Posts with «company legal & law matters» label

UK police charge two teens in connection with Lapsus$ hacking group case

After arresting seven alleged members of the hacking group Lapsus$ last week, London police have charged two of them with multiple computer crimes. The teenagers, aged 16 and 17, remain in police custody in connection with the investigation.

"Both teenagers have been charged with: three counts of unauthorized access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data," the City of London Police said in a news release. "The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorized access to a program. They will both appear at Highbury Corner Magistrates Court this morning (April 1st)."

Lapsus$ claimed to have downloaded 37GB of Microsoft source code for key products like Bing and Cortana, along with mobile apps. They also reportedly compromised the security system of MFA company Okta, forcing the company to admit that it made a mistake in the way it handled the attack. 

One of the teens arrested was reportedly a 16-year-old Oxford resident known as "Breachbase" or "White," who has supposedly made the equivalent of $14 million in Bitcoin. London police have not released any names, however, noting that the people charged are juveniles and that reporting any identifying information about them is prohibited.

Apple, Facebook and Discord reportedly gave user data to hackers posing as law enforcement

Apple, Facebook and Discord turned over user data to hackers posing as law enforcement officials, according to a new report in Bloomberg. The demands, which were forged to look like authentic legal requests, reportedly came from legitimate email accounts that had been “compromised.”

According to Bloomberg, both Facebook and Apple turned over “basic subscriber details, such as a customer’s address, phone number and IP address.” Discord provided “the Internet address history of Discord accounts tied to a specific phone number,” according to Krebs on Security. The hackers also targeted Snap, though it’s not clear if the company actually turned over the requested data.

As Bloomberg points out, it’s not uncommon for companies like Apple and Facebook to turn over data to law enforcement, and these companies have dedicated teams to respond to such requests. Typically, these requests are accompanied by a court order, but there are “emergency” cases when law enforcement asks for data without one, like when someone’s life is believed to be in danger.

In this case, the hackers exploited this tactic in order to access personal information about specific targets in order to “facilitate financial fraud schemes.” Using hacked emails tied to legitimate law enforcement personnel, they were able to successfully fool the companies into handing over the data.

In a statement to Bloomberg, Meta spokesperson Andy Stone said that the company has safeguards in place to verify legal requests and detect abuse. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case,” Stone said.

Apple and Snap also pointed to company guidelines, saying they have policies to verify the legitimacy of requests for user data. But these safeguards can fall short if the requests appear to come from email accounts associated with legitimate law enforcement agencies. As Discord told Krebs on Security:

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies. We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Interestingly, security researchers have reportedly tied some of the people involved in this scheme to another high-profile hacking group: Lapsus$, whose members allegedly hacked Microsoft and Okta. According to Bloomberg, one person involved with forging the requests is also “believed to be the mastermind behind the cybercrime group Lapsus$.”

Former DeepMind employee accuses company of mishandling sexual abuse complaint

A former DeepMind employee has accused the company of mishandling a series of serious sexual harassment allegations. In a report published Wednesday, The Financial Times recounts the experience of a former female staff member who alleges she was sexually assaulted twice by a senior researcher at the Google subsidiary. She says her harasser also sent her multiple traumatic documents, including one where he made allusions to raping unconscious women.

DeepMind eventually dismissed the researcher, but not before it subjected his victim to a disciplinary process she argues showed major flaws in how the company handles such incidents. All told, it reportedly took DeepMind seven months to address the complaint, and only did so after the former employee filed an appeal. It then allegedly took another two months before the company finally dismissed her harasser in September 2020.

During that period, the former employee was told she would face “disciplinary” action if she talked about her complaint with colleagues. She was advised not to visit the office where her harasser worked, but her manager, not knowing the full scope of the complaint, repeatedly pushed her to attend meetings at that same building. According to The Times, DeepMind did not place any restrictions on the alleged perpetrator, a claim the company disputes. 

A spokesperson for DeepMind said the firm told the researcher not to contact the staff member in September 2019. The company also disputes a claim the researcher received an award for their work during the time they were being investigated by the company. DeepMind says the award was one meant for the team the alleged perpetrator worked for and was related to a historic research paper.

“According to your own findings, I was subjected to sexual harassment, assault and abuse… I will never be the same person. I have spent almost the entire last year fearing for my safety. There is absolutely… no reason why the investigation was so dysfunctional,” the former employee said in an August 2020 email to DeepMind’s senior leadership.

“Any incident of sexual assault or harassment is abhorrent. DeepMind takes all allegations of workplace misconduct extremely seriously and we place our employees’ safety at the core of any actions we take,” DeepMind told Engadget. “The allegations were investigated thoroughly, and the individual who was investigated for misconduct was dismissed without any severance payments.”

