EU's Age-Verification App Cracked in Under 2 Minutes — A Week of Major Security Failures

Europe's new age-verification app was exposed as a security disaster within hours of launch, while data breaches, DDoS attacks, and deepfake scandals shook the digital world.

By Sophia Bennett

Europe's Age-Verification App Exposed as a Security Disaster

The European Commission rolled out its much-anticipated free, open-source age-verification app this week — designed to confirm the ages of users accessing social networks and adult content websites. At Wednesday's press conference, European Commission President Ursula von der Leyen boldly declared that platforms now had "no more excuses" for failing to verify user ages. That confidence, however, was short-lived.

Within hours, security professionals had torn the app apart. Security consultant Paul Moore announced on X that he had uncovered multiple critical vulnerabilities — and exploited them in under two minutes. Among the most glaring flaws: the app reportedly stores a user-created PIN in a way that would allow an attacker to hijack someone's profile with minimal effort. White-hat hacker Baptiste Robert independently verified the vulnerability. Tagging von der Leyen directly, Moore issued a stark warning: "This product will be the catalyst for an enormous breach at some point. It's just a matter of time."

Major Data Breaches Hit Gyms and Hotels

Basic-Fit Confirms Breach Affecting Roughly One Million Members

Europe's largest gym chain, Basic-Fit, confirmed a significant data breach on Monday. Approximately one million customers had their bank details compromised, with around 200,000 members in the Netherlands alone directly affected. The stolen data reportedly includes banking information, full names, home and email addresses, phone numbers, and dates of birth. Members across Belgium, France, Germany, Luxembourg, and Spain were also impacted through a shared system used to track club visits. Basic-Fit stated that no passwords were exposed, noting the company does not store them.

Booking.com Acknowledges Suspicious Activity

Also on Monday, global travel reservation platform Booking.com confirmed that hackers may have accessed sensitive customer data, including names, email addresses, phone numbers, and booking details. The company told TechCrunch it "noticed some suspicious activity" and moved quickly to contain the situation. Posts from apparent customers on Reddit suggest the breach may have extended to everything users had shared with their accommodations. Booking.com declined to elaborate on the full scope of the breach but assured The Guardian that no financial information was compromised.

Bluesky Hit by Sophisticated DDoS Attack

Social media platform Bluesky experienced widespread disruptions on Thursday following a confirmed distributed denial-of-service (DDoS) attack. Chief Operations Officer Rose Wang stated the attack began around 8:40 PM ET on April 15 and triggered intermittent failures across feeds, notifications, and search functionality. The company confirmed no unauthorized access to user data occurred.

Interestingly, communities operating on the underlying AT Protocol — such as Blacksky — were unaffected. Blacksky reported a notable surge in migration requests over the following 12 hours as users explored alternatives. By Friday afternoon, the platform was reported as fully operational.

Deepfake Nudification Plaguing Schools Worldwide

A joint investigation by WIRED and Indicator has shed new light on the alarming global spread of AI-generated deepfake nude images targeting school-aged girls. By tracking publicly reported incidents involving so-called "nudify" technology, researchers identified more than 600 victims across 28 countries — all of them middle- and high-school-aged. The findings underscore the urgent need for stronger legal frameworks and platform accountability around nonconsensual AI-generated imagery.

Telegram Continues Hosting Sanctioned Criminal Marketplace

Despite the UK government sanctioning Xinbi Guarantee — a black-market platform linked to human trafficking and operating within Telegram — the messaging app reportedly continued to host the marketplace. Crypto-tracing firm Elliptic revealed that Xinbi processed an additional $505 million in transactions in the 19 days following the UK's sanctions designation. The platform had previously been identified as the largest online marketplace of its kind ever sanctioned.

AI Enters the Cybersecurity Arms Race

The artificial intelligence industry took a significant step into cybersecurity this week. Following Anthropic's disclosure of its new model, Mythos, which researchers flagged as a potential threat to existing security infrastructure, OpenAI announced its own cybersecurity initiative — introducing a dedicated strategy alongside a new model, GPT-5.4-Cyber. The moves signal a growing convergence between cutting-edge AI development and the increasingly complex cybersecurity landscape.

ICE Hired Agents Before Background Checks Were Completed

A Department of Homeland Security press release from January revealed that ICE brought on more than 12,000 officers and agents in under a year as part of an aggressive hiring expansion. However, an independent investigation by the Associated Press uncovered troubling gaps in the vetting process. Of 40 ICE agents reviewed, three had faced lawsuits tied to alleged misconduct in prior law enforcement roles, and several carried histories of unpaid debt. DHS acknowledged to the AP that some applicants had received conditional job offers and were permitted to begin work before their full background checks were finalized.

Russian Crypto Exchange Grinex Blames Foreign Intelligence After $13 Million Hack

Russian cryptocurrency exchange Grinex — widely reported to have assisted in circumventing international sanctions — announced Thursday it was suspending operations after a cyberattack resulted in the theft of over one billion rubles, equivalent to more than $13 million. In public statements, Grinex attributed the breach to the "special services" of an unnamed foreign nation, claiming the attack demonstrated resources and capabilities exclusive to hostile state actors. However, the company provided no concrete evidence to support these claims. Grinex had operated as the successor to Garantex, another sanctioned Russian exchange. According to Elliptic, both platforms share the same ownership and customer base — raising serious questions about the exchange's broader role in Russia's financial ecosystem.