Matt Burgess Dell Cameron Andrew Couts Security May 23, 2026 6:30 AM Security News This Week: The FBI Wants ‘Near Real-Time’ Access to US License Plate Readers Plus: Google publishes a live exploit for an unpatched flaw, the feds arrest two men accused of creating thousands of nonconsensual deepfake nudes, and more. Save this story Save this story A WIRED investigation this week found that a former Phoenix police officer who owns a company that offers firearms training to Immigration and Customs enforcement was involved in six shootings, four of which were deadly . Meanwhile, a New York police officer’s lawyer has been banned from Madison Square Garden amid a lawsuit the cop filed over injuries sustained during a boxing match at an MSG venue. The Take It Down Act went into effect in the United States this week, allowing people to demand that websites and other platforms remove their nonconsensual nudes. WIRED reached out to more than a dozen companies to give you a rundown on how to take action . If you’re trying to opt out of having your data collected by data brokers and other companies, however, the process might not be so simple. New research claims that many major companies used manipulative tactics to keep people from opting out. The Federal Trade Commission this week announced a settlement with three marketing firms—not because they sold “Active Listening” technology for serving targeted advertising, but because the technology allegedly did not work . A bipartisan pair of US lawmakers this week took an initial stab at cracking down on automatic license plate readers , or ALPRs. Their legislation would have effectively prevented state and local governments from using the surveillance tech for police tracking. GitHub, the popular Microsoft-owned code repository, suffered a data breach this week. The attack is part of a never-before-seen string of similar breaches carried out by the cybercrime group TeamPCP. Finally, as the Trump administration and US tech companies have grown increasingly intertwined, European nations are looking for US-free alternatives , with France leading the charge. And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there. The FBI Wants ‘Near Real-Time’ Access to License Plate Readers Across the US While US lawmakers stealthily proposed to prohibit the use of automated license plate readers across the country this week, it has also been revealed that the Federal Bureau of Investigation is planning to buy nationwide access to the cameras and access “near real time” data about vehicle movements. First reported by 404 Media , recently published procurement records for the FBI Directorate of Intelligence show the agency gearing up to pay millions for access to data captured by roadside ALPR data. These cameras take images of every passing vehicle, adding their license plate, location, time and data, into searchable databases that are often accessed by local law enforcement agencies and some federal agencies. “The FBI has a crucial need for accessible LPRs to provide a diverse and reliable range of collections across the United States,” a statement of work says. “This data should be available across major highways and in an array of locations for maximum usefulness to law enforcement.” Further documents said the access to data must be provided in “near real time.” Google Publishes Live Exploit Code for Unpatched Chromium Flaw Google this week made public a working proof-of-concept for an unfixed vulnerability in Chromium, the open source codebase underpinning Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc, reported Ars Technica. The flaw was originally reported to the company 42 months ago by independent researcher Lyra Rebane, who initially assumed Wednesday's posting to the project's bug tracker meant a patch had finally shipped. It hadn't. Google pulled the disclosure after the error became apparent, but the exploit code is already mirrored on archival sites. The bug abuses the Browser Fetch API, a feature meant to handle large background downloads, allowing any website a target visits to spin up a persistent service worker on the device. The resulting connection can be used to monitor browsing activity, route traffic through the victim's machine, or pull the device into a proxied DDoS network—connections that survive browser restarts and, in some cases, reboots. On Edge, telltale signs are minimal. Chrome users may see an unexplained downloads dropdown. Google's own engineers flagged the bug as serious in the original disclosure thread, assigning it a multiple high-severity tiers in the company's internal ranking system. Firefox and Safari are unaffected, as neither implements the relevant feature. Google said it is working on a fix. Users seeing unprompted download windows should treat them as suspect. Feds Arrest Men Allegedly Behind Deepfake Sexual Abuse Watched Millions of Times Ever so slowly, a crackdown on people creating deepfake sexual abuse images may be starting. In recent months, the UK and the EU have announced plans to ban so-called nudifying websites that create fake nude images of women and girls using artificial intelligence. With the increasing enforcement of the Take It Down Act since May 19, similar pressure is being applied in the US. This week, the Federal Trade Commission sent a letter to 12 companies offering nudifying services, warning them they may be in violation of the Act saying they should have a process “through which victims can request the removal of nonconsensual intimate images.” While not limiting the services’ content, the move increases scrutiny on the harmful sites. The Department of Justice also arrested two men for allegedly sharing “thousands” of AI-created photos and videos showing real women nude or involved in sex acts. The men, Cornelius Shannon, 51, and Arturo Hernandez, 20, are alleged to have uploaded the AI creations to pornography websites and video sharing platforms. The images and videos, which prosecutors say were viewed millions of times, included celebrities and politicians, but also women known to the accused. The arrests follow the first conviction of an Ohio man last month under the Take It Down Act. Florida Prosecutor Indicted Over Alleged Theft of Jack Smith Report A former managing assistant US attorney in Fort Pierce has been charged with stealing a copy of the sealed report Jack Smith produced on his investigation into Donald Trump's handling of classified documents after Trump's first term, according to the Washington Post. Carmen Mercedes Lineberger, 62, allegedly forwarded the document to a personal email account in January 2025, relabeling the attachment “Bundt_Cake_Recipe.pdf”—a step prosecutors describe as an effort to dodge detection. She pleaded not guilty Wednesