Spill, with the IT Privacy and Security Weekly Update for the week ending Feb 17th, 2026
EP 279.
This week's update spills on a global scale. We start with...
A single misconfigured database just turned 8.7 billion Chinese records into a global reminder that at planetary scale, data protection failures stop being “incidents” and start looking like infrastructure risks.
A new class action against Lenovo puts a spotlight on how invisible trackers and cross-border data flows can turn an ordinary website visit into a quiet export of American browsing habits to China.
When Louis Vuitton, Dior, and Tiffany rack up multimillion-dollar privacy fines in South Korea, it sends a clear message: even the most glamorous brands pay dearly when customer data is treated carelessly.
The Instagram dataset circulating on underground forums shows how a trove of “just usernames and contact details” can still supercharge scams, phishing, and harassment at massive scale.
Dozens of AI-branded Chrome extensions masquerading as helpful assistants reveal how attackers now weaponize the GenAI buzz to sneak data exfiltration straight into your browser.
Apple’s fix for a ten-year-old iOS and macOS zero-day pulls back the curtain on a long-running hole likely exploited by commercial spyware against some of the world’s most high-value targets.
Meta's planned facial recognition for Ray-Ban smart glasses pushes the privacy debate from your screen to the street, raising uncomfortable questions about who gets to be identified, by whom, and when.
The rush to embed AI into every digital interaction is quietly reshaping advertising, turning your casual chats and searches into some of the richest targeting data the tech giants have ever seen.
Grab a towel and let's check the spill.
CN: 8.7 billion records spilled: Inside the massive Chinese data leak
Early in 2026, cybersecurity researchers discovered an unsecured database containing an astonishing 8.7 billion Chinese personal and corporate records.
The huge Elasticsearch cluster included everything from national ID numbers and addresses to account names, passwords, and social media identifiers.
The database had no security protections and stayed accessible on the public internet for more than three weeks.
During that time, automated tools or bad actors could have easily copied or scraped its contents.
The scale of exposed information placed this among the largest single data exposures ever detected, and its size suggests it was aggregated intentionally rather than being a single service's customer list.
Researchers noted the lack of an identifiable owner or operator for the cluster, and no public claim has been made acknowledging responsibility for securing or creating the dataset.
So what's the upshot for you?
It's not only in your country that data breaches are happening.
It's a global phenomenon.
US: US Lawyers Fire Up Privacy Class Action Accusing Lenovo of Bulk Data Transfers To China
A new privacy class action lawsuit Christy v. Lenovo (United States) Inc. was filed in early February 2026 in the U.S. District Court for the Northern District of California by plaintiff Spencer Christy.
The complaint alleges Lenovo's website uses a wide range of first- and third-party trackers, including those from TikTok, Facebook, Google, and Microsoft, to collect user data and send it to its parent company in China.
According to the suit, these tracking tools allegedly collect IP addresses, device metadata, full URLs, referring pages, and persistent identifiers such as cookies, mobile advertising IDs, IMEIs, MAC and SIM numbers.
The complaint asserts this pattern of data collection and transfer violates privacy expectations under U.S. law.
Lawyers for Christy allege the practice captures data from more than 100,000 U.S. persons, potentially affecting millions of visitors.
They argue the bulk transfer of such information to China could enable profiling or targeting of individuals in sensitive roles, including journalists, military personnel, politicians, and dissidents.
The lawsuit claims violations of the Electronic Communications Privacy Act and the Department of Justice's Bulk Data Transfer Rule, a regulation designed to prevent countries of concern from accessing sensitive U.S. personal data.
The complaint seeks class action status, damages, restitution, and legal remedies.
So what's the upshot for you?
Lenovo responded by calling the allegations false, asserting it complies with global data protection laws and maintains transparent, lawful data practices, but they have been here before.
In 2018, Lenovo settled for $7.3 million and entered a consent decree with the FTC and 32 states, regarding preinstalled Superfish spyware that intercepted user data and injected advertisements.
KR: Luxury brands fined billions for massive data leaks
South Korea's privacy watchdog has fined the Korean units of Louis Vuitton, Christian Dior, and Tiffany a combined 36 billion won (about $25 million) over serious customer data breaches.
The sanctions were imposed under the nation's Personal Information Protection Act after regulators found major security failures in how these luxury brands managed personal information.
Louis Vuitton Korea was hit with the biggest fine, about 21.4 billion won, after hackers accessed an employee device and exposed the data of roughly 3.6 million customers.
At Christian Dior Couture Korea, a voice phishing attack on a staff member allowed access to personal data for about 1.95 million users.
Investigators also found delayed breach detection and notification.
This led to a fine of around 12.23 billion won.
Tiffany Korea faced a similar phishing-driven breach affecting around 4,600 customers and was fined 2.4 billion won for weak access controls and late reporting.
So what's the upshot for you?
Regulators emphasized that reliance on software services does not reduce responsibility for protecting customer data, and these penalties clearly show that data protection lapses carry substantial financial consequences in global markets.
Global: A massive breach exposed data of 17.5M Instagram users
A dataset tied to approximately 17.5 million Instagram users has been circulating on underground forums, sparking global concern about privacy and security.
Cybersecurity researchers say the information includes usernames, contact details, and partial addresses, with some claiming it is being traded or shared online.
At the same time, many users worldwide received unsolicited password reset emails, fueling fears of a widespread breach.
The volume and timing of those messages alarmed account holders and raised speculation about compromised systems.
Instagram's owner, Meta, responded by saying there was no breach of its systems.
The company attributed the reset emails to an external issue that has since been fixed and said accounts remain secure.
Security experts note that even without exposed passwords, leaked usernames and contact details can enhance phishing, spoofing, and scam attempts.
So what's the upshot for you?
The presence of this dataset on the dark web suggests persistent privacy challenges for social platforms, but more importantly, for you.
Global: Malicious GenAI Chrome Extensions: Unpacking Data Exfiltration and Malicious Behaviours
A new cybersecurity study reveals a growing threat linked to AI-themed browser extensions.
Researchers analyzed more than 5,500 Chrome extensions marketed as AI or generative tools.
They found 341 extensions flagged as malicious, with 29 specifically exploiting the AI trend to harvest data or redirect users' web traffic without consent.
The investigation combined code inspection, network behavior monitoring, and domain reputation checks.
The team focused on real-world threats that mimic legitimate GenAI services to evade detection.
Examples include extensions posing as assistants or search tools that instead execute hidden, harmful actions.
Threat actors are leveraging the popularity of generative AI to lure users into installing compromised tools.
A subset of these extensions abuses browser APIs to conduct adversary-in-the-browser attacks, manipulate queries, and siphon sensitive data back to controlled servers.
So what's the upshot for you?
This work shows how quickly cyber threats adapt to emerging tech trends.
The malicious cases documented included impersonation, bait-and-switch updates, and query hijacking techniques that exploit user trust in AI branding.
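The study above combined code inspection with behavioural checks. As an added illustration (not code from the study or from any real extension), here is a defender-side triage script that scores a Chrome extension manifest for the traits the page calls out: traffic-interception permissions, site-wide host access, content scripts injected everywhere, and AI branding used as the lure. The two manifests are constructed samples, and the weights are assumptions for illustration.

```python
import json
import re

# Permissions that let an extension observe or rewrite traffic and page data
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "scripting", "history", "clipboardRead",
}
# Host patterns that grant access to every site the user visits
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AI_BRANDING = re.compile(r"\b(ai|gpt|chatgpt|gemini|assistant|copilot)\b", re.I)


def triage_manifest(manifest: dict) -> dict:
    """Score an MV3 extension manifest for data-access risk (weights are illustrative)."""
    findings, score = [], 0
    for perm in set(manifest.get("permissions", [])) & HIGH_RISK_PERMISSIONS:
        findings.append(f"permission {perm} can read or modify browsing data")
        score += 2
    hosts = set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("host_permissions grant access to every site")
        score += 3
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected into every page")
            score += 2
            break
    label = f"{manifest.get('name', '')} {manifest.get('description', '')}"
    if AI_BRANDING.search(label) and (hosts & BROAD_HOSTS):
        findings.append("AI-branded extension with site-wide access (lure pattern)")
        score += 1
    verdict = "review before install" if score >= 8 else "low" if score < 3 else "medium"
    return {"score": score, "verdict": verdict, "findings": sorted(findings)}


# Constructed sample manifests, not real extensions
SUSPICIOUS = json.loads("""{
  "manifest_version": 3, "name": "ChatGPT Quick Assistant",
  "description": "AI helper for any page",
  "permissions": ["webRequest", "webRequestBlocking", "tabs", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
  "background": {"service_worker": "bg.js"}
}""")
BENIGN = json.loads("""{
  "manifest_version": 3, "name": "Word Counter",
  "permissions": ["storage"], "host_permissions": []
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        print(m["name"], triage_manifest(m))
```

A manifest score only flags what an extension could do; the network monitoring and domain checks the study used are still needed to confirm what it actually does.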
Global: Apple Patches Decade-Old iOS Zero-Day, Possibly Exploited By Commercial Spyware
This week, Apple patched iOS and macOS against what it called an extremely sophisticated attack against specific targeted individuals.
Security Week reports that the bugs could be exploited for information exposure, denial-of-service (DoS), arbitrary file write, privilege escalation, network traffic interception, sandbox escape, and code execution.
Tracked as CVE-2026-20700, the zero-day flaw is described as a memory corruption issue that could be exploited for arbitrary code execution...
The tech giant also noted that the flaws' exploitation is linked to attacks involving CVE-2025-14174 and CVE-2025-43529, two zero-days patched in WebKit in December 2025...
The three zero-day bugs were identified by Apple's security team and Google's Threat Analysis Group, and their descriptions suggest that they might have been exploited by commercial spyware vendors...
Additional information is available on Apple's security updates page.
Brian Milbier, deputy CISO at Huntress, tells The Register that the dyld/WebKit patch closes a door that has been unlocked for over a decade.
So what's the upshot for you?
Of interest is that certain companies made millions because these zero-day exploits went undiscovered for the last 10 years.
They may have been used to plant spyware that compromised politicians, journalists, and literally anyone an authoritarian government felt was criticizing it.
Global: Meta Plans To Let Smart Glasses Identify People Through AI-Powered Facial Recognition
Meta plans to add facial recognition technology to its Ray-Ban smart glasses as soon as this year, the New York Times reported Friday, five years after the social giant shut down facial recognition on Facebook and promised to find the right balance for the controversial technology.
The feature, internally called Name Tag, would let wearers identify people and retrieve information about them through Meta's AI assistant, the report added.
An internal memo from May acknowledged that the feature carries safety and privacy risks and noted that political tumult in the United States would distract civil society groups that might otherwise criticize the launch.
The company is exploring restrictions that would prevent the glasses from functioning as a universal facial recognition tool, potentially limiting identification to people connected on Meta platforms or those with public accounts.
So what's the upshot for you?
The big issue here is protecting children.
Meta's AI doesn't know it's filming children until it has already filmed them and identified them as under 18, and by then, the law has already been broken.
Time to get the COVID masks out again?
Global: Will Tech Giants Just Use AI Interactions to Create More Effective Ads?
Google never asked its users before adding AI Overviews to its search results and AI-generated email summaries to Gmail, notes the New York Times.
And Meta didn't ask before making Meta AI an unremovable part of its tools in Instagram, WhatsApp, and Messenger.
The insistence on AI everywhere, with little or no option to turn it off, raises an important question about what's in it for the internet companies...
Behind the scenes, the companies are laying the groundwork for a digital advertising economy that could drive the future of the internet.
The underlying technology that enables chatbots to write essays and generate pictures for consumers is being used by advertisers to find people to target and automatically tailor ads and discounts to them....
Last month, OpenAI said it would begin showing ads in the free version of ChatGPT based on what people were asking the chatbot and what they had looked for in the past.
In response, a Google executive mocked OpenAI, adding that Google had no plans to show ads inside its Gemini chatbot.
What he didn't mention, however, was that Google, whose profits are largely derived from online ads, shows advertising on Google.com based on user interactions with the AI chatbot built into its search engine.
For the past six years, as regulators have cracked down on data privacy, the tech giants and online ad industry have moved away from tracking people's activities across mobile apps and websites to determine what ads to show them.
Companies, including Meta and Google, had to come up with methods to target people with relevant ads without sharing users' personal data with third-party marketers.
When ChatGPT and other AI chatbots emerged about four years ago, the companies saw an opportunity: The conversational interface of a chatty companion encouraged users to voluntarily share data about themselves, such as their hobbies, health conditions, and products they were shopping for.
The strategy already appears to be working.
Web search queries are up industrywide, including for Google and Bing, which have been incorporating AI chatbots into their search tools.
That's in large part because people prod chatbot-powered search engines with more questions and follow-up requests, revealing their intentions and interests much more explicitly than when they typed a few keywords for a traditional internet search.
So what's the upshot for you?
There's no getting away from it.
AI is going to stay in your face.
It's great while it is a novelty or even a useful tool, but add in some revenue generation, sprinkle in some new biases, and you've got something as useless as Google search became (think back a couple of years).
So to wrap up, or better, wipe up, this week's spill contained:
An exposed Chinese database left 8.7 billion personal and corporate records open to anyone for weeks, likely enabling massive copying or aggregation by unknown parties. It underlines how a single misconfigured system can become a global risk event, not just a local breach.
Lenovo is facing a U.S. class action alleging its website quietly used trackers to funnel detailed visitor data to China in violation of privacy expectations and federal rules. The case tests how far regulators and courts will go to rein in opaque data sharing hidden inside everyday web sessions.
South Korea hammered Louis Vuitton, Dior, and Tiffany with roughly $25 million in fines after breaches tied to phishing and weak controls exposed millions of customer records. The penalties show that regulators increasingly expect even prestige brands to treat security as a core obligation, not an afterthought.
A dataset linked to about 17.5 million Instagram users is circulating on underground forums, even as Meta insists its own systems were not breached. The incident highlights how “just” contact details and usernames can still fuel phishing, impersonation, and social scams at scale.
Researchers found hundreds of AI-themed Chrome extensions behaving maliciously, with some abusing their permissions to siphon data and hijack browsing traffic. It’s a reminder that installing “smart” helpers in your browser can quietly hand attackers the keys to everything you do online.
Apple closed a memory-corruption flaw that appears to have been exploitable for over a decade and may have powered commercial spyware campaigns against highly targeted users. The long-lived bug shows how lucrative and enduring zero-days can be when they hide in widely deployed platforms.
Meta’s planned Name Tag feature would let Ray-Ban smart glasses identify people via facial recognition, with internal documents acknowledging serious safety and privacy risks. The proposal raises hard questions about consent, bystander surveillance, and how easily children and other vulnerable groups could be swept into always-on recognition systems.
Tech giants are weaving AI into search, messaging, and assistants in ways that encourage users to reveal more about their lives, preferences, and intentions. Those intimate interactions are fast becoming premium fuel for hyper-targeted advertising, even when users never explicitly agreed to be part of that bargain.
And our quote of the week, from William Shakespeare's Hamlet, spoken by Queen Gertrude in Act 4, Scene 5: "So full of artless jealousy is guilt, It spills itself in fearing to be spilt."
That’s it for this week. Stay safe, stay secure, pour with a steady hand, and we’ll see you in seven.