Following the incident, DeepMind told Engadget it implemented a series of policies to change how it investigates such matters. Among other changes, the company says it now communicates more clearly how employees should go about raising concerns, and that it has a better system in place to support workers who complain of harassment and discrimination. It also told The Times it “regrets” the former staff member was provided with “incorrect guidance around breaking confidentiality.”

Apple faces €5.5 billion lawsuit from Netherlands over its app store

A Dutch foundation has hit Apple with a lawsuit over the App Store’s developer fees, seeking €5.5 billion in damages for what it alleges is monopolistic behavior. In a press release, the Dutch Consumer Competition Claims Foundation stated it was filing a "collective claim" for damages on behalf of any iPhone or iPad owners in the EU who have downloaded a paid app or made purchases within an app.

Suing Apple for its app store policies on behalf of consumers — instead of developers — might seem like an unusual move on the Dutch foundation’s part. Most of the scrutiny over the tech giant’s so-called “Apple tax” has focused on its deleterious impact on the profits of developers. Just this past January, Apple agreed to a $100 million settlement of a class-action lawsuit brought by US developers.

The Consumer Competition Claims Foundation alleges that Apple’s developer fees were passed on to consumers, in the form of higher prices. “App developers are forced to pass on to consumers the increased costs caused by Apple’s monopolistic practices and unfair terms,” wrote the foundation in its press release.

The foundation is asking EU consumers who purchased an app in Apple’s App Store or made an in-app purchase since September 2009 to join its complaint. The lawsuit is set to be filed in the Amsterdam District Court.

This isn’t the first time Apple is taking heat from Dutch authorities. Apple has yet to comply with a January order from Dutch regulators that requires the company to offer third-party payment options for dating app customers. The Netherlands Authority for Consumers and Markets (ACM) is fining Apple €5 million for every week it doesn’t follow through with the order. Dutch regulators have already fined Apple more than €50 million and counting. 

But according to TechCrunch, there’s a sign of a potential compromise. Apple is working on an amended proposal of its dating app policy, which will be reviewed by ACM. But even if the two parties reach a consensus, Apple will soon have much larger battles to fight in the EU. The EU is working on finalizing the Digital Markets Act, which will (among a number of other measures targeting anti-competitive behavior) require companies like Apple and Google to allow alternatives for in-app payments.

Bungie lawsuit aims to unmask YouTube copyright claim abusers

YouTube's copyright claim system has been repeatedly abused for bogus takedown requests, and Bungie has had enough. TorrentFreak reports the game studio has sued 10 anonymous people for allegedly leveling false Digital Millennium Copyright Act (DMCA) claims against a host of Destiny 2 creators on YouTube, and even Bungie itself. The company said the culprits took advantage of a "hole" in YouTube's DMCA security that let anyone claim to represent a rights holder, effectively letting "any person, anywhere" misuse the system to suit their own ends.

According to Bungie, the perpetrators created a Gmail account in mid-March that was intended to mimic the developer's copyright partner CSC. They then issued DMCA takedown notices while falsely claiming to represent Bungie, and even tried to fool creators with another account that insisted the first was fraudulent. YouTube didn't notice the fake credentials and slapped video producers with copyright strikes, even forcing users to remove videos if they wanted to avoid bans.

YouTube removed the strikes, suspended the Gmail accounts and otherwise let creators recover, but not before Bungie struggled with what it called a "circular loop" of support. The firm said it only broke the cycle by having its Global Finance Director email key Google personnel, and Google still "would not share" info to identify the fraudsters. Bungie hoped a DMCA subpoena and other measures would help identify the attackers and punish them, including damages that could reach $150,000 for each false takedown notice.

We've asked Google for comment. The lawsuit won't force YouTube to reform its DMCA system, but Bungie is clearly hoping this will add some pressure. As it is, the company believes the fake takedown requests did lasting damage by creating a "chilling effect" for Destiny's YouTube stars (who were afraid to post new videos) and damaging the community at large.

Activision Blizzard agrees to pay $18 million to settle its federal sexual harassment case

A judge has ordered Activision Blizzard to pay $18 million to settle a federal lawsuit accusing the company of fostering a sexist, discriminatory workplace. The US Equal Employment Opportunity Commission filed the suit in September and that same afternoon, Activision Blizzard agreed to set up an $18 million fund for employees who experienced sexual harassment and gender-based discrimination at the studio. Today's ruling approves this plan.

The fund will be distributed among people who worked at Activision Blizzard from September 1st, 2016, to today. Eligible employees and former employees have to opt in to receive a payout, and they can submit claims relating to sexual harassment, pregnancy discrimination and retaliation.

