negligent
Between April 18-20, 2026, Vercel suffered a data breach originating from a compromise of Context.ai, a third-party AI productivity tool. A Context.ai employee downloaded malware (Lumma Stealer), leading to credential theft and OAuth token compromise that gave attackers access to Vercel internal systems. Approximately 580 employee records, API keys, database credentials, source code, internal dashboards, and limited customer credentials were compromised. An attacker claiming to be 'ShinyHunters' demanded $2 million ransom. CEO Guillermo Rauch said the attack was 'significantly accelerated by AI.'
negligent
In March 2026, T-Mobile confirmed a data breach affecting 47.8 million people, including current, former, and prospective customers. Approximately 7.8 million current postpaid customer records and roughly 40 million former/prospective customer records were stolen, and 850,000 active prepaid customers had phone numbers and account PINs exposed. Exposed data included names, dates of birth, Social Security numbers, and driver's license/ID information. T-Mobile discovered the breach through an online forum post and shut down the leak.
$135.0M
A $135 million Google settlement received preliminary court approval on March 5, 2026, resolving class action allegations that Google unlawfully surveilled and collected private information from cellular data purchased by Android users. The settlement covers over 100 million Americans, with payouts of up to $100 per person. As part of the settlement, Google will be required to obtain users' affirmative consent before using cellular data.
On February 19, 2026, West Virginia AG JB McCuskey filed a consumer protection lawsuit alleging Apple allowed child sexual abuse materials (CSAM) to be stored and distributed on iCloud services. The lawsuit claims Apple 'prioritized user privacy over child safety for years' - Apple filed only 267 CSAM reports to the National Center for Missing and Exploited Children in 2023, compared to Google's 1.47 million reports. The state seeks statutory and punitive damages plus injunctive relief requiring Apple to implement effective CSAM detection.
negligent
A bug (CW1226324) allowed Microsoft Copilot Chat to read and summarize customers' confidential emails without permission for approximately four weeks (January 21 to mid-February 2026). Emails marked with confidentiality labels and protected by DLP policies were incorrectly processed across Word, Excel, and PowerPoint. Affected organizations included the UK's National Health Service. Microsoft did not disclose the number of affected customers or what data was accessed. This was the second trust boundary violation in eight months, following CVE-2025-32711 'EchoLeak' in June 2025 (CVSS 9.3).
$2.8M
On February 11, 2026, California AG Rob Bonta announced the largest CCPA settlement to date with Disney. The company's opt-out webform only stopped sharing through Disney's own ad platform while continuing to sell data to third-party ad-tech companies. Disney failed to provide in-app opt-out in streaming apps, ignored device-specific Global Privacy Control signals for logged-in users, and required bundle subscribers to opt out up to 10 separate times to fully stop data sharing.
On February 10, 2026, PayPal disclosed a data breach affecting approximately 100 PayPal Working Capital loan applicants due to a software coding error. Personal data including Social Security numbers, dates of birth, and business contact information was exposed from July 1 to December 13, 2025. Some customers experienced unauthorized transactions and received refunds. PayPal offered 2 years of free credit monitoring through Equifax.
In February 2026, Anthropic aired anti-OpenAI advertisements during the Super Bowl, criticizing OpenAI's announced plans to add 'Instagram-style' advertising to ChatGPT. The ads resulted in an 11% boost in Anthropic users. Sam Altman called the ads 'deceptive.' The rivalry escalated at the India AI Summit where Altman and Dario Amodei refused to hold hands during a group photo with PM Modi.
Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509, with a CVSS score of 7.8 out of 10.0. The vulnerability allows attackers to bypass document security checks and is being actively exploited in the wild via malicious files. The emergency patch was released outside Microsoft's normal Patch Tuesday schedule due to active exploitation.
Cisco released a patch for a critical vulnerability affecting its Unified Communications and WebEx products that allowed remote code execution. The vulnerability was actively exploited in the wild before the patch was released, representing a significant security risk to enterprise communications infrastructure.
Researchers demonstrated that Google's Gemini AI model could be tricked using prompt-injection attacks to leak private details about a user's calendar. The vulnerability allows malicious actors to extract sensitive personal information through carefully crafted prompts, highlighting security risks in AI systems with access to private user data.
negligent $68.0M
Google agreed to pay $68 million to settle class action claims that Google Assistant-enabled devices (Google Home, Nest Hub, Pixel phones) surreptitiously recorded users' private conversations without consent. The recordings occurred due to 'false accepts' — the device mistakenly activating and recording when no wake word was spoken. Final approval hearing is scheduled for March 19, 2026.
A January 2026 Citizen Lab report found Cellebrite equipment was used in at least seven cases to extract data from phones seized from activists and a journalist detained during pro-Palestinian protests in Jordan between late 2023 and mid-2025. None of the individuals consented to the searches. All four devices forensically analyzed showed Cellebrite product use in 2024-2025.
negligent
Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated it had detected a cybersecurity incident in which a threat actor exfiltrated certain documents from its corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.
Nike disclosed it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The incident involves a large volume of files taken from internal systems, which signals sustained access rather than a short-lived intrusion. The breach represents a significant compromise of Nike's internal systems and data.
$8.3M
Google settled allegations that apps in its 'Designed for Families' programme, meant to help parents find safe apps for children, were actually tracking children's data. The programme was supposed to certify apps as safe for kids, but the tracked apps violated children's privacy protections.
negligent
A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.
In January 2026, reporting revealed that ICE was using a Palantir-built tool called ELITE that taps Medicaid data to identify and arrest people for deportation. The tool maps potential targets and provides 'confidence scores' for individuals' current addresses. A data-sharing agreement between ICE and the Centers for Medicare and Medicaid Services gave ICE access to personal data of nearly 80 million Medicaid patients. The Electronic Frontier Foundation challenged the use of healthcare data for immigration enforcement, arguing patients never consented to their health-related information being repurposed for deportation.
Since 2020, Coinbase has published annual transparency reports detailing government and law enforcement requests for customer information. The 2025 report (covering October 2024 to September 2025) disclosed 12,716 requests, a 19% increase year-over-year, with approximately 53% originating outside the United States. The reports give customers data about the requests received and offer insight into global law enforcement and regulatory trends.
incidental
The US Federal Communications Commission designated DJI as a national security threat and banned its communications equipment from use in the United States in December 2025.