Hackers breached financial services firm Prosper, stealing the personal data of roughly 17.6 million people, including Social Security numbers, income details, and government IDs. "We have evidence that confidential, proprietary, and personal information, including Social Security Numbers, was obtained, including through unauthorized queries made on Company databases that store customer information and applicant data. We will be offering free credit monitoring as appropriate after we determine what data was affected," the company says. "The investigation is still in its very early stages, but resolving this incident is our top priority and we are committed to sharing additional information with our customers as appropriate." BleepingComputer reports: Prosper operates as a peer-to-peer lending marketplace that has helped over 2 million customers secure more than $30 billion in loans since its founding in 2005. As the company disclosed one month ago on a dedicated page, the breach was detected on September 2, but Prosper has yet to find evidence that the attackers gained access to customer accounts and funds.

However, the attackers stole data belonging to Prosper customers and loan applicants. The company hasn't shared what information was exposed beyond Social Security numbers because it's still investigating what data was affected. Prosper added that the security breach didn't impact its customer-facing operations and that it has reported the incident to relevant authorities and is collaborating with law enforcement to investigate the attack. [...] The stolen information also includes customers' names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details. Have I Been Pwned revealed the extent of the incident on Thursday.

The U.S. is awash with scam text messages. Officials say it has become a billion-dollar, highly sophisticated business benefiting criminals in China. From a report: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid traffic violations. The texts are ploys to get unsuspecting victims to fork over their credit-card details. The gangs behind the scams take advantage of this information to buy iPhones, gift cards, clothing and cosmetics.

Criminal organizations operating out of China, which investigators blame for the toll and postage messages, have used them to make more than $1 billion over the last three years, according to the Department of Homeland Security. Behind the con, investigators say, is a black market connecting foreign criminal networks to server farms that blast scam texts to victims. The scammers use phishing websites to collect credit-card information. They then find gig workers in the U.S. who will max out the stolen cards for a small fee. Making the fraud possible: an ingenious trick allowing criminals to install stolen card numbers in Google and Apple Wallets in Asia, then share the cards with the people in the U.S. making purchases half a world away.

Paxos mistakenly minted $300 trillion of PayPal's PYUSD stablecoin on Wednesday during an internal transfer. Within minutes, the company identified the error and burned the excess tokens. The transaction appeared on Etherscan, then was quietly reversed before any funds moved or users were harmed.

Paxos said there was no security breach and customer funds were safe. The amount exceeded all US dollars in circulation and surpassed the entire cryptocurrency market combined. Stablecoin issuers possess the power to create or delete billions in synthetic dollars instantly -- a capability that distinguishes them from Bitcoin transfers, which are irreversible. Tether mistakenly minted and burned $5 billion in USDT in 2019.

GrapheneOS, the privacy-focused Android fork once exclusive to Google Pixels, is partnering with a major Android OEM to bring its hardened, de-Googled OS to Snapdragon-powered flagship phones. Android Authority reports: Until now, GrapheneOS has been available only on Pixel phones, making Google's flagships popular among privacy enthusiasts, journalists, and, as a Spanish police report suggested earlier this year, even organized crime groups in Catalonia. But that Pixel exclusivity may end by 2026 or 2027. GrapheneOS revealed in a Reddit thread that it has been working with a "major Android OEM" since June 2025 to enable official support for "future versions of their existing models." These devices will reportedly use flagship Snapdragon chips, a notable shift from Google's in-house Tensor processors.

The project explained that only Pixels have met its strict security and update requirements so far. However, the new partnership suggests that another OEM is finally matching those standards. GrapheneOS also hinted that the mysterious partner's devices will be "priced similarly to Pixels" and available globally as part of the brand's standard lineup.

Boris Johnson's former adviser claims that China infiltrated a key UK government data-transfer network for years, compromising highly classified materials and prompting a Whitehall cover-up that prioritized Chinese investment over national security. The Times reports: Dominic Cummings, who served as a senior adviser to Boris Johnson, said that he and the then prime minister were informed about the breach in 2020 but that there had subsequently been a cover-up. He said he was warned at the time that disclosing some specific details of the breach would be a criminal offence. He claimed that the breach included some "Strap" material, which is the government term for the highest level of classified information.