Today's ruling isn't the end of the legal issues for Activision Blizzard, and it may even complicate efforts still underway by other agencies. California's Department of Fair Employment and Housing first sued the studio in July 2021 following a two-year investigation into allegations that sexism, gender-based harassment and a "frat boy culture" pervaded the Activision Blizzard offices. That state-level lawsuit is still in progress, while the $18 million ruling today applies only to the federal case filed by the EEOC.

Anyone who signs on as a claimant in the EEOC suit will not be eligible to participate in the state's case, at least when it comes to harassment, retaliation or pregnancy discrimination. If they have additional claims, such as pay inequities, they can bring those to the DFEH lawsuit.

The DFEH and EEOC have been battling for dominance with their lawsuits against Activision Blizzard. Lawyers for the California agency have expressed concern that a federal settlement might prevent them from pursuing additional damages at a state level. The DFEH case is scheduled to go to trial in February 2023.

"The DFEH will continue to vigorously prosecute its action against Activision in California state court,” spokesperson Fahizah Alim said last week.

Additionally, the DFEH, activists and Activision Blizzard employees have argued the $18 million figure is far too low to properly compensate all potential claimants, which could add up to hundreds of people. Communications Workers of America, the labor union backing Activision Blizzard employees during this time, called the sum "woefully inadequate" in a letter to the EEOC in October.

"This would provide the maximum settlement for only 60 workers," the CWA letter reads. "If any significant number of workers received the maximum under federal law, there would be little available for many other workers adversely affected. We are concerned about how the EEOC got to that number and how it believes that number will be fairly distributed. Please explain."

California's DFEH fought against a similar ruling in the case of Riot Games. Following a 2018 class-action lawsuit claiming rampant sexual harassment and discrimination at the studio, Riot was originally ordered to pay $10 million to claimants. The DFEH blocked that payout, arguing it was much too small, and the amount was eventually increased to $100 million.

A spokesperson for the EEOC provided the following statement to Engadget following today's federal ruling: "We are pleased that the judge has indicated her intent to sign the consent decree. The consent decree not only provides monetary relief to potential claimants that were impacted by sexual harassment, pregnancy discrimination and related retaliation at Activision Blizzard throughout the United States, but also puts in place significant injunctive relief at Activision Blizzard to prevent and address discrimination, harassment, and retaliation."

Apple and Google close loophole that allowed Russians to use Mir cards for mobile payments

Apple has closed a loophole that had allowed some Russians to continue using its mobile payments service despite the ongoing economic sanctions against Russia. According to Reuters, the company told the country's largest lender on Thursday it would no longer support Russia's homegrown Mir payments system through Apple Pay.

"Apple has informed NSPK it is suspending support for Mir cards in the Apple Pay payment service," the National Card Payment System said Friday. "Starting from March 24th, users cannot add new Mir cards to the service. Apple will stop all operations of previously added cards over the next few days."

Google took similar action last week as well. According to a separate report from The Wall Street Journal, the company paused a pilot that had allowed Russians to connect their Mir cards to Google Pay. "Google Pay is pausing payments-related services in Russia as a result of payment services disruption out of our control," a Google spokesperson told the outlet.

As The Verge notes, the Central Bank of Russia established Mir after the US and other countries imposed sanctions on Russia in response to its annexation of Crimea in 2014. According to statistics shared by the Central Bank, Mir cards are involved in more than 25 percent of all card transactions within the country. Previously, cards from major Russian financial institutions like VTB Group and Sovcombank stopped working with Apple Pay and Google Pay shortly after the Kremlin launched its invasion of Ukraine on February 24th.

European Union reaches provisional agreement on antitrust law targeting tech giants

The European Union has reached an agreement to adopt the Digital Markets Act (DMA), a sweeping antitrust law meant to rein in Apple, Google, Meta and other tech giants. Lawmakers reached a “provisional” agreement on the law Thursday, following hours of negotiations, the European Parliament wrote in a statement.

The law could have far-reaching implications, some of which could extend beyond Europe. Most notably, one of the primary provisions of the DMA is that messaging providers would need to make their services interoperable with other services. “EU lawmakers agreed that the largest messaging services (such as Whatsapp, Facebook Messenger or iMessage) will have to open up and interoperate with smaller messaging platforms, if they so request,” the EU Parliament said following the agreement.

It’s unclear for now if this requirement would also apply to interoperability between the large messaging platforms themselves. Parliament wrote that the interoperability provisions for social networks “will be assessed in the future.”

