it is still described by lawmakers as highly sensitive because exposure could affect national security.

Why are “living off the land” attacks hard to spot?

These attacks are difficult to identify because they often rely on legitimate tools, credentials, or administrative features already present on a network rather than obvious malware.

That means defenders may see behavior that looks routine at first glance — until it is too late. The HSIN incident suggests that detection systems and human reviewers alike are under increasing strain as attackers blend into ordinary administrative traffic.

Why did governments blame Russia’s FSB for a Polish grid attack?

The European Union, the United Kingdom, and U.S. cyber agencies linked a cyberattack on Polish infrastructure to Center 16 of Russia’s FSB, an unusual attribution for an agency better known for espionage than disruptive sabotage.

The attack targeted systems tied to Poland’s electric grid and came close enough to affecting electricity and water utilities that Polish officials warned it nearly caused a blackout. Earlier private-sector analysis had pointed to Sandworm, the GRU-linked unit more commonly associated with aggressive infrastructure attacks, but Polish responders disputed that conclusion at the time.

The broader government consensus now supports the Polish view that the FSB was responsible. The attribution matters because it suggests the FSB may be adopting more destructive operational tactics that were once more closely associated with military intelligence hackers.

What does this say about Russian cyber operations?

It suggests that the division between Russian intelligence agencies may be less rigid than it once seemed. The FSB has traditionally been viewed as a more surgical espionage body, while the GRU has been tied to more disruptive attacks. This incident points to a possible convergence in style and ambition.

That change raises the stakes for critical infrastructure operators in Europe and beyond, because it expands the range of Russian actors capable of affecting utilities, grids, and other essential systems.

What is the significance of the Kaspersky hiring report?

Reuters reported that a Russian man charged in Boston with hacking offenses, and alleged by U.S. prosecutors to be part of the Void Blizzard or Laundry Bear group, spent two years working at Kaspersky before moving to another company and later joining the alleged campaign.

The man, Denis Obrezko, is accused of participating in activity that stole data and communications from NATO governments and at least 11 U.S. companies. Reuters said he had also allegedly worked for the FSB before his Kaspersky employment, creating a sequence that appears to link his career to Russian intelligence circles before and after his time at the firm.

Obrezko has pleaded not guilty. Kaspersky told Reuters that the charged offenses cannot be connected to the person’s role or responsibilities while employed at the company.

Kaspersky said the allegations described in the criminal case could not be tied to the individual’s duties during his employment there.

How did Suno’s hack change the debate over AI music training?

A breach of AI music company Suno revealed internal records suggesting the startup scraped massive amounts of music and audio from services including YouTube Music, Deezer, Genius, and stock-audio libraries to train its models.

According to 404 Media, which reviewed internal materials provided by the intruder, the files pointed to more than 113,000 hours of YouTube Music audio alone, along with large quantities of other music and podcast content. The records also indicated use of proxies and specialized tools to route scraping activity and target roughly one million hours of podcasts.

Those details strengthen long-running claims from the music industry that Suno pulled content directly from YouTube, rather than relying only on licensed or openly available material.

What data was exposed in the breach?

Beyond training data, the intrusion reportedly exposed account information for hundreds of thousands of users, including email addresses, phone numbers, and payment details connected to Stripe. That widens the impact beyond copyright and licensing disputes to direct consumer privacy concerns.

The hacker said they gained access by compromising an employee through the Shai-Hulud worm, a reminder that workforce infection or account compromise can become a shortcut into valuable corporate systems.

Suno said the breach involved outdated code and did not expose sensitive personal information, but some customers whose data appeared in a shared sample told 404 Media they were never notified.

How does the AI policy debate fit into this week’s news?

Anthropic continued its push for state-level AI regulation, arguing that disclosure requirements are becoming more important as AI systems grow more capable and more widely deployed.

Cesar Fernandez, Anthropic’s head of U.S. state and local government relations, said transparency-focused laws enacted in California and New York last year were an important first step, but he argued that policy responses now need to move as quickly as the technology itself. His comments reflect a broader industry split over whether state rules should be tightened, unified, or left to evolve piecemeal.

The company’s stance is notable because it combines a safety-oriented public message with a recognition that fragmented regulation can shape how AI products are built and sold across state lines.

Timeline of the week’s major security stories

Here is a concise look at how the key developments unfolded.

Event What happened Why it matters
Period tracker audit Mozilla reviewed six apps and found major differences in privacy practices Shows how intimate health data can be monetized or protected
San Francisco drone footage exposure Police drone video was found publicly accessible online Highlights the reach and risks of urban surveillance
HSIN breach Federal analysts twice dismissed signs of intrusion as false positives Raises questions about U.S. detection and response capacity
Polish grid attribution Western governments pinned the attack on Russia’s FSB Suggests a widening set of Russian cyber operators targeting infrastructure
Suno breach Internal files pointed to extensive scraping and user data exposure Intensifies scrutiny of how AI companies build training datasets

What should users and organizations take away from this week?

The common lesson is that data governance failures are now showing up everywhere: on phones, in government platforms, in utility networks, and inside AI companies.

  • For consumers: health and wellness apps may share more data than their interfaces suggest.
  • For agencies: a breach can be real even when it looks like routine system noise.
  • For critical infrastructure operators: attribution is increasingly complex, and attackers can come from less expected parts of an adversary state.
  • For AI companies: the legality of training data collection remains a flashpoint, especially when code and records are exposed.

In different ways, each of these incidents underscores the same truth: modern digital systems often fail not because information is absent, but because too much of it is collected, hidden, shared, or ignored.

What comes next?

More disclosures are likely. App privacy reviews will continue to pressure health-tracking companies to explain where sensitive data goes. Governments facing cyberattacks will keep refining attribution and defense. And AI firms will remain under scrutiny for how they obtain the material used to train their systems.

For now, this week’s reporting offers a snapshot of the new security landscape: highly personal data, critical infrastructure, and machine-learning systems are all colliding in ways that create both commercial value and public risk.

Frequently asked questions

What did Mozilla find about period-tracking apps?

Mozilla found that period-tracking apps vary dramatically in how they handle sensitive reproductive-health data. Stardust was the worst performer, reportedly sharing intimate details with third parties, while nonprofit-run Euki kept data local, required no account, and offered stronger privacy controls.

Why is the DHS breach important?

The DHS breach is important because analysts twice dismissed real signs of intrusion as false positives. The compromised Homeland Security Information Network is used to share sensitive information across multiple levels of government, so a missed breach there raises concerns about detection and response.

What does the Suno hack reveal about AI music training?

The Suno hack appears to show that the company scraped large amounts of music, lyrics, and podcasts from multiple services to train its AI models. It also reportedly exposed customer emails, phone numbers, and payment records, turning a copyright dispute into a privacy incident as well.

Who was blamed for the attack on Poland’s infrastructure?

Western governments, including the EU, UK, and U.S. agencies, attributed the attack to Center 16 of Russia’s FSB. The incident had previously been linked by some researchers to the GRU’s Sandworm unit, but Polish officials disputed that conclusion and now see the FSB as responsible.

Why is Anthropic pushing for state AI regulation?

Anthropic is pushing for state AI regulation because it says transparency rules need to keep pace with rapidly improving AI systems. The company argues that disclosure-focused laws are a useful start, but that policy needs to evolve quickly as model capabilities and deployment grow.

Share this 🚀