The breach, which was confirmed by two other senior Whitehall sources, was said to have been connected to a Chinese-owned company involved in Britain's critical national infrastructure. Tom Tugendhat, a former Tory security minister, supported Cummings's account. Cummings said that he and Johnson were informed of the breach in the "bunker" of No 10 -- a reference to the secure room in Downing Street.

He told The Times: "The cabinet secretary said, 'We have to explain something; there's been a serious problem', and he talked through what this was. "And it was so bizarre that, not just Boris, a few people in the room were looking around like this -- 'Am I somehow misunderstanding what he's saying? Because it sounds f***ing crazy.'" He added: "What I'm saying is that some Strap stuff was compromised and vast amounts of data classified as extremely secret and extremely dangerous for any foreign entity to control was compromised. "Material from intelligence services. Material from the National Security Secretariat in the Cabinet Office. Things the government has to keep secret. If they're not secret, then there are very, very serious implications for it."

An anonymous reader quotes a report from BleepingComputer: U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.

F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products. BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide. [...]

F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance. To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.

Google is introducing new recovery tools that aim to make it less frustrating to regain access when you're locked out of your account. The Verge: Instead of answering security questions or entering a recovery email address, Google's new security features allow account holders to verify their identity using a linked mobile number, or trusted friends or family members.

The Recovery Contacts feature enables users to designate people to confirm their identity in order to regain access to accounts after getting hacked or losing their password or passkey. Google didn't specify how the verification process works, but says the feature provides "a simple and secure way to regain access when standard recovery methods fail." Recovery Contacts is available for eligible personal Google accounts, and can be found under the Security option in the account settings.

Roughly 200,000 Linux-based Framework laptops shipped with a signed UEFI shell command (mm) that can be abused to bypass Secure Boot protections -- allowing attackers to load persistent bootkits like BlackLotus or HybridPetya. Framework has begun patching affected models, though some fixes and DBX updates are still pending. BleepingComputer reports: According to firmware security company Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems. The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.

The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification. "This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads." The researchers also note that the attack can be automated via startup scripts to persist across reboots.

Longtime Slashdot reader Gadi Evron writes: Bruce Schneier and Barath Raghavan say agentic AI is already broken at the core. In their IEEE Security & Privacy essay, they argue that AI agents run on untrusted data, use unverified tools, and make decisions in hostile environments. Every part of the OODA loop (observe, orient, decide, act) is open to attack. Prompt injection, data poisoning, and tool misuse corrupt the system from the inside. The model's strength, treating all input as equal, also makes it exploitable. They call this the AI security trilemma: fast, smart, or secure. Pick two. Integrity isn't a feature you bolt on later. It has to be built in from the start. "Computer security has evolved over the decades," the authors wrote. "We addressed availability despite failures through replication and decentralization. We addressed confidentiality despite breaches using authenticated encryption. Now we need to address integrity despite corruption."

"Trustworthy AI agents require integrity because we can't build reliable systems on unreliable foundations. The question isn't whether we can add integrity to AI but whether the architecture permits integrity at all."

An anonymous reader quotes a report from Ars Technica: Today is the official end-of-support date for Microsoft's Windows 10. That doesn't mean these PCs will suddenly stop working, but if you don't take action, it does mean your PC has received its last regular security patches and that Microsoft is washing its hands of technical support. This end-of-support date comes about a decade after the initial release of Windows 10, which is typical for most Windows versions. But it comes just four years after Windows 10 was replaced by Windows 11, a version with stricter system requirements that left many older-but-still-functional PCs with no officially supported upgrade path. As a result, Windows 10 still runs on roughly 40 percent of the world's Windows PCs (or around a third of US-based PCs), according to StatCounter data.

But this end-of-support date also isn't set in stone. Home users with Windows 10 PCs can enroll in Microsoft's Extended Security Updates (ESU) program, which extends the support timeline by another year. [...] Home users can only get a one-year stay of execution for Windows 10, but IT administrators and other institutions with fleets of Windows 10 PCs can also pay for up to three years of ESUs, which is also roughly the amount of time users can expect new Microsoft Defender antivirus updates and updates for core apps like Microsoft Edge. Obviously, Microsoft's preferred upgrade path would be either an upgrade to Windows 11 for PCs that meet the requirements or an upgrade to a new PC that does support Windows 11. It's also still possible, at least for now, to install and run Windows 11 on unsupported PCs. Your day-to-day experience will generally be pretty good, though installing Microsoft's major yearly updates (like the upcoming Windows 11 25H2 update) can be a bit of a pain.

