Security

Spyware Maker LetMeSpy Shuts Down After Hacker Deletes Server Data (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims' phones. In a notice on its website in both English and Polish, LetMeSpy confirmed the "permanent shutdown" of the spyware service and that it would cease operations by the end of August. The notice said LetMeSpy is blocking users from logging in or signing up with new accounts. A separate notice on LetMeSpy's former login page, which no longer functions, confirmed earlier reports that the hacker who breached the spyware operation also deleted the data on its servers. "The breach consisted of unauthorized access to the LetMeSpy website's database, downloading and at the same time deleting data from the website by the author of the attack," the notice reads. LetMeSpy's app no longer functions, a network traffic analysis by TechCrunch shows, and the spyware maker's website no longer provides the spyware app for download.

LetMeSpy was an Android phone monitoring app that was purposefully designed to stay hidden on a victim's phone home screen, making the app difficult to detect and remove. When planted on a person's phone -- often by someone with knowledge of their phone passcode -- apps like LetMeSpy continually steal that person's messages, call logs and real-time location data. A copy of the database was obtained by nonprofit transparency collective DDoSecrets, which indexes leaked datasets in the public interest, and shared with TechCrunch for analysis. The data showed that LetMeSpy, until recently, had been used to steal data from more than 13,000 compromised Android devices worldwide, though LetMeSpy's website claimed prior to the breach that it controlled more than 236,000 devices. The database also contained information that shows the spyware was developed by a Krakow-based tech company called Radeal, whose chief executive Rafal Lidwin did not respond to a request for comment.

Google

Google Search Can Now Critique Your Grammar (theverge.com)

The next time you want a quick gut check on whether a sentence is grammatically accurate, Google Search might have the answer. From a report: 9to5Google has spotted a "grammar check" feature that will offer suggestions on whether a given phrase is grammatically accurate. For example, type "the quick brown fox jump over the lazy dog" into the search engine and Google will highlight that you probably meant "jumps" instead of "jump." Although most people probably don't care about the grammar of their search phrases, we suspect this tool is meant to be more general purpose. If one of your sentences looks off when you type it into a messaging app for example, Google's hope seems to be that you'll give it a check with Google Search -- because anything that encourages more searches and engagement is good for business.

Security

New (Deep Learning-Enhanced) Acoustic Attack Steals Data from Keystrokes With 95% Accuracy (bleepingcomputer.com)

Long-time Slashdot reader SonicSpike quotes this article from BleepingComputer: A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%...

Such an attack severely affects the target's data security, as it could leak people's passwords, discussions, messages, or other sensitive information to malicious third parties. Moreover, contrary to other side-channel attacks that require special conditions and are subject to data rate and distance limitations, acoustic attacks have become much simpler due to the abundance of microphone-bearing devices that can achieve high-quality audio captures. This, combined with the rapid advancements in machine learning, makes sound-based side-channel attacks feasible and a lot more dangerous than previously anticipated.

The researchers achieved 95% accuracy from the smartphone recordings, 93% from Zoom recordings, and 91.7% from Skype.

The article suggests potential defenses against the attack might include white noise, "software-based keystroke audio filters," switching to password managers — and using biometric authentication.

IT

Zoom Demands Workers Return to Office Two Days a Week. Is The Remote-Working Revolution Dead? (msn.com)

Even Zoom is now telling its 8,400 employees to stop working remotely at least two days a week and return to the office. The policy applies to employees within 50 miles of a Zoom office, with a Zoom spokesperson calling this hybrid approach the "most effective".

Business Insider quips that Zoom making the move means "The remote work revolution is officially dead."

And earlier this week The Los Angeles Times argues that "After watching and waiting, some chaotic back-and-forth and a few false starts, the white-collar American workforce appears to be settling — for now — in a hybrid mode." Even as more corporations are moving to call workers back to the office, arguing it's better for preserving company culture and decision-making, few employers have required employees to work on-site five days a week. Most are like Meta and Los Angeles-based Farmers Group, which recently announced that most employees who had been working remotely will have to come in three days a week starting in September.

Some firms have backtracked in favor of a more flexible system, or put return-to-office plans on ice, because of worker resistance and other changes wrought by the pandemic... [M]any other companies have stayed silent on the issue of remote work, maintaining vague or largely unenforced policies as they wait to see where the struggle ends. More unions, including the guild at the Los Angeles Times, are wrestling with management over remote work, which has become a top labor issue. For all these reasons, the overall amount of work done from home has held remarkably steady this year at about 28%, according to monthly surveys of thousands of workers by WFH Research, a group including Stanford and the University of Chicago. That's way up from roughly 5% of work done at home before COVID-19.

And there are some signs that employers are giving workers greater flexibility in their work schedules and when they can work from home. In a nationwide survey conducted last month for The Times by polling firm Leger, 27% of full-time workers said their employers had become more lenient over the last year about working remotely. Only 15% said their employers got stricter. Most of the rest said there was no change. Leger's survey showed that 11% of full-time employees work 100% from home, and 31% work a hybrid schedule, with most saying they choose which days to come into the office. The remainder said that they work fully on company premises or that their jobs aren't compatible with at-home work. These results line up almost exactly with WFH data...

Rob Sadow, chief executive at Scoop Technologies, a firm specializing in flexible-work software and research, says the percentages of employers that are fully remote and fully in-office have both declined since the start of the year. What's grown in their place is a "structured" hybrid model in which employees and employers have essentially split the difference. "This two to three days a week is starting to feel like a pretty decent, happy medium," Sadow said. "Executives and employees are finding somewhat of a truce in terms of how much time is spent in the office and at home."

The article also points out that "Some employees have quit and moved to more remote-work friendly firms."

Encryption

Ask Slashdot: What's the Best (Encrypted) Password Manager?

For storing passwords, Slashdot reader eggegick has a simple, easy solution: "I use Vim to keep my passwords in an encrypted file."

But what's the easiest solution for people who don't use Vim? My wife is not a Linux geek like I am, so she's using [free and open-source] KeePass. It's relatively simple to install and use, but I seem to recall it used to be even much simpler... Does anybody know of a really simple password manager or encrypting notepad?

I've looked at a number of them, and they use Java or Javascript, or they involve an external web site, or they have way too many features, or they use an installation program. Or Windows Defender objects to them.

Share your own suggestions and thoughts in the comments.

What's the best (encrypted) password manager?

IT

A Ponzi Scheme Targets Desperate Workers Amid Zimbabwe's Employment Crisis (restofworld.org)

Dumi, a Zimbabwean, fell for E-Creator's review-writing job, investing $112. When the company's director disappeared with $1M, his account was frozen, leaving him scammed. Rest of World reports: Thousands of Zimbabweans have been lured into a scam in hopes of making a quick buck, at a time when unemployment in the country is high: Estimates vary from 7.9% to 20%, or even 90%, according to the Zimbabwe Congress of Trade Unions. Alongside the job crisis, the country has been reeling under an inflation of more than 100%, with many struggling to make ends meet. Dumi, who previously worked as a clerk, told Rest of World he found it hard to get another job due to scarce opportunities. He said he joined the E-Creator scheme hoping he'd earn an income while waiting to find the job of his dreams. "Some of us living in marginalized townships such as Mbare, with no decent employment, jumped at an opportunity, which seemed to be so technologically significant and rewarding. Losing money in the process was unexpected," Dumi said, adding that he would not have joined the scheme if he had a job of his choice.

E-Creator agents told Rest of World they had taken up the role because they were unemployed or couldn't find enough work. They said they were lured by the promise of earning 10% returns for posting 10 fake reviews if they invested between $15 and $100. There were higher rewards promised for bigger investments: Depositing $100-$500 and recruiting five agents meant an additional 4.5% return; depositing $500-$2,000 and recruiting over 50 others would take earnings to the highest level of a 5% commission and a 10% base payout. While they could withdraw money from their E-Creator wallets, the lure of getting higher returns stopped them from doing so. Watson Manjobo, a former manager and affiliate marketer for E-Creator, told Rest of World the company owed him his salary for June. His job was to recruit more users and help people reset their account passwords. When news of Jiaotong's escape went viral, users flooded his phone with messages demanding answers, he said, adding that his direct superiors have since been unreachable.

Security

A Cyberattack Has Disrupted Hospitals and Health Care in Several States (apnews.com)

A cyberattack has disrupted hospital computer systems in several states, forcing some emergency rooms to close and ambulances to be diverted, and many primary care services remained closed on Friday as security experts worked to determine the extent of the problem and resolve it. From a report: The "data security incident" began Thursday at facilities operated by Prospect Medical Holdings, which is based in California and has hospitals and clinics there and in Texas, Connecticut, Rhode Island and Pennsylvania. "Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists," the company said in a statement Friday. "While our investigation continues, we are focused on addressing the pressing needs of our patients as we work diligently to return to normal operations as quickly as possible." In Connecticut, the emergency departments at Manchester Memorial and Rockville General hospital were closed for much of Thursday and patients were diverted to other nearby medical centers.

[...] The FBI in Connecticut issued a statement saying it is working with "law enforcement partners and the victim entities" but could not comment further on an ongoing investigation. Elective surgeries, outpatient appointments, blood drives and other services were suspended, and while the emergency departments reopened late Thursday, many primary care services were closed on Friday, according to the Eastern Connecticut Health Network, which runs the facilities. Patients were being contacted individually, according to the network's website. Similar disruptions also were reported at other facilities system-wide.

Security

Hackers Could Have Scored Unlimited Airline Miles By Targeting One Platform (wired.com)

An anonymous reader quotes a report from Wired: Travel rewards programs like those offered by airlines and hotels tout the specific perks of joining their club over others. Under the hood, though, the digital infrastructure for many of these programs -- including Delta SkyMiles, United MileagePlus, Hilton Honors, and Marriott Bonvoy -- is built on the same platform. The backend comes from the loyalty commerce company Points and its suite of services, including an expansive application programming interface (API). But new findings, published today by a group of security researchers, show that vulnerabilities in the Points.com API could have been exploited to expose customer data, steal customers' "loyalty currency" (like miles), or even compromise Points global administration accounts to gain control of entire loyalty programs. The researchers -- Ian Carroll, Shubham Shah, and Sam Curry -- reported a series of vulnerabilities to Points between March and May, and all the bugs have since been fixed.

"The surprise for me was related to the fact that there is a central entity for loyalty and points systems, which almost every big brand in the world uses," Shah says. "From this point, it was clear to me that finding flaws in this system would have a cascading effect to every company utilizing their loyalty backend. I believe that once other hackers realized that targeting Points meant that they could potentially have unlimited points on loyalty systems, they would have also been successful in targeting Points.com eventually." One bug involved a manipulation that allowed the researchers to traverse from one part of the Points API infrastructure to another internal portion and then query it for reward program customer orders. The system included 22 million order records, which contain data like customer rewards account numbers, addresses, phone numbers, email addresses, and partial credit card numbers. Points.com had limits in place on how many responses the system could return at a time, meaning an attacker couldn't simply dump the whole data trove at once. But the researchers note that it would have been possible to look up specific individuals of interest or slowly siphon data from the system over time.

Another bug the researchers found was an API configuration issue that could have allowed an attacker to generate an account authorization token for any user with just their last name and rewards number. These two pieces of data could potentially be found through past breaches or could be taken by exploiting the first vulnerability. With this token, attackers could take over customer accounts and transfer miles or other rewards points to themselves, draining the victim's accounts. The researchers found two vulnerabilities similar to the other pair of bugs, one of which only impacted Virgin Red while the other affected just United MileagePlus. Points.com fixed both of these vulnerabilities as well. Most significantly, the researchers found a vulnerability in the Points.com global administration website in which an encrypted cookie assigned to each user had been encrypted with an easily guessable secret -- the word "secret" itself. By guessing this, the researchers could decrypt their cookie, reassign themselves global administrator privileges for the site, reencrypt the cookie, and essentially assume god-mode-like capabilities to access any Points reward system and even grant accounts unlimited miles or other benefits.

Security

Microsoft Comes Under Blistering Criticism For 'Grossly Irresponsible' Security (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is "grossly irresponsible" and mired in a "culture of toxic obfuscation." The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were "negligent cybersecurity practices" that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure's role in the mass breach.

On Wednesday, Yoran took to LinkedIn to castigate Microsoft for failing to fix what the company said on Monday was a "critical" issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday's disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.

"To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank," Yoran wrote. "They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft." He continued: "Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix -- and only for new applications loaded in the service."

In response, Microsoft officials wrote: "We appreciate the collaboration with the security community to responsibly disclose product issues. We follow an extensive process involving a thorough investigation, update development for all versions of affected products, and compatibility testing among other operating systems and applications. Ultimately, developing a security update is a delicate balance between timeliness and quality, while ensuring maximized customer protection with minimized customer disruption." Microsoft went on to say that the initial fix in June "mitigated the issue for the majority of customers" and "no customer action is required."

In a separate email, Yoran responded: "It now appears that it's either fixed, or we are blocked from testing. We don't know the fix, or mitigation, so hard to say if it's truly fixed, or Microsoft put a control in place like a firewall rule or ACL to block us. When we find vulns in other products, vendors usually inform us of the fix so we can validate it effectively. With Microsoft Azure that doesn't happen, so it's a black box, which is also part of the problem. The 'just trust us' lacks credibility when you have the current track record."

Google

Google Can Now Alert You When Your Private Contact Info Appears Online (theverge.com)

Google is making it a lot easier to find and remove your contact information from its search results. From a report: The company will now send out notifications when it finds your address, phone number, or email on the web, allowing you to review and request the removal of that information from Search. All this takes place from Google's "results about you" dashboard on mobile and web, which it first rolled out last September. With the update, you can find your information on Google without actually having to conduct the search yourself. Once you input your personal information, the dashboard will automatically pull up websites that contain any matches, letting you review each webpage it appears on and then submit a request to remove it.

Data Storage

Backblaze Probes Increased Annualized Failure Rate For Its 240,940 HDDs (arstechnica.com)

For over a decade, Backblaze's quarterly reports on the annualized failure rates (AFRs) of its substantial hard disk drives inventory have offered a peek into long-term storage utilization. The company, known for its backup and cloud storage services, has now disclosed data for the second quarter of 2023, revealing a fascinating rise in AFRs. ArsTechnica: Today's blog post details data for 240,940 HDDs that Backblaze uses for data storage around the world. There are 31 different models, and Backblaze's Andy Klein, who authored the blog, estimated in an email to Ars Technica that 15 percent of the HDDs in the dataset, including some of the 4, 6, and 8TB drives, are consumer-grade. The dataset doesn't include boot drives, drives in commission for testing purposes, or drive models for which Backblaze didn't have at least 60 units. One of the biggest revelations from examining the drives from April 1, 2023, through June 30, 2023, was an increase in AFR from Q1 2023 (1.54 percent) to Q2 2023 (2.28 percent). Backblaze's Q1 dataset examined 237,278 HDDs across 30 models. Of course, that AFR increase alone isn't enough to warrant any panic.

Since quarterly AFR numbers are "volatile," Klein told Ars Technica, Backblaze further evaluates both quarter-to-quarter and lifetime trends "to see if what happened was an anomaly or something more." So, Klein started digging further by grouping the drives by capacity. This is because, as Klein explained to Ars: "A Backblaze storage vault consists of 1,200 drives of the same size, with 60 drives in 20 storage servers. If we grouped the drives strictly by age and wanted to replace just the oldest drives in a given Backblaze vault, we would only replace those drives in the vault that met the old age criteria, not all the drives. Then, a year from now, we'd do it again, and the year after that, etc. By using the average age by drive size, we can, as appropriate, replace/upgrade all of the drives in a vault at once."

Microsoft

Microsoft Accidentally Leaks Internal Utility for Testing New Windows 11 Features (arstechnica.com)

An anonymous reader shares a report: When Microsoft releases new test builds of Windows, there are usually a handful of features that are announced but only actually enabled for a small subset of testers. Sometimes it's because the company is A/B testing a couple of different versions of the same thing or because Microsoft wants to roll out major changes to a few users before rolling them out to everyone. Users normally have little control over whether new features actually appear in their Windows beta installs, but Microsoft has internal software called StagingTool that its own developers can use to switch things on and off themselves.

And now StagingTool has leaked to the public, thanks to a "bug bash" the company is running this week to find and fix problems before the next big batch of new Windows features releases this fall. As reported by The Verge, some bug bash participants were sent on "quests" that explicitly mentioned using the StagingTool to turn on specific features. Those quests and the tool itself have since been removed from Microsoft's servers, but StagingTool is already being freely distributed among Windows enthusiasts who want more control over the features they see.

Printer

Canon Warns Printer Users To Manually Wipe Wi-Fi Settings Before Discarding

Printer manufacturer Canon is warning that sensitive Wi-Fi settings don't automatically get wiped during resets, so customers should manually delete them before selling, discarding, or getting them repaired to prevent the settings from falling into the wrong hands. From a report: "Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process," company officials wrote in an advisory on Monday. They went on to say that manual wiping should occur "when your printer may be in the hand of any third party, such as when repairing, lending or disposing the printer."

Like many printers these days, those from Canon connect to networks over Wi-Fi. To do this, users must provide the SSID name, the password preventing unauthorized access to the network, and in some cases, additional information such as Wi-Fi network type, the local network IP address, the MAC address, and network profile. It would be reasonable to assume that performing a simple factory reset that returns all settings to their defaults would be enough to remove these settings, but Monday's advisory indicated that isn't necessarily the case. In the event this information is exposed, malicious actors could use them to gain unauthorized access to a network hosting a Canon printer.

Encryption

Cult of Dead Cow Hacktivists Design Encryption System for Mobile Apps (washingtonpost.com)

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won't keep hold of users' personal data. From a report: The group, Cult of the Dead Cow, has developed a coding framework that can be used by app developers who are willing to embrace strong encryption and forsake revenue from advertising that is targeted to individuals based on detailed profiles gleaned from the data most apps now routinely collect. The team is building on the work of such free products as Signal, which offers strong encryption for text messages and voice calls, and Tor, which offers anonymous web surfing by routing traffic through a series of servers to disguise the location of the person conducting the search.

The latest effort, to be detailed at the massive annual Def Con hacking conference in Las Vegas next week, seeks to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments. Called Veilid, and pronounced vay-lid, the code can be used by developers to build applications for mobile devices or the web. Those apps will pass fully encrypted content to one another using the Veilid protocol, its developers say. As with the file-sharing software BitTorrent, which distributes different pieces of the same content simultaneously, the network will get faster as more devices join and share the load, the developers say. In such decentralized "peer-to-peer" networks, users download data from each other instead of from a central machine.

IT

Windows 11 Getting Multiple Monitor Refresh Rate Improvements (theverge.com)

Microsoft is making it a lot more convenient to use multiple high refresh rate monitors with Windows 11. From a report: The software giant has started testing a Windows 11 update that automatically adjusts refresh rates on multiple monitors depending on what content is being displayed, which should improve power usage and could even result in some GPUs spinning up their fans less often. "We have improved refresh rate logic to allow different refresh rates on different monitors, depending on the refresh rate for each monitor and content shown on the screen," explains Microsoft in a Windows Insider blog from last week. "This will help most with refresh rate-dependent multitasking, like playing a game and watching a video at the same time." If you have multiple monitors that support high refresh rates then running them at their full potential often increases the power draw of your GPU. Nvidia RTX 30- and 40-series Founders Edition cards also have a zero RPM mode, which will keep the fans at zero even when you're watching video content on a single monitor. If you add a second high refresh rate display, this often disables the zero RPM mode and means the GPU keeps its fans spinning if you have both monitors at high refresh rates.

IT

What Should Happen to Empty Downtown Office Spaces? (theguardian.com)

"A significant swath of our downtown office space is sitting empty," writes a columnist for the Guardian. "New York, Chicago, Atlanta, Los Angeles, Denver, Philadelphia, San Francisco, Houston, Dallas and other big cities are experiencing record-high office vacancies as workers keep working from home and companies keep letting them..." Some face-time is necessary but we're never going to go back to a 100% in-the-office policy, and companies that attempt this will lose talent to those that adapt to the shift. All this means that a substantial amount of square feet in all those tall office buildings in our major metropolitan areas are going to remain empty. The owners of these properties are already feeling the pressure of meeting higher debt maintenance with lower lease revenue, with many facing default. Countless small businesses in downtown areas facing significantly less traffic are closing their doors. And unless something is done, those empty buildings — after the banks have repossessed them from bankrupt borrowers — will become derelict, inviting even more crime and homelessness. It's already happening.

So what to do? The good news is that there are many opportunities for the entrepreneurial.

For example, existing office floors can be turned into less expensive single units for startups and incubators who want to boast a downtown address. Some buildings in cities with a vibrant and residential downtown — like Philadelphia — could be turned into residences. Others that are burdened with older, unsafe, non-air-conditioned school structures could convert this space into classrooms for students. Or perhaps all the homeless people sleeping on the streets outside of these empty structures could be given a warm place to stay with medical and counselling support?

With the continuing boom in e-commerce, warehouse space remains costly but could become more affordable — and logistically accessible — in a downtown structure. Manufacturing space could be more accommodating, with a better location making it easier to procure workers. Other alternatives for these buildings already being considered include vertical farming, storage facilities, gyms and movie sets. Or what about taking the red pill and merely knocking these buildings down and creating open spaces, parks, museums or structures that are more amenable to this new era of downtown life?

Security

Could NIST Delays Push Post-Quantum Security Products Into the Next Decade? (esecurityplanet.com)

Slashdot reader storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.

That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.

"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

And as encrypted data stolen now can be decrypted later, the potential for "harvest now, decrypt later" attacks "is a quantum computing security problem that's already here."

AMD

AMD 'Zenbleed' Bug Leaks Data From Zen 2 Ryzen, EPYC CPUs (tomshardware.com) 40

Monday a researcher with Google Information Security posted about a new vulnerability he independently found in AMD's Zen 2 processors. Tom's Hardware reports: The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via JavaScript on a webpage...

AMD added the AMD-SB-7008 Bulletin several hours later. AMD has patches ready for its EPYC 7002 'Rome' processors now, but it will not patch its consumer Zen 2 Ryzen 3000, 4000, and some 5000-series chips until November and December of this year... AMD hasn't given specific details of any performance impacts but did issue the following statement to Tom's Hardware: "Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment..."

AMD describes the exploit much more simply, saying, "Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information."

The article includes a list of the impacted processors with a schedule for the release of the updated firmware to OEMs.

The Google Information Security researcher who discovered the bug is sharing research on different CPU behaviors, and says the bug can be patched through software on multiple operating systems (e.g., "you can set the chicken bit DE_CFG[9]") — but this might result in a performance penalty.
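An added check, not code from the article, AMD or the researcher, that a Linux administrator could run to see whether the DE_CFG[9] workaround is active on each core; the MSR address 0xC0011029, the family-23 prefilter and the sample cpuinfo text are assumptions made here:

```python
import glob
import os
import re
import struct

# Assumed from AMD's MSR documentation and the public write-up; the article only names DE_CFG[9].
MSR_AMD64_DE_CFG = 0xC0011029
DE_CFG_ZENBLEED_FIX_BIT = 9
AMD_FAMILY_17H = 23  # Zen, Zen+ and Zen 2 all report family 23

# Constructed /proc/cpuinfo excerpt (sample data, not a real machine).
SAMPLE_CPUINFO = "vendor_id\t: AuthenticAMD\ncpu family\t: 23\nmodel\t\t: 113\n"


def _field(text, name):
    m = re.search(rf"^{re.escape(name)}\s*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def may_be_affected(cpuinfo_text):
    """Coarse prefilter: AMD family 23. Which models are Zen 2 is left to the
    vendor bulletin; this only decides whether the MSR check is worth running."""
    return (_field(cpuinfo_text, "vendor_id") == "AuthenticAMD"
            and _field(cpuinfo_text, "cpu family") == str(AMD_FAMILY_17H))


def zenbleed_mitigated(de_cfg):
    """True when DE_CFG[9] is set, i.e. the software workaround is active."""
    return bool((de_cfg >> DE_CFG_ZENBLEED_FIX_BIT) & 1)


def with_mitigation(de_cfg):
    """The value to write back so that only bit 9 changes; other bits are kept."""
    return de_cfg | (1 << DE_CFG_ZENBLEED_FIX_BIT)


def read_msr(cpu, msr):
    """Read one 64-bit MSR via /dev/cpu/N/msr (needs root and the msr module)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        return struct.unpack("<Q", os.pread(f.fileno(), 8, msr))[0]


def report():
    """Per-CPU mitigation status on a live Linux host; {} if /dev/cpu/*/msr is absent."""
    status = {}
    for path in glob.glob("/dev/cpu/*/msr"):
        cpu = int(path.split("/")[3])
        status[cpu] = zenbleed_mitigated(read_msr(cpu, MSR_AMD64_DE_CFG))
    return status
```

A patched kernel or firmware may already set the bit, so a `True` from `report()` does not by itself tell you which layer applied it.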

Thanks to long-time Slashdot reader waspleg for sharing the news.

Privacy

MOVEit Hackers Accessed Health Data of 'At Least' 8 Million Individuals (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: U.S. government services contracting giant Maximus has confirmed that hackers exploiting a vulnerability in MOVEit Transfer accessed the protected health information of as many as 11 million individuals. Virginia-based Maximus contracts with federal, state and local governments to manage and administer government-sponsored programs, such as Medicaid, Medicare, healthcare reform and welfare-to-work. In an 8-K filing on Wednesday, Maximus confirmed that the personal information of a "significant number" of individuals was accessed by hackers exploiting a zero-day vulnerability in MOVEit Transfer, which the organization uses to "share data with government customers pertaining to individuals who participate in various government programs."

While Maximus hasn't yet been able to confirm the exact number of individuals impacted -- something the company expects to take "several more weeks" -- the organization said it believes hackers accessed the personal data, including Social Security numbers and protected health information, of "at least" 8 to 11 million individuals. If the latter, this would make the breach the largest breach of healthcare data this year -- and the most significant data breach reported as a result of the MOVEit mass-hacks. Maximus has not confirmed which specific types of health data were accessed and has not responded to TechCrunch's questions. In its 8-K filing, the company said it began notifying impacted customers and federal and state regulators, adding that it expects the security incident to cost approximately $15 million to investigate and remediate. Clop, the Russia-linked data extortion group responsible for the MOVEit mass-hacks, claims to have stolen 169 gigabytes of data from Maximus, which it has not yet published.
The report notes that "more than 500 organizations have so far been impacted by the MOVEit mass-hacks, exposing the personal information of more than 34.5 million people."

Apple

Apple Cracking Down on 'Fingerprinting' With New App Store API Rules (engadget.com) 36

Apple will soon start cracking down on apps that collect data on users' devices in order to track them (aka "fingerprinting"), according to an article on its developer site. Engadget writes: Starting with the release of iOS 17, tvOS 17, watchOS 10 and macOS Sonoma, developers will be required to explain why they're using so-called required reason APIs. Apps failing to provide a valid reason will be rejected starting in spring of 2024. "Some APIs... have the potential of being misused to access device signals to try to identify the device or user, also known as fingerprinting. Regardless of whether a user gives your app permission to track, fingerprinting is not allowed," Apple wrote.

"To prevent the misuse of certain APIs that can be used to collect data about users' devices through fingerprinting, you'll need to declare the reasons for using these APIs in your app's privacy manifest." The new rules could increase the rate of app rejections, some developers told 9to5Mac. For instance, an API called UserDefaults falls into the "required reason" category, but since it stores user preferences, it's used by a lot of apps.
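An added example, not from Engadget or Apple, of a build-time check that a privacy manifest declares a reason for each required-reason API category the app uses; the manifest is a constructed sample, and the reason code CA92.1 (same-app access to UserDefaults) is assumed here to be the applicable one:

```python
import plistlib
import re

# Key names and the UserDefaults category are Apple's; the manifest below is a constructed sample.
API_TYPES_KEY = "NSPrivacyAccessedAPITypes"
API_TYPE_KEY = "NSPrivacyAccessedAPIType"
REASONS_KEY = "NSPrivacyAccessedAPITypeReasons"
USER_DEFAULTS = "NSPrivacyAccessedAPICategoryUserDefaults"
REASON_CODE = re.compile(r"[0-9A-F]{4}\.\d+")  # shape of Apple's reason codes, e.g. CA92.1

SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
  </array>
</dict>
</plist>"""


def declared_reasons(manifest_bytes):
    """Map each declared required-reason API category to its list of reason codes."""
    plist = plistlib.loads(manifest_bytes)
    out = {}
    for entry in plist.get(API_TYPES_KEY, []):
        out[entry.get(API_TYPE_KEY)] = list(entry.get(REASONS_KEY, []))
    return out


def undeclared(manifest_bytes, used_categories):
    """Categories the app uses that the manifest does not back with a well-formed reason.
    Failing the build on a non-empty result catches the omission before App Review does."""
    declared = declared_reasons(manifest_bytes)
    bad = []
    for cat in used_categories:
        reasons = declared.get(cat, [])
        if not reasons or not all(isinstance(r, str) and REASON_CODE.fullmatch(r) for r in reasons):
            bad.append(cat)
    return sorted(bad)
```

The list of categories an app actually uses would come from a source scan or the team's own inventory; the check only verifies that the manifest matches it.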
