By Waqas
If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed…
This is a post from HackRead.com Read the original post: HelloFresh Fined £140,000 for 80 Million Spam Messages

If you’re a HelloFresh customer, you’ll likely receive fewer marketing emails and texts due to the fine imposed by the UK’s Information Commissioner’s Office (ICO).

****_Key Points_****

*   **Customers were bombarded with unwanted emails and texts.**
*   **HelloFresh fined £140,000 for sending 80 million spam messages.**
*   **ICO found HelloFresh’s opt-in processes were misleading and confusing.**
*   **Case highlights the importance of data protection and obtaining informed consent.**

Recipe kit delivery service HelloFresh has been slapped with a hefty £140,000 fine by the UK’s Information Commissioner’s Office (ICO) for bombarding customers with a staggering 80 million spam messages.

The fine follows a year-long investigation triggered by a flood of complaints from customers who were fed up with the constant barrage of unwanted marketing emails and texts.

The ICO found that HelloFresh’s marketing practices were a clear violation of UK data protection regulations. Between August 2022 and February 2023, the company sent out a mind-boggling 79 million emails and 1 million text messages without obtaining proper consent from its customers. This included bombarding customers who had signed up for the service solely to receive recipe kits, with irrelevant offers and promotions.

“This was a clear case of a company putting its own commercial interests ahead of the privacy and rights of its customers,” said Andy Curry, Head of Investigations at the ICO. “Customers were not given a clear choice about receiving marketing messages, and many were left feeling harassed and frustrated by the constant bombardment.”

The ICO’s investigation revealed that HelloFresh’s opt-in processes were designed to be confusing and misleading. Customers were often pre-checked into marketing lists without their knowledge, and the wording of opt-in boxes was unclear, making it difficult for customers to understand what they were agreeing to.

“We take our data protection obligations very seriously and have made changes to our email and text marketing policy in response to the ICO’s findings,” said a spokesperson for HelloFresh. However, the company’s apology and belated changes to its marketing practices may not be enough to appease customers who feel they have been taken advantage of.

The HelloFresh case highlights the importance of data protection and the need for businesses to obtain clear and informed consent from customers before sending them marketing messages. Companies that fail to comply with data protection regulations face not only hefty fines but also reputational damage and the potential loss of customer trust.

****_RELATED ARTICLES_****

1.  **Unreleased Music Stolen and Sold on Dark Web: Hacker Fined**
2.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
3.  **Sephora Fined $1.2 Million for Breaching CCPA and Selling User Data**
4.  **Apple, Samsung fined for intentionally slowing down old smartphones**
5.  **Signal, AI Generated Art Least, Amazon, Facebook Most Invasive Apps**

HelloFresh Fined £140,000 for 80 Million Spam Messages

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

The FCC wants car makers and wireless providers to make it harder for stalkers to use your car against you.

Most new model cars are not just cars anymore. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. Some of them are basically smartphones on wheels.

Even if we assume these new features were all created with your convenience in mind, some of them can have some adverse effects on your privacy, and sometimes even your safety.

Addressing the use of connected cars to stalk, intimidate, and harass survivors of domestic violence, the Federal communications Commission (FCC) has issued a press release calling on carmakers and wireless companies to help ensure the independence and safety of domestic violence survivors.

Chairwoman Jessica Rosenworcel of the FCC said:

> “No survivor of domestic violence and abuse should have to choose between giving up their car and allowing themselves to be stalked and harmed by those who can access its data and connectivity.”

We have previously talked about cars spying on you, and the poor privacy policies that allow manufacturers to sell the data they gather for targeted advertising. We have also written about a federal judge that ruled it’s fine for car makers to intercept your text messages. But those are privacy concerns. Valid and serious, but on a different level from running the risk of being harassed by a jealous ex.

For readers focused on the privacy issues of connected cars, we can recommend the Mozilla report It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy. And when you are parting with a car in the US, you may want to look at the Privacy4Cars app that can provide a Vehicle Privacy Report and claims to be able to delete your data. You will need your Vehicle Identification Number (VIN).