We have a deal on #DMA! Last trilogue with @Europarl_EN and @EUCouncil ended with a good, strong agreement.
Tune into our press conference tomorrow 8:45 😊 pic.twitter.com/krHHsOqG8u

— Margrethe Vestager (@vestager) March 24, 2022

In a statement, an Apple spokesperson said the company was "concerned" about some aspects of the law. "We remain concerned that some provisions of the DMA will create unnecessary privacy and security vulnerabilities for our users while others will prohibit us from charging for intellectual property in which we invest a great deal," the spokesperson said. "We believe deeply in competition and in creating thriving competitive markets around the world, and we will continue to work with stakeholders throughout Europe in the hopes of mitigating these vulnerabilities.”

Meta didn't immediately respond to a request for comment.

The DMA also prohibits companies from “combining personal data for targeted advertising” without explicit consent, a move that could limit Meta and others’ ability to serve targeted ads to users. As The New York Times points out, there are still many questions about how European lawmakers will enforce these new rules and the companies in question are likely to raise legal challenges.

Earlier proposals of the law also included provisions that would change how Apple and Google run their app stores. Under the proposed rules, Apple would have to allow users to install apps from other stores, and both Apple and Google would be required to allow developers to bypass the companies' storefronts and use their own billing. It’s unclear if those provisions were included in the latest agreement. The European Parliament will hold a press conference Friday, when it is expected to share more details.

Ex-TikTok moderators sue over 'emotional distress' from disturbing videos

Two former TikTok moderators filed a federal lawsuit seeking class-action status today against the platform and parent company Bytedance, reported NPR. The plaintiffs, Ashley Velez and Reece Young, worked for the social video platform last year as contractors. To fulfill their role as moderators, they witnessed “many acts of extreme and graphic violence”, including murder, bestiality, necrophilia and other disturbing images. The lawsuit accuses TikTok of negligence and violating labor laws in California, the state where the platform's US operations are based.

Both plaintiffs said they were tasked with viewing hours of disturbing footage, often working 12-hour days. They both paid for counseling out-of-pocket in order to deal with the psychological toll of the job. The lawsuit accuses TikTok of imposing high “productivity standards” on moderators, which forced them to watch large volumes of disturbing content without a break. Both employees were also forced to sign non-disclosure agreements as a condition of their employment.

"We would see death and graphic, graphic pornography. I would see nude underage children every day," Velez told NPR. "I would see people get shot in the face, and another video of a kid getting beaten made me cry for two hours straight."

Moderators at Facebook and other platforms have spoken out in the past about the severe psychological toll of their jobs. Employees have alleged they're given a short period of time, usually only seconds, to determine whether a video violates the platform’s policies. The job has often been called “the worst job in technology," and workers regularly suffer from depression, PTSD-like symptoms and suicidal ideation. In a 2020 settlement, Facebook paid over $52 million to a group of former moderators who said they developed PTSD from the job.

This is not the first lawsuit of this type for TikTok, which currently has a base of 10,000 content moderators worldwide. Last December another content moderator for TikTok also sued the platform for negligence and violating workplace safety standards. According to NPR, the lawsuit was dropped last month after the plaintiff was fired.

Activision Blizzard faces another lawsuit over sexual harassment

Activision has been served another lawsuit over harassment at the company. As Bloomberg Law and Game Developer report, an anonymous woman still working at Activision Blizzard has sued the game developer in a Los Angeles court for allegedly enabling sexual harassment and discrimination. The company also retaliated against her when she shared her experiences at a December 2021 press conference, according to the complaint.

As with past suits, the woman accused Activision Blizzard of routinely allowing misconduct. The senior administrative assistant in IT was reportedly pressured to join in "cube crawls" where women were harassed and groped, and was told to tolerate unwanted sexual advances and excessive drinking. She was also asked to keep her complaints private, according to the suit, and supposedly faced an increasingly hostile workplace the more she spoke out.

The plaintiff said she applied for positions elsewhere in the company to avoid sexism in IT, and wrote to president Allen Brack (who stepped down in August 2021 as the scandal grew) about the problems. She was offered and took a lower-paying role elsewhere in the company, but noted that her application for an executive assistant job was rejected in December that year, shortly after she'd applied in November.

In the lawsuit, the woman demands damages that include lost earnings and medical expenses. She also asks for functional reforms, including the ouster of CEO Bobby Kotick, a rotating human resources team (to prevent conflicts of interest) and the use of a neutral firm to investigate incidents.

We've asked Activision Blizzard for comment. The company has used some measures to address harassment and discrimination complaints, including removing employees, taking disciplinary actions and forming a committee to implement anti-harassment initiatives. It also settled an Equal Employment Opportunity Commission lawsuit and has been more cooperative with investigations. However, it's still facing a mounting number of legal challenges that include both more lawsuits and an SEC investigation — the debacle is far from over.