Your period tracker might be watching you closer than your smart mirror. While that feels invasive, the reality of digital surveillance in 2025 is even more granular. It involves drone footage in San Francisco, face-recognition software at Meta, and a surprising amount of data leaving your phone before you even open it.
Security is leaking everywhere. Not just in code. But in policy, in hardware, and in the apps you use daily to track basic biology. Here is what you need to know about the biggest breaches, bans, and privacy shifts right now.
Why your period tracker app is likely leaking reproductive health data
If you use period tracker apps for menstrual health monitoring, you are handing over intimate details to strangers. The Mozilla Foundation, partnering with Harvard’s Berkman Klein Center, audited six popular apps. The results were stark.
Stardust, an astrology-themed app, scored a 2 out of 10 on privacy. Why? Because it sends your birth control type, pregnancy status, and even symptoms like tender breasts or stomach cramps to a third-party data firm. Mozilla researcher Shoshana Woudinsky noted the app pings trackers the moment it launches. Before you log a single symptom.
“The instant she logged a symptom… details went to analytics firm Ruderstack alongside a persistent user id,” Woudinsky found.
RudderStack routes that data onward. You cannot stop it within the app. Stardust also hands Facebook your ad identifier. The company claims no legal demand forced them to share data, but the default behavior is sharing everything.
Then there is Euki. A nonprofit-run tracker that scored a perfect 10. Why does it differ?
* No account required.
* Health data stays on your phone.
* It features a decoy screen if you are forced to open your device.
* Automatic deletion settings exist.
Its only flaw is an internal browser that loads web trackers. But it resets identifiers between visits. Do you trust astrology brands with your reproductive history? Maybe. Maybe not. The choice is yours.
FSB behind cyberattack on Polish electric grid infrastructure
Russia’s Federal Security Service (FSB) gets credit for spywork. The GRU handles the dirty work. Or so we thought.
Recent sanctions from the EU, UK, US CISA, FBI, and NSA paint a different picture. Center 16, a unit of the FSB, allegedly conducted a cyberattack on the Polish electric grid. It came very close to causing blackouts in both electricity and water utilities.
Initial reports blamed Sandworm (GRU Unit 74455). Cyber firms Dragos and Eset pointed the finger at the military unit known for its aggression against Ukraine. However, Poland’s CERT disputed that. They tied the attack to the FSB. Western governments now agree.
This matters because the FSB rarely executes destructive attacks. It suggests they are adopting the GRU’s reckless tactics. They are becoming more aggressive. The line between intelligence gathering and sabotage is blurring.
Kaspersky employee linked to Russian state-sponsored hacking
Kaspersky has long been suspected of ties to the Russian state. US officials banned its software for government use. Then for all customers. But overt proof was thin.
Reuters reports otherwise now. Denis Obrevko, facing hacking charges in Boston, allegedly worked at Kaspersky for two years. He joined before working at Yutek-NN.
At Yutek, he is accused of stealing data from NATO governments and eleven US companies. His alleged group is known as Void Blizzard, or Laundry Bear. Prior to Kaspersky? He supposedly worked at the FSB.
Obrevko denies the charges. He pleads not guilty. Kaspersky claims his employment role had nothing to do with these offenses. Yet the timeline is convenient. Work for the state. Work for Kaspersky. Steal data for the state again.
DHS missed two real cyber breaches
Anxiety is part of the job when you watch networks for hackers. Imagine missing them. Twice.
Hackers breached the Homeland Security Information Network (HSIN) two months ago. HSIN shares unclassified but highly sensitive data between agencies. Federal Emergency Management Agency analysts spotted signs in mid-May. Files altered. A web server hijacked. Logs deleted.
They ruled it a false positive.
Weeks later, the hackers returned. They were detected again. Dismissed again as a mirage.
Why the mistake? It might be “living off the land” techniques. These hackers use legitimate network features instead of planting obvious malware. It is hard to spot what looks normal. Senator Mark Warner warned this exposes risks to national security. Even unclassified data can be weaponized.
How Suno AI trained on copyrighted music
AI music generation is a legal minefield. Suno is the current target. A hacker breached the startup, exposing how it trains its models.
404 Media reviewed internal data. The findings show Suno scraped millions of songs from YouTube Music. Lyrics came from Genius. Audio came from Deezer. Plus stock libraries like Pond5.
The numbers are huge.
* 113,877 hours of YouTube audio alone.
* Tens of thousands of hours from other libraries.
* Roughly one million hours of podcasts targeted via PodcastIndex.
The hacker used a worm called Shai-Hulud to compromise an employee. They exposed account info for hundreds of thousands of users, including Stripe payments. Suno calls its training fair use. They settled with Warner Music Group in November. They say the leaked code was outdated. They say no sensitive info was lost.
But users say they weren’t notified. The scraping is confirmed. The industry allegation is substantiated. The question isn’t whether they scraped. It’s how much they kept.