The FCC also asked wireless service providers (AT&T, T-Mobile and Verizon) to describe their partnerships with car manufacturers, seeking information on how the wireless providers work with them and what their policies are for handling geolocation data provided by car manufacturers.

The FCC press release includes statistics showing that more than 12 million people each year are the victims of rape, physical violence, and stalking.

**Tips to keep a stalker from tracking your car**

Not all cars offer these options, and the tips may not apply to your situation, but here are some general tips for people that are afraid they are the target of a stalker:

*   Use the navigation app on your phone, rather than the one built into your car.
*   Do not store places you visit regularly in the car’s navigation.
*   Consider using a VPN when you connect to your car’s hotspot.
*   Find out which devices can access the car or its location data by using any “remote access” apps for the car and remove the devices that are not under your control.
*   Familiarize yourself with the car manufacturer’s privacy policy so you know where your data might be sent. To give you an idea, data might end up with advertisers, law enforcement, service providers, the car manufacturer and its dealers, tech giants like Apple, Google, and Amazon, connected service providers, and government agencies.
*   Keep the software updated to make sure your car is equipped with the latest protection against potential intrusions.
*   If the suspected stalker has been near your vehicle, inspect it thoroughly for trackers and other unfamiliar hardware.
*   Try not to travel alone and always park in a well-lit, busy area if you are concerned about your physical safety.
*   If you have a dashcam that uses cloud storage, check who has access to the images. They can be used to track your movements.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 FCC wants cars to make life harder for stalkers 

macOS suffers from an out-of-bounds write vulnerability in AppleVADriver when decoding mpeg2 videos.

macOS AppleVADriver Out-Of-Bounds Write

On Intel macOS, HEVC video decoding is performed in the AppleGVA module. Using fuzzing, researchers identified multiple issues in this decoder. The issues range from out-of-bounds writes, out-of-bounds reads and, in one case, free() on an invalid address. All of the issues were reproduced on macOS Ventura 13.6 running on a 2018 Mac mini (Intel based).

macOS AppleGVA Memory Handling

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.
The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and

Privacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker **Outlogic**, which was previously known as **X-Mode Social**, from sharing or selling any sensitive location data with third-parties.

The ban is part of a settlement over allegations that the company "sold precise location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters."

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.

X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It's also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

"The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device," the FTC said. "This raw location data is not anonymized, and is capable of matching an individual consumer's mobile device with the locations they visited."

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users' privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.

Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the "implications" of the FTC announcement, and there was no finding it misused location data.

"I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans' location data," U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

"In 2020, I discovered that the company had sold Americans' location data to U.S. military customers through defense contractors. While the FTC's action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans' personal information and prevent government agencies from going around the courts by buying our data from data brokers."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FTC Bans Outlogic (X-Mode) From Selling Sensitive Location Data

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.

Patch Management / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution. It was fixed in version 2.1.

Details of the issue first came to light in April 2023, with Horizon3.ai's Naveen Sunkavally describing it as a "dangerous default configuration in Apache Superset that allows an unauthenticated attacker to gain remote code execution, harvest credentials, and compromise data."

It's currently not known how the vulnerability is being exploited in the wild. Also added by CISA are five other flaws -

*   **CVE-2023-38203** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-29300** (CVSS score: 9.8) - Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
*   **CVE-2023-41990** (CVSS score: 7.8) - Apple Multiple Products Code Execution Vulnerability
*   **CVE-2016-20017** (CVSS score: 9.8) - D-Link DSL-2750B Devices Command Injection Vulnerability
*   **CVE-2023-23752** (CVSS score: 5.3) - Joomla! Improper Access Control Vulnerability

It's worth noting that CVE-2023-41990, patched by Apple in iOS 15.7.8 and iOS 16.3, was used by unknown actors as part of Operation Triangulation spyware attacks to achieve remote code execution when processing a specially crafted iMessage PDF attachment.

