Cl0p’s Logitech Heist, WhatsApp’s 3.5B Leak, Meta’s $190M Settlement & SSA–DHS Data Sharing
Another week of Privacy Cracks across tech and government. This week's stories share a common thread: personal data is being exposed, weaponized, or repurposed across both private platforms and public agencies, from a claimed Cl0p exfiltration and WhatsApp enumeration to Meta's director settlement and Social Security's data sharing with DHS.
Logitech Hit in Cl0p-orchestrated Data Heist After Oracle E‑Business Zero‑Days
Logitech disclosed a cybersecurity incident after a third‑party zero‑day was exploited to copy data from its internal IT systems. The company says forensic investigators are probing the scope, and that the stolen data likely included limited employee, customer, and supplier records but not sensitive IDs or payment card data (those were stored elsewhere). Logitech reports the affected vendor has patched the vulnerability, expects no material financial impact, and anticipates its cybersecurity insurance will cover response costs. A security leader at a bug‑bounty firm cautioned that even breaches with limited financial exposure can still cause major reputational damage.
The Cl0p extortion group has claimed responsibility, listing Logitech on a dark‑web leak site, alleging roughly 1.8 TB of exfiltrated files, and attempting to extort the company after leaking some data. Security researchers link Cl0p’s campaign to zero‑day exploits against Oracle E‑Business Suite (reported CVEs in 2025), and note the group has targeted other high‑profile victims in the same campaign, including an airline subsidiary, major universities, and several large media and tech firms. A senior engineer at a security firm described the operation as technically advanced, underscoring that the group has matured into a threat actor capable of finding and weaponizing flaws before defenders are aware.
Meta Directors & Sucker-berg Agree to $190M Settlement and Board Reforms
Meta’s CEO and a group of current and former directors agreed to pay $190 million to resolve a shareholder derivative lawsuit alleging they harmed the company by permitting privacy violations. The settlement, announced in Delaware court, also requires changes to board policies covering director conduct, insider trading, and whistleblower protections. Plaintiffs had originally sought about $8 billion and argued directors failed to oversee a data‑harvesting scheme tied to the Cambridge Analytica scandal; the case was cut short before a long trial and several high‑profile witnesses would have testified. The payment will come from directors’ and officers’ liability insurance, and plaintiffs’ counsel will seek up to 30% of the fund plus roughly $4.8 million in expenses.
The deal is being framed as a significant enforcement of director oversight duties and is reported as one of the largest derivative settlements in Delaware. Critics note the settlement and related rulings have fueled debate about corporate governance in the state and whether Delaware courts are becoming more plaintiff‑friendly. The matter follows broader regulatory fallout from Cambridge Analytica, which led to a record $5 billion FTC fine and raised renewed scrutiny of how social platforms manage user data and executive accountability.
WhatsApp Enumeration Exposed 3.5 Billion Phone Numbers
Researchers at the University of Vienna showed that WhatsApp’s contact‑discovery feature could be abused to harvest 3.5 billion registered phone numbers and for many of those accounts also retrieve profile photos (about 57%) and profile text (about 29%). By automating checks against WhatsApp’s browser app, the team could query roughly 100 million numbers per hour; they warned Meta in April, deleted their copy of the dataset, and by October Meta implemented stricter rate‑limiting that appears to stop the mass‑enumeration method. Meta says messages remained protected by end‑to‑end encryption and found no evidence of malicious abuse, and it thanked the researchers for reporting the issue.
The finding revives warnings first raised in 2017: even "basic" public profile data can be collated at scale to build huge databases of personally identifiable information, which could be linked to photos or used with face recognition. Meta has argued that privacy settings limit exposure, but the researchers' country‑by‑country analysis showed that many users publicly expose profile data, and critics say existing anti‑scraping defenses were insufficient until this study forced stronger measures. The episode highlights the ongoing need for robust rate‑limiting and anti‑scraping protections on contact‑discovery endpoints.
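As an added illustration of the mitigation named above, here is a per-client limiter for a contact-discovery endpoint that caps hourly and burst lookup volume and flags range sweeps. This is example code written for this post, not Meta's or WhatsApp's implementation; the thresholds are constructed, and numbers are assumed to arrive as E.164 strings.

```python
from collections import deque

# Constructed policy values for this example (not WhatsApp's real limits).
HOURLY_LOOKUP_CAP = 5_000     # distinct numbers one client may check per hour
BURST_WINDOW_S = 60           # short window used for burst detection
BURST_CAP = 500               # lookups permitted inside the short window
SEQUENTIAL_RUN_FLAG = 50      # this many consecutive numbers in one batch = sweep

class ContactDiscoveryLimiter:
    """Sliding-window limiter for a contact-discovery ("is this number registered?") API.

    The research above reached ~100 million lookups per hour from one vantage point;
    the point of per-client accounting is that no single client can get anywhere
    near a numbering plan's size before being throttled.
    """
    def __init__(self):
        self._events = {}  # client_id -> deque of (timestamp, number), oldest first

    def _prune(self, q, now):
        # Drop events older than one hour so the hourly cap is a sliding window.
        while q and now - q[0][0] >= 3600:
            q.popleft()

    def check_batch(self, client_id, numbers, now):
        """Return (allowed, reason) for one address-book sync batch at time `now`."""
        q = self._events.setdefault(client_id, deque())
        self._prune(q, now)
        # Signal 1: a long run of consecutive numbers is a range sweep, not an
        # address book; real contact lists are sparse across the numbering plan.
        digits = sorted({int(n.lstrip("+")) for n in numbers})
        run, longest = 1, 1
        for a, b in zip(digits, digits[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= SEQUENTIAL_RUN_FLAG:
            return False, "sequential_range"
        # Signal 2: sliding hourly cap on distinct numbers checked.
        seen = {n for _, n in q}
        new = set(numbers) - seen
        if len(seen) + len(new) > HOURLY_LOOKUP_CAP:
            return False, "hourly_cap"
        # Signal 3: burst cap inside the short window.
        recent = sum(1 for t, _ in q if now - t < BURST_WINDOW_S)
        if recent + len(numbers) > BURST_CAP:
            return False, "burst"
        q.extend((now, n) for n in numbers)
        return True, "ok"
```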
SSA’s Quiet SORN: Social Security Data Recast to Track Immigrants
The Social Security Administration quietly updated a system of records notice (SORN) to confirm it is sharing "citizenship and immigration information" with DHS, formalizing a data‑pooling effort reporters say has been underway for months under a task force known as DOGE. The move ties SSA records into DHS's SAVE system and broader efforts to build a national citizenship database; civil‑liberties groups (including CREW and EPIC) have sued, arguing the belated disclosure violates the Privacy Act and that the public had no opportunity to weigh in. DHS defends SAVE as a tool for verifying voter eligibility, while SSA did not respond to requests for comment.
Legal and technical experts warn the change carries serious risks: the new notice appears to enable special indicator codes that can effectively deactivate a Social Security number without marking someone deceased, which a former acting SSA commissioner says could “cut off anyone’s financial life.” Because SSA data wasn’t collected to determine citizenship, cross‑agency matching is error‑prone and could wrongly block people from working, voting, or accessing services; critics also argue the statute cited by the government does not authorize unrestricted sharing, raising concerns about accuracy, due process, and unchecked expansion of surveillance.