US Hands Over Russian Cybercriminals in WSJ Reporter Prisoner Swap

If it seems like there are suddenly a whole lot more data breaches, you may be right. Part of this apparent spike is thanks to the growing popularity of infostealer malware. These types of malicious software are increasingly being used by cybercriminals to scoop up as many login credentials and other sensitive data as possible. That stolen data is then sold on criminal hacker forums, then used to break into victims’ accounts, which can include those of massive corporations. It’s a good reminder to always enable multi-factor authentication anywhere it’s available.

A security researcher this week disclosed the discovery of more than a dozen unsecured databases containing sensitive information on voters in counties across Illinois. The data, which was stored by a government contractor, includes driver’s license numbers, Social Security numbers, death certificates, and more. While election security has generally improved in recent years, the episode illuminates how difficult it can be to protect all voter data all the time.

The history of confidential FBI informants is long and sordid—and ongoing. A WIRED investigation published this week revealed how one informant infiltrated far-right groups and turned over their secrets to the Feds—all while pushing hateful ideologies that helped inspire a new generation of violent extremists online.

Hacking computers with lasers has always been a rich person’s game—until now. Security researchers Sam Beaumont and Larry “Patch” Trowell are releasing an open source laser hacking tool called RayV Lite, which can be produced for just $500, a tiny fraction of the $150,000 price tag of laser equipment historically used for hardware hacking. The pair will be detailing the RayV Lite at the Black Hat security conference next week in Las Vegas. (WIRED will be on the ground for Black Hat and Defcon, the other big security conference happening next week in Vegas, so check back for our full coverage starting on Tuesday.)

Finally, we dove into the fine print of OpenAI’s ChatGPT-4o to lay out the privacy wins and pitfalls of the generative AI tool.

But that’s not all. Each week, we round up the big security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

In a historic prisoner swap between the US and Russia, Wall Street Journal reporter Evan Gershkovich and former Marine Paul Whelan were freed from Russian detention on Thursday. The White House said the secret deal, negotiated for over a year, involved 24 prisoners: 16 moved from Russia to the West and eight from the West to Russia, including two cybercriminals. NBC News reports this is likely the first time the US has released international hackers in a prisoner exchange.

The two Russian hackers are Roman Seleznev and Vladislav Klyushin. Seleznev was sentenced in 2017 to 27 years in prison for racketeering convictions. According to the US Department of Justice, he installed malware on point-of-sale systems software that allowed him to steal millions of credit card numbers from more than 500 US businesses. In September 2023, Klyushin was sentenced to nine years in prison for what US prosecutors described as a “$93 million hack-to-trade conspiracy.”

Meta, the parent company of Facebook and Instagram, will pay $1.4 billion to settle a lawsuit brought by the Texas attorney general, whose office accused the social media behemoth of illegally capturing the biometric data of millions of Texans. In 2022, the state sued Meta over its implementation of a feature that used face recognition to automatically suggest people to tag in photos and videos uploaded to Facebook. Prosecutors say the feature, initially called Tag Suggestions, violated a Texas law that makes it illegal for companies to capture and profit from someone’s biometric identifiers without their consent. While Meta did not admit to any wrongdoing as part of the agreement, according to Texas attorney general Ken Paxton’s office, it’s the single largest privacy settlement ever obtained by a state.

A widespread Microsoft Azure outage that impacted a range of services—including Microsoft 365 products such as Office and Outlook—was caused by a cyberattack, the tech company revealed on Wednesday. According to Microsoft’s Azure status history page, the incident lasted approximately eight hours on Tuesday and affected “a subset” of customers globally.

The company described the attack as a distributed denial of service, a malicious attempt by hackers to disrupt a target company’s operations by overwhelming its infrastructure with a flood of internet traffic. According to PCMag, two hacktivist groups have claimed responsibility. Microsoft plans on publishing a review of the incident.