Spotify Probes Alleged Massive Music Scrape and DRM Circumvention
Spotify is investigating an alleged large-scale scrape of its platform after a third party accessed audio files and metadata without authorization. In a statement to *Android Authority*, Spotify said an investigation found that public metadata was scraped and illicit methods were used to circumvent DRM protections to obtain audio content.
The incident allegedly involved the extraction of roughly 300 TB of data, including about 86 million tracks—around 37% of Spotify’s total catalog but accounting for 99.9% of all listens. Most of the audio files are reportedly preserved in Spotify’s original OGG Vorbis 160 kbps format, with tracks showing zero popularity re-encoded at 75 kbps to reduce storage size.
In addition to audio, the scrape includes approximately 256 million rows of metadata organized into queryable SQL databases, covering nearly all listening activity, as well as a near-lossless reconstruction of Spotify’s API containing 186 million unique ISRCs and complete album, artist, and artwork information. Spotify says it is continuing to investigate the scope and impact of the incident.
More via Tom’s Hardware
MongoBleed: Critical MongoDB Exploit Goes Public Over the Holidays
A critical MongoDB vulnerability, CVE-2025-14847, which allows unauthenticated memory reads, affects every version released over the past decade. On Christmas Day, an individual linked to Elastic Security released the first public exploit, while OX Security shared technical details on Christmas Eve, including analysis involving zlib. Patches exist, but unpatched systems remain at risk.
Dubbed “MongoBleed” after CitrixBleed, the exploit drastically lowers the barrier to attack. With just an IP address, attackers can scan memory for sensitive data, including plain-text database passwords and AWS secret keys.
With over 200,000 internet-facing MongoDB instances, the risk of mass exploitation is high. Detection is complicated, as the exploit author provided no guidance for logs or Elastic tools. The recommended response: stay calm and patch all internet-facing MongoDB deployments immediately.
More via Double Pulsar
California Launches Nation’s Strictest Data Deletion Law
California’s new privacy law, effective January 1, gives residents a single way to stop data brokers from collecting and selling personal information. Over 500 brokers gather data from automakers, tech and device companies, and restaurants—including financial records, purchases, habits, travel, and family information—for marketers and investigators. The DROP (Delete Request and Opt-out Platform) forwards one deletion request to all brokers, who must delete matching records and inferences within 45 days unless legally exempt. Californians must verify residency and provide identifiers like VINs and advertising IDs. CalPrivacy ensures the data is used solely for deletion. While currently limited to California, the law could set a nationwide precedent.
More via Ars Technica
Apple Warns Users of Government Spyware Attacks
Jay Gibson, a former spyware developer, was shocked when Apple warned that his iPhone had been targeted by a “mercenary spyware attack.” Apple, Google, and WhatsApp are increasingly alerting users to government-linked spyware from companies such as Intellexa, NSO Group, and Paragon Solutions, though they do not provide hands-on support. Google advises enabling multi-factor authentication and its Advanced Protection Program, while Apple recommends Lockdown Mode. Security experts, including Mohammed Al-Maskati, stress keeping devices updated, avoiding suspicious links, and monitoring unusual activity.
Users can perform preliminary checks themselves using the Mobile Verification Toolkit (MVT) or seek professional help from organizations including Access Now, Amnesty International, Citizen Lab, Reporters Without Borders, iVerify, Safety Sync Group, Hexordia, Lookout, or Costin Raiu’s TLPBLACK. Modern spyware often steals data and erases traces, and victims may choose whether to publicly disclose attacks.
More via TechCrunch
Critical D-Link DSL Vulnerability Under Active Exploitation
A critical flaw, CVE-2026-0625 (CVSS 9.3), affects legacy D-Link DSL routers—DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B—with 2016–2019 firmware. The “dnscfg.cgi” endpoint allows unauthenticated remote code execution and DNS control via the “DNSChanger” mechanism. Exploitation was observed by Shadowserver on November 27, 2025. Many impacted devices are end-of-life and unpatchable. D-Link began an internal investigation after a VulnCheck report on December 16, 2025; detecting affected models requires direct firmware inspection. The flaw enables silent DNS redirection, interception, or blocking across all downstream devices, replicating past DNS hijacking campaigns. Organizations using these routers face elevated operational risk and are urged to retire or upgrade them immediately.
More via The Hacker News
Elsewhere Online
Massive Android Botnet Kimwolf Reaches Two Million Infections Globally
Read: https://www.securityweek.com/kimwolf-android-botnet-grows-through-residential-proxy-networks/
Energy and Medical Sectors in Taiwan Face Unprecedented Chinese Cyber Assault
Read: https://www.infosecurity-magazine.com/news/china-intensifies-cyberattacks/
Iranian Cybercriminal Auctions Stolen Data from 50 Major Corporations
Read: https://hackread.com/lone-hacker-infostealers-global-companies-data/
Black Cat Gang Uses SEO Poisoning to Distribute Data Stealing Malware
Read: https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html
Critics Warn German Transparency Act Threatens Decades of Press Protections
Read: https://reclaimthenet.org/germany-political-ad-transparency-bill-press-surveillance