It Takes 2 Minutes to Hack the EU’s New Age-Verification App

Planning a big night out at Madison Square Garden?

Have fun—but don’t say we didn’t warn you.

A WIRED investigation this week revealed new details about the private surveillance state instituted by MSG owner Jim Dolan and his head of security, John Eversole.

According to court records and WIRED sources, visitors to the Garden and some other Dolan-owned venues have been subjected to face recognition, social media monitoring, in-person surveillance, and more.

The US government’s warrantless wiretap powers hit a roadblock this week.

Despite a push from President Donald Trump for a long-term reauthorization of the so-called Section 702 spy program, 20 Republican lawmakers in the House of Representatives voted against a full reauthorization, forcing Speaker Mike Johnson to merely extend the program for an additional 10 days.

Meta’s Ray-Ban and Oakley AI smartglasses have an image problem— for good reason .

More than 70 civil society groups, including the ACLU and the National Organization for Women, sent a letter to the company this week, demanding that it abandon any plans it may hav e to equip its AI glasses with face-recognition features.

The groups argue that including face recognition in the wearable devices, which can already surreptitiously record videos of people, would further erode any semblance of privacy and potentially facilitate stalkers, domestic abusers, and federal agents.

Nonconsensual deepfake nudes are a scourge at schools around the world, according to an analysis by WIRED and Indicator .

By tracking publicly reported incidents of deepfake “nudify” tech used against middle- and high-school-aged girls, we were able to identify more than 600 victims in 28 countries around the world.

You might think banning a $20 billion black market for scammers from your platform would be a no-brainer.

But not if you’re Telegram .

A WIRED investigation found that the messaging app continued to host Xinbi Guarantee despite the UK government’s designating it a facilitator of human trafficking and sanctioning the largest-ever online marketplace of its kind.

Crypto-tracing firm Elliptic says that Xinbi carried out another $505 million in transactions in the 19 days after the UK issued its sanction.

The AI race has finally entered the cybersecurity lap.

After Anthropic revealed its new model, Mythos, as a unique risk to the security status quo , OpenAI announced that it, too, has a new cybersecurity strategy, and a new model to go with it— GPT-5.4-Cyber .

That’s not all!

Each week, we round up the security and privacy news we didn’t cover in depth ourselves.

Click the headlines to read the full stories.

And stay safe out there.

The European Commission this week released its free, open source app for verifying the ages of visitors to social networks and pornography websites.

At a press conference on Wednesday, European Commission president Ursula von der Leyen proclaimed that, with the release of the app, “there are no more excuses” for platforms that fail to check users’ ages.

That, however, was before experts found the app to be a security disaster.

As reported by Politico , security consultant Paul Moore claimed on X to have found a series of security issues with the app that allowed him to hack it “in less than 2 minutes.” The issues include how the app reportedly stores a user-created PIN that could allow an attacker to easily take over that person’s app profile.

(Baptiste Robert, a whitehat hacker, confirmed the vulnerability to Politico.) Tagging von der Leyen in his post, Moore concluded, “This product will be the catalyst for an enormous breach at some point.

It's just a matter of time.”
A Gym Chain and a Hotel Giant Disclose Major Data Breaches
Bluesky Buckles Under DDoS Attack
Bluesky’s site and app struggled through Thursday after what the company confirmed was a distributed denial-of-service attack.

Chief operations officer Rose Wang said the “sophisticated” attack began April 15 around 8:40 pm ET and caused intermittent failures across feeds, notifications, and search.

The company said it has not seen any evidence of unauthorized access to user data.

The outages hit Bluesky’s own infrastructure but spared communities like Blacksky that run their own instances on the underlying AT Protocol.

Blacksky told TechCrunch it has seen a significant spike in migration requests over the past 12 hours, as users and rival ATmosphere operators promote alternatives.

As of Friday afternoon, its status page shows the service fully operational.

ICE Offered Jobs to Applicants With Dubious Backgrounds
Russian Crypto Exchange Grinex Hacked, Blames Foreign Spies