Federal Civilian Executive Branch (FCEB) agencies have been recommended to apply fixes for the aforementioned bugs by January 29, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Flags 6 Vulnerabilities - Apple, Apache, Adobe , D-Link, Joomla Under Attack

By Owais Sultan
AI data marketplace Ta-da has announced the completion of a $3.5M funding round. A number of leading blockchain…
This is a post from HackRead.com Read the original post: Ta-da Raises $3.5M to Build Out Its AI Data Marketplace

AI data marketplace Ta-da has announced the completion of a $3.5M funding round. A number of leading blockchain VCs funded the project, which was incubated by Dubai-based Morningstar Ventures since 2021. The funds raised will be used to develop Ta-da’s infrastructure and to expand its operations.

After its seed round led by Morningstar Ventures which also participated in its follow-up, the project received fresh capital injection led by layer 1 blockchain protocol MultiversX and investors such as GBV Capital, XVentures, NxGen and Spark Digital Capital. 

In addition to helping expand its AI data marketplace, funds will be allocated towards enhancing Ta-da’s marketing and communication and growing its team. It will also support the commission of security audits to verify the integrity of its protocol independently.

Ta-da was founded to solve the problem of high-quality AI data being difficult and expensive to obtain. This has prevented AI companies from realizing their full potential. By providing a competitive marketplace where businesses can acquire reliable datasets, Ta-da enables AI innovation to flourish.

In addition to meeting the needs of AI companies, Ta-da supports individuals who can earn tokens by recording and checking voice data. Using a gamified web3 app, Ta-da allows “checkers” to perform microtasks and to be rewarded for the data they validate.

To support the launch of its native app, and support a thriving marketplace for AI data, Ta-da will hold an IDO on xLaunchpad, the official token launchpad of MultiversX. 

Ta-da is the brainchild of Vivoka, a successful startup that develops speech recognition solutions. CEO William Simonin is a serial entrepreneur while his brother Hasheur, founder of Meria.com and one of the leading web3 influencers in France. Other members of its advisory board include Luc Julia (creator of Apple’s Siri) and Morningstar Ventures’ CEO Danilo Carlucci.

The market for AI data is predicted to experience a 25% CAGR over the next decade, transforming it into a $109B economy by 2023. By gamifying data collection and distribution, Ta-da aims to capture a slice of this rapidly growing sector while unlocking new incentives for web3 users.

****About Ta-da****

Ta-da crowdsources data verification, allowing individuals to check datasets and participate in a thriving AI economy. While gamifying AI data and expanding use cases for web3 technology, Ta-da allows businesses to access affordable datasets. This ensures AI companies can leverage verified data to build transformative applications that will change the world.

Ta-da Raises $3.5M to Build Out Its AI Data Marketplace

Gentoo Linux Security Advisory 202401-11 - Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution. Versions greater than or equal to 1.17 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202401-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Apache Batik: Multiple Vulnerabilities  
     Date: January 07, 2024  
     Bugs: #724534, #872689, #918088  
       ID: 202401-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Apache Batik, the worst of  
which could result in arbitrary code execution.

Background  
==========

Apache Batik is a Java-based toolkit for applications or applets that  
want to use images in the Scalable Vector Graphics (SVG) format for  
various purposes, such as display, generation or manipulation.

Affected packages  
=================

Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
dev-java/batik  < 1.17        >= 1.17

Description  
===========

Multiple vulnerabilities have been discovered in Apache Batik. Please  
review the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Apache Batik users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-java/batik-1.17"

References  
==========

[ 1 ] CVE-2018-8013  
      https://nvd.nist.gov/vuln/detail/CVE-2018-8013  
[ 2 ] CVE-2019-17566  
      https://nvd.nist.gov/vuln/detail/CVE-2019-17566  
[ 3 ] CVE-2020-11987  
      https://nvd.nist.gov/vuln/detail/CVE-2020-11987  
[ 4 ] CVE-2022-38398  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38398  
[ 5 ] CVE-2022-38648  
      https://nvd.nist.gov/vuln/detail/CVE-2022-38648  
[ 6 ] CVE-2022-40146  
      https://nvd.nist.gov/vuln/detail/CVE-2022-40146  
[ 7 ] CVE-2022-41704  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41704  
[ 8 ] CVE-2022-42890  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42890  
[ 9 ] CVE-2022-44729  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44729  
[ 10 ] CVE-2022-44730  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44730

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-11

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202401-11

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

Tag

#apple