Adoption Data Breach Exposes Sensitive Records from Texas Nonprofit
At the end of June, security researcher Jeremiah Fowler discovered an unprotected 2.49GB database containing over 1.1 million records linked to the Gladney Center for Adoption, a Texas-based nonprofit. The exposed trove included adoption-related data such as names, addresses, phone numbers, emails, and unique child case identifiers, alongside sensitive records: biological parent identities, medical and mental health statuses, Child Protective Services interactions, and court order references. Fowler traced the database to Gladney after noting employee records among the files. Believing it stemmed from a CRM system migration, he notified the organization on June 25, received no reply, and tried again June 26. Within hours, the database was silently secured.
Fowler, alarmed by the vulnerability of affected children, told WIRED this was the first time in his career he encountered exposed adoption data. Gladney COO Lisa Schuessler stated the organization prioritizes security, works with external IT investigators, follows law enforcement protocols, and will notify impacted individuals if necessary. She declined to confirm Fowler’s findings directly, referring WIRED to the original statement, which emphasized ongoing efforts to strengthen Gladney’s systems.
The incident highlights the persistent risk of misconfigured cloud databases and the stakes when sensitive child welfare data—potentially protected by HIPAA and state privacy laws—is left exposed online.
Read: https://www.wired.com/story/adoption-agency-data-exposure-revealed-information-about-children-and-parents/
Matanbuchus 3.0 Expands Stealth Tactics with Teams Lures and Advanced Loader Features
Matanbuchus, a malware-as-a-service first hawked in February 2021 on Russian-speaking cybercrime forums for $2,500, has reemerged in version 3.0 with stealthier payload delivery. Unlike spammy commodity loaders, it’s deployed via live social engineering—e.g., impersonated IT desk agents on Microsoft Teams luring employees into using Quick Assist to run a PowerShell script. The malware masquerades as a Notepad++ updater (GUP), hiding a tweaked XML config and malicious DLL. Once launched, it collects system data, scans for security tools, and reports to its C2 server, which sends MSI or EXE payloads. It persists via shellcode-injected COM-based scheduled tasks and can execute regsvr32, rundll32, msiexec, or process hollowing. Features include in-memory execution, CMD/PowerShell reverse shells, WQL query support, and LOLBin usage. Matanbuchus 3.0 rents for $10K/month (HTTPS) or $15K (DNS). Researchers at Morphisec, including CTO Michael Gorelik, link its tactics to access brokers and Black Basta, reflecting a trend of malware abusing Teams and Zoom.
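The delivery chain above (Quick Assist, then PowerShell, then a fake Notepad++ updater, then a LOLBin) is visible in ordinary process-creation telemetry. The following is an added example, not code from Morphisec or The Hacker News: a small detector run over constructed Sysmon-style events. The image name QuickAssist.exe, the Notepad++ updater directory, and every path, PID and command line in the sample are assumptions made up for the example, not indicators from the report.

```python
import ntpath

# Constructed Sysmon-style process-creation events (Event ID 1 field names). Paths,
# PIDs and command lines are made up for this example and are not real indicators.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\QuickAssist.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c ..."},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\GUP.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "GUP.exe"},
    {"ProcessId": 4201, "ParentProcessId": 4188,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\GUP.exe",
     "CommandLine": "regsvr32.exe /s payload.dll"},
    # Benign: the genuine Notepad++ updater launched by Notepad++ itself.
    {"ProcessId": 5010, "ParentProcessId": 5001,
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "GUP.exe"},
    # Benign: an installer started by the user from Explorer.
    {"ProcessId": 5200, "ParentProcessId": 1800,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msiexec.exe /i setup.msi"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}
QUICK_ASSIST = "quickassist.exe"          # assumed image name of the Quick Assist client
LEGIT_GUP_DIR = "\\notepad++\\updater\\"  # assumed location of the genuine Notepad++ updater


def _base(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_suspect_gup(event) -> bool:
    """GUP.exe running from anywhere except the Notepad++ updater directory."""
    return _base(event["Image"]) == "gup.exe" and LEGIT_GUP_DIR not in event["Image"].lower()


def detect(events):
    """Return (rule, ProcessId) pairs for events matching the delivery chain.

    Three rules, one per hop: a shell spawned by Quick Assist, an updater running from
    an odd directory, and a LOLBin whose parent is that suspect updater. Parent lookups
    go through a PID map, so event order does not matter.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        image, parent = _base(e["Image"]), _base(e["ParentImage"])
        if parent == QUICK_ASSIST and image in SHELLS:
            alerts.append(("shell_spawned_by_quick_assist", e["ProcessId"]))
        if is_suspect_gup(e):
            alerts.append(("gup_outside_notepadpp_dir", e["ProcessId"]))
        parent_event = by_pid.get(e["ParentProcessId"])
        if image in LOLBINS and parent_event is not None and is_suspect_gup(parent_event):
            alerts.append(("lolbin_from_suspect_updater", e["ProcessId"]))
    return alerts


def flagged_pids(events):
    """Distinct PIDs that tripped at least one rule, in ascending order."""
    return sorted({pid for _, pid in detect(events)})


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid} {SAMPLE_EVENTS and ''}{[e['CommandLine'] for e in SAMPLE_EVENTS if e['ProcessId'] == pid][0]}")
```

Only the three malicious events trip a rule; the real updater and the Explorer-launched installer do not. PID reuse makes the parent lookup only as reliable as the time window you feed it, so run it over one host's events for one session. The COM-created scheduled task used for persistence never appears as a process-creation event; that hop needs scheduled-task creation auditing, which is a separate log source.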
Read: https://thehackernews.com/2025/07/hackers-leverage-microsoft-teams-to.html
Bluesky Implements UK Age Checks Amid Privacy Backlash Over Online Safety Law
Bluesky, the decentralized social media platform, is rolling out age checks for UK users to comply with the Online Safety Act, a 2023 law compelling platforms to verify user ages before granting access to potentially “harmful” content. Enforcement begins July 25, 2025. Non-compliance carries penalties of up to £18 million or 10% of global revenue. Bluesky users in the UK will be prompted to verify their age using one of several methods: facial scanning, ID upload, or payment card entry.
The age verification process is handled by Kid Web Services (KWS), a tool built by *Fortnite* developer Epic Games to support age-gating and parental control on digital platforms. Verification begins with email registration through KWS, after which users receive instructions to complete the process. Those under 18, or anyone declining to verify, won’t be banned but will face feature restrictions—such as blocked access to adult content and disabled direct messaging.
The law has alarmed digital rights advocates, who warn it could erode free speech and privacy by tethering online speech to real-world identities. Critics argue this linkage creates a chilling effect, especially on pseudonymous expression. Screenshots shared by Bluesky preview the upcoming changes, which are central to the UK government’s broader digital identity agenda.
Read: https://reclaimthenet.org/digital-id-bluesky-to-launch-age-checks-in-uk
TikTok Faces New Irish Data Probe and UK Fine Over EU User Data Storage in China
On July 10, the Irish Data Protection Commission (DPC) launched a new inquiry into TikTok’s storage of EU user data on servers in China, just two months after issuing a €530 million fine for allowing China-based ByteDance staff to access such data. The new probe, however, shifts focus from access to storage—an issue not covered in the previous four-year investigation, during which TikTok repeatedly insisted no EU data was stored in China. Yet in April, TikTok admitted it discovered in February that a small amount of such data had been stored there, later removed.
TikTok, with European headquarters in Dublin, is challenging the DPC’s sanction, warning that it could set a precedent affecting cross-border data operations across multiple industries. Meanwhile, on the same day, the UK’s First-tier Tribunal confirmed that the Information Commissioner’s Office (ICO) has the legal authority to issue a Monetary Penalty Notice (MPN) to TikTok. This clears the way for a £12.7 million ($17.3 million) fine for breaches of the UK GDPR announced in April 2023.
Read: https://www.infosecurity-magazine.com/news/tiktok-handling-eu-user-data-china/
Grappling With Existential Panic Over AI
From the desk of easyDNS CEO Mark Jeftovic
This morning I sent an internal email to the team talking about ways to better leverage our documentation to provide 2nd tier support, via an internal chatbot trained up with our own help docs and “tribal wisdom” that’s been generated within the team over the years, but never harnessed in a coherent manner.
That revived a theme I’ve been thinking about for some time now, the wider implications of AI, starting with a kind of existentially terrifying “aha” moment I had over the Christmas holidays.
Read about it here:
https://easydns.com/blog/2025/07/16/grappling-with-existential-panic-over-ai/
Nvidia Urges ECC Defenses After First Rowhammer Attack on GPUs Cuts AI Accuracy to Near Zero
Nvidia is urging customers of its RTX A6000 GPUs—used heavily in HPC and available via AWS, Runpod, and Lambda Cloud—to enable ECC protections that may degrade performance by up to 10%, in response to GPUhammer: the first successful Rowhammer attack on discrete GPUs and GDDR6 memory. Developed by University of Toronto researchers Gururaj Saileshwar, Chris S. Lin, and Joyce Qu, GPUhammer flips a single bit in the exponent of a deep learning model weight, scaling it by a factor of 2¹⁶ and dropping accuracy from 80% to 0.1%—“catastrophic brain damage,” as Saileshwar put it. Vulnerable models include 3D U-Net, widely used in medical imaging.
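Why one flipped bit is enough comes straight from the floating-point encoding: every exponent bit is a power-of-two multiplier, and the top one is worth 2¹⁶ in a 16-bit float. The following is an added example, not the researchers' code. It assumes the weight is stored as FP16 (the article does not state the precision) and uses a constructed four-weight layer.

```python
import struct

# IEEE 754 binary16 (FP16) layout: bit 15 = sign, bits 14..10 = exponent, bits 9..0 = mantissa.
# The top exponent bit (bit 14) is worth 16 in the biased exponent, so setting it multiplies
# the value by 2**16. Assumption for this example: weights are FP16.
EXP_MSB = 14
MANTISSA_LSB = 0


def to_fp16(x: float) -> float:
    """Round a Python float to the nearest FP16 value, i.e. what the GPU actually stores."""
    return struct.unpack("<e", struct.pack("<e", x))[0]


def fp16_bits(x: float) -> int:
    """The 16-bit pattern of x as it would sit in a GDDR6 row."""
    return struct.unpack("<H", struct.pack("<e", x))[0]


def from_bits(b: int) -> float:
    return struct.unpack("<e", struct.pack("<H", b & 0xFFFF))[0]


def flip_bit(x: float, bit: int) -> float:
    """Model one Rowhammer fault: XOR a single bit of the FP16 encoding of x."""
    return from_bits(fp16_bits(x) ^ (1 << bit))


def flip_ratio(x: float, bit: int) -> float:
    """Multiplicative change one flipped bit causes in an FP16 weight."""
    w = to_fp16(x)
    return flip_bit(w, bit) / w


def layer_output(weights, inputs) -> float:
    """One linear neuron; weights quantised to FP16 as they would be on the device."""
    return sum(to_fp16(w) * x for w, x in zip(weights, inputs))


def corrupted_layer_output(weights, inputs, index: int, bit: int) -> float:
    """Same neuron after a single-bit flip in weights[index]."""
    corrupted = list(weights)
    corrupted[index] = flip_bit(to_fp16(weights[index]), bit)
    return layer_output(corrupted, inputs)


# Constructed example data: small weights of the kind a trained layer holds.
WEIGHTS = [0.1, -0.2, 0.05, 0.3]
INPUTS = [1.0, 1.0, 1.0, 1.0]

if __name__ == "__main__":
    print("mantissa LSB flip scales 0.1 by", flip_ratio(0.1, MANTISSA_LSB))
    print("exponent MSB flip scales 0.1 by", flip_ratio(0.1, EXP_MSB))
    print("clean output    :", layer_output(WEIGHTS, INPUTS))
    print("corrupted output:", corrupted_layer_output(WEIGHTS, INPUTS, 0, EXP_MSB))
```

A mantissa flip nudges the weight by a fraction of a percent; the exponent-MSB flip turns 0.1 into 6552, and one such weight swamps the whole neuron. Weights at or above 1.0 already have that bit set, so the same flip there sends the value towards infinity or NaN instead, which is no kinder to the model.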
Unlike prior Rowhammer exploits targeting DDR-based CPU memory, this one targets GDDR memory soldered onto GPUs, with proprietary bank mappings and inaccessible physical addresses, making the attack novel and difficult. GDDR6’s high latency and refresh rates complicate hammering, and ECC—while helpful—uses SECDED, which corrects a single flipped bit and detects two, but three flips in the same word can pass undetected or be “corrected” into the wrong value.
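The SECDED limit is easy to see on a toy code. Below is an added example, not from the paper or Nvidia: a Hamming(7,4) code with an overall parity bit, the same single-error-correct, double-error-detect construction as memory ECC but on 4-bit instead of 64-bit words, run through one-, two- and three-bit faults.

```python
from itertools import combinations

# (8,4) SECDED: Hamming(7,4) plus one overall parity bit.
# Bit positions: 0 = overall parity, 1/2/4 = Hamming parity, 3/5/6/7 = data.
DATA_POS = (3, 5, 6, 7)
DATA_SHIFT = (3, 2, 1, 0)


def encode(nibble: int) -> int:
    """Encode a 4-bit value into an 8-bit SECDED codeword."""
    bits = [0] * 8
    for pos, shift in zip(DATA_POS, DATA_SHIFT):
        bits[pos] = (nibble >> shift) & 1
    # Hamming parity bit p covers every position whose index has bit p set.
    for p in (1, 2, 4):
        bits[p] = 0
        for i in range(1, 8):
            if i & p and i != p:
                bits[p] ^= bits[i]
    bits[0] = 0
    for i in range(1, 8):
        bits[0] ^= bits[i]  # overall parity over the Hamming codeword
    return sum(b << i for i, b in enumerate(bits))


def _data(cw: int) -> int:
    return sum(((cw >> pos) & 1) << shift for pos, shift in zip(DATA_POS, DATA_SHIFT))


def decode(cw: int):
    """Return (data, status); status is 'ok', 'corrected' or 'detected'."""
    syndrome = 0
    for i in range(1, 8):
        if (cw >> i) & 1:
            syndrome ^= i          # XOR of set positions = index of a single bad bit
    overall = bin(cw & 0xFF).count("1") & 1  # 1 => an odd number of bits flipped
    if syndrome == 0 and overall == 0:
        return _data(cw), "ok"
    if overall == 1:
        # Odd flip count: the decoder assumes exactly one error and "fixes" it.
        # With three flips this repair lands on the wrong bit and nobody is told.
        return _data(cw ^ (1 << syndrome)), "corrected"
    return _data(cw), "detected"   # even flip count >= 2: flagged, not corrected


def inject(cw: int, positions) -> int:
    """Flip the given bit positions, simulating Rowhammer faults in one word."""
    for p in positions:
        cw ^= 1 << p
    return cw


def silent_corruption(nibble: int, positions) -> bool:
    """True when the decoder hands back wrong data without signalling an error."""
    data, status = decode(inject(encode(nibble), positions))
    return status != "detected" and data != nibble


def all_triple_flips_silent(nibble: int) -> bool:
    """Every 3-bit fault in this word is miscorrected without detection."""
    return all(silent_corruption(nibble, c) for c in combinations(range(8), 3))


if __name__ == "__main__":
    cw = encode(0b1011)
    for faults in ([], [5], [0], [2, 6], [3, 5, 6]):
        print(f"flips {faults!s:10} -> {decode(inject(cw, faults))}")
```

One flip in any position, data or parity, is repaired; two are reported as uncorrectable; three are always "corrected" to the wrong word with status "corrected", which is exactly the silent failure the paragraph describes. Real 64-bit SECDED has the same structure, only with more room for a hammering attack to land its flips.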
While GPUhammer was demonstrated on the A6000, researchers suspect other GDDR6-based Ampere GPUs are also vulnerable. Newer chips like the H100 (HBM3) and RTX 5090 (GDDR7) feature on-die ECC, potentially more resilient but untested. The research will be presented at USENIX Security 2025.
Read: https://arstechnica.com/security/2025/07/nvidia-chips-become-the-first-gpus-to-fall-to-rowhammer-bit-flip-attacks/