An anonymous reader quotes a report from The Register: Security researchers have resurrected a 12-year-old data-stealing attack on web browsers to pilfer sensitive info from Android devices. The attack, dubbed Pixnapping, has yet to be mitigated. Conceptually, it's the equivalent of a malicious Android app being able to screenshot other apps or websites. It allows a malicious Android application to access and leak information displayed in other Android apps or on websites. It can, for example, steal data displayed in apps like Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). It can even steal 2FA codes from Google Authenticator.

"First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering," explained [Alan Wang, a PhD candidate at UC Berkeley]. "Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content."

The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say. The researchers detail the attack in a paper (PDF) titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age."

The FCC has forced major U.S. online retailers to remove millions of listings for prohibited Chinese-made electronics, including products from Huawei, ZTE, Hikvision, and Dahua, citing national security risks. Reuters reports: FCC Chair Brendan Carr said in an interview [on Friday] that the items removed are either on a U.S. list of barred equipment or were not authorized by the agency, including items like home security cameras and smart watches from companies including Huawei, Hangzhou Hikvision, ZTE, and Dahua Technology Company. Carr said companies are putting new processes in place to prevent future prohibited items as a result of FCC oversight. "We're going to keep our efforts up," Carr said. The FCC issued a new national security notice reminding companies of prohibited items including video surveillance equipment. Carr said the items could allow China to "surveil Americans, disrupt communications networks and otherwise threaten U.S. national security."

"Dutch authorities have temporarily nationalized Nexperia, owned by Chinese company Wingtech, over fears of critical product unavailability," writes longtime Slashdot reader evil_aaronm. Reuters reports: The Hague invoked never-before-used powers under a Dutch law known as the "Availability of Goods Act." The decision led to a 10% fall in Wingtech's shares in Shanghai on Monday. The Dutch government will not take ownership of Nexperia, but it will now have the power to reverse or block management decisions it considers harmful. The company's regular production is continuing. [...] Wingtech called the Dutch government's intervention in Nexperia, once part of Dutch electronics group Philips, "excessive interference driven by geopolitical bias." Wingtech also alleged that non-Chinese Nexperia executives had tried to forcibly alter the company's equity structure through legal proceedings in a "cloaked power grab" on the company.

A copy of an Amsterdam commercial court ruling dated October 7 and seen by Reuters showed that the court decided on October 1 to suspend Wingtech CEO Zhang Xuezheng from his position as executive director at Nexperia after finding "well founded reasons to doubt" the company was pursuing correct management policy or actions under Dutch civil law. It appointed Dutch businessman Guido Dierick to take Zhang's position with a "deciding vote", and transferred control of almost all of Nexperia's shares to a Dutch lawyer for management. The Dutch state and the company's labour council had supported the moves, the document showed. [...]

In its statement, the Dutch government said that administrative problems at Nexperia posed a threat to the company's "crucial technological knowledge" without elaborating. "The loss of these capabilities could pose a risk to Dutch and European economic security," it said. Nexperia is one of the world's largest makers of simple computer chips such as diodes and transistors, though it also develops more advanced technologies such as "wide gap" semiconductors used in electrical settings and useful for electric cars, chargers and AI data centres. Wingtech said in a filing to the Shanghai stock exchange on Monday that its control over Nexperia would be temporarily restricted due to the Dutch order and court rulings, affecting decision making and operational efficiency.

"It's not just you: Flatpak flat-out doesn't work in the new Ubuntu 25.10 release," writes the blog OMG Ubuntu: While Flatpak itself can be installed using apt, trying to install Flatpaks with Flatpak from the command-line throws a "could not unmount revokefs-fuse filesystem" error, followed by "Child process exited with code 1". For those who've installed the Ubuntu 'Questing Quokka' and wanted to kit it out with their favourite software from Flathub, it's a frustrating road bump.

AppArmor, the tool that enforces Ubuntu's security policies for apps, is causing the issue. According to the bug report on Launchpad, the AppArmor profile for fusermount3 lacks the privileges it needs to work properly in Ubuntu 25.10. Fusermount3 is a tool Flatpak relies on to mount and unmount filesystems... This is a bug and it is being worked on. Although there's no timeframe for a fix, it is marked as critical, so will be prioritised.
The bug was reported in early September, but not fixed in time for this week's Ubuntu 25.10 release, reports Phoronix: Only [Friday] an updated AppArmor was pushed to the "questing-proposed" archive for testing. Since then... a number of users have reported that the updated AppArmor from the proposed archive will fix the Flatpak issues being observed. From all the reports so far it looks like that proposed update is in good shape for restoring Flatpak support on Ubuntu 25.10. The Ubuntu team is considering pushing out this update sooner than the typical seven day testing period given the severity of the issue.
More details from WebProNews: Industry insiders point out that AppArmor, Ubuntu's mandatory access control system, was tightened in this release to enhance security... This isn't the first time AppArmor has caused friction; similar issues plagued Telegram Flatpak apps in Ubuntu 24.04 LTS earlier this year, as noted in coverage from OMG Ubuntu.

The Register reports: Over the past two years, the open source curl project has been flooded with bogus bug reports generated by AI models. The deluge prompted project maintainer Daniel Stenberg to publish several blog posts about the issue in an effort to convince bug bounty hunters to show some restraint and not waste contributors' time with invalid issues. Shoddy AI-generated bug reports have been a problem not just for curl, but also for the Python community, Open Collective, and the Mesa Project.

It turns out the problem is people rather than technology. Last month, the curl project received dozens of potential issues from Joshua Rogers, a security researcher based in Poland. Rogers identified assorted bugs and vulnerabilities with the help of various AI scanning tools. And his reports were not only valid but appreciated. Stenberg in a Mastodon post last month remarked, "Actually truly awesome findings." In his mailing list update last week, Stenberg said, "most of them were tiny mistakes and nits in ordinary static code analyzer style, but they were still mistakes that we are better off having addressed. Several of the found issues were quite impressive findings...."

Stenberg told The Register that about 50 bugfixes based on Rogers' reports have been merged. "In my view, this list of issues achieved with the help of AI tooling shows that AI can be used for good," he said in an email. "Powerful tools in the hand of a clever human is certainly a good combination. It always was...!" Rogers wrote up a summary of the AI vulnerability scanning tools he tested. He concluded that these tools — Almanax, Corgea, ZeroPath, Gecko, and Amplify — are capable of finding real vulnerabilities in complex code.
The Register's conclusion? AI tools "when applied with human intelligence by someone with meaningful domain experience, can be quite helpful."

jantangring (Slashdot reader #79,804) has published an article on Stenberg's new position, including recently published comments from Stenberg that "It really looks like these new tools are finding problems that none of the old, established tools detect."

Cryptologist/CS professor Daniel J. Bernstein is alleging that America's National Security Agency is attempting to influence NIST post-quantum cryptography standards.

Bernstein first emphasizes that it's normal for post-quantum cryptography (or "PQ") to be part of "hybrid" security that also includes traditional pre-quantum cryptography. (Bernstein says this is important because since 2016, "We've seen many breaks of post-quantum proposals...")

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ." Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.
This seems to be a speculative scenario. But Bernstein is also concerned about how the Internet Engineering Task Force handled two drafts specifying post-quantum encryption mechanisms for TLS ("the security layer inside HTTPS and inside various other protocols"). For a draft suggesting "non-hybrid" encryption, there were 20 statements of support (plus 2 more only conditionally supporting it), but 7 more statements unequivocally opposing adoption, including one from Bernstein. The IETF has at times said they aim for "rough consensus" — or for "broad consensus" — but Bernstein insists 7 opposers in a field of 29 (24.13%) can't be said to match the legal definition of consensus (which is "general agreement"). "I've filed a formal complaint regarding the claim of consensus to adopt."

He's also written a second blog post analyzing the IETF's decision-making process in detail. "It's already bad that the IETF TLS working group adopted non-hybrid post-quantum encryption without official answers to the objections that were raised. It's much worse if the objections can't be raised in the first place."

Thanks to alanw (Slashdot reader #1,822) for spotting the blog posts.

I uploaded a photo on my phone to Microsoft's "OneDrive" file-hosting app — and there was a surprise waiting under Privacy and Permissions. "OneDrive uses AI to recognize faces in your photos..."

And...

"You can only turn off this setting 3 times a year."



If I moved the slidebar for that setting to the left (for "No"), it moved back to the right, and said "Something went wrong while updating this setting." (Apparently it's not one of those three times of the year.)

The feature is already rolling out to a limited number of users in a preview, a Microsoft publicist confirmed to Slashdot. (For the record, I don't remember signing up for this face-recognizing "preview".) But there's a link at the bottom of the screen for a "Microsoft Privacy Statement" that leads to a Microsoft support page, which says instead that "This feature is coming soon and is yet to be released." And in the next sentence it's been saying "Stay tuned for more updates" for almost two years...

A Microsoft publicist agreed to answer Slashdot's questions...

An anonymous reader quotes a report from Ars Technica: Bose will brick key features of its SoundTouch Wi-Fi speakers and soundbars soon. On Thursday, Bose informed customers that as of February 18, 2026, it will stop supporting the devices, and the devices' cloud-based features, including the companion app, will stop working. The SoundTouch app enabled numerous capabilities, including integrating music services, like Spotify and TuneIn, and the ability to program multiple speakers in different rooms to play the same audio simultaneously.

Bose has also said that some saved presets won't work and that users won't be able to change saved presets once the app is gone. Additionally, Bose will stop providing security updates for SoundTouch devices. The Framingham, Massachusetts-headquartered company noted to customers that the speakers will continue being able to play audio from a device connected via AUX or HDMI. Wireless playback will still work over Bluetooth; however, Bluetooth is known to introduce more latency than Wi-Fi connections. Affected customers can trade in their SoundTouch product for a credit worth up to $200.

In its notice sent to customers this week, Bose provided minimal explanation for end-of-life-ing its pricey SoundTouch speakers, saying: "Bose SoundTouch systems were introduced into the market in 2013. Technology has evolved since then, and we're no longer able to sustain the development and support of the cloud infrastructure that powers this older generation of products. We remain committed to creating new listening experiences for our customers built on modern technologies."

Apple is finalizing a deal to acquire the team and computer vision technology of Prompt AI. CNBC reports: Leadership at Prompt told employees of the pending transaction at an all-hands meeting on Thursday and said that those who don't end up joining Apple will be paid a reduced salary, and encouraged to apply for open roles at the company, according to audio that was accessed by CNBC.

Prompt was founded in 2023 and raised a $5 million seed round that year led by AIX and Abstract Ventures. Co-founders include CEO Tete Xiao, a notable AI researcher with a Phd in computer science from UC Berkeley, and President Trevor Darrell who was a founder of the Berkeley Artificial Intelligence Research (BAIR) lab. Investors will get paid some money in the deal but "won't be made whole," executives said in the meeting. Prompt employees were asked to refrain from mentioning Apple until further notice while searching for other jobs or updating friends and family on their situation.

Prompt's flagship app, Seemour, connects to home security cameras, adding sophisticated capabilities. The technology helps cameras detect specific people, pets and other animals or objects around a household, and to send alerts and text-based descriptions of unusual activity or answer questions about what's been happening in front of the camera. Xiao told employees at the meeting that while Prompt AI's technology and the Seemour app were working well, the business model wasn't. The company is retiring the Seemour app, and plans to inform users their data will be deleted and privacy protected, executives said.

A new HSBC survey shows that over half of wealthy entrepreneurs are considering moving abroad, not for tax reasons but for business expansion, investment access, and lifestyle improvements. Singapore tops the list of preferred destinations, followed by the UK, Japan, and Switzerland -- while the U.S. has slipped to fifth place. CNBC reports: The bank polled 2,939 business owners with at least $2 million in investible assets or a total net worth of $20 million during April and May of this year. A whopping 57% reported they were considering adding a new residence over the next 12 months, up from 55% in last year's survey. Wanderlust is greater among Gen Z entrepreneurs, with just over three-quarters in that cohort reporting they were considering a move.

When asked about their reasons for moving to a new country, only a third of all respondents cited tax efficiency as a motivator. Tax savings ranked eighth overall behind other factors such as improved security and safety (47%) and better education opportunities (52%). Respondents to the survey could select multiple options. The most popular motives at 67% each were to expand their business to new markets or to gain access to new investment opportunities. The desire for a better quality of life came in a close third at 63%. Taxes, the report said, "create acres of news coverage, but among the majority of our entrepreneurs, this does not appear to be the deciding factor about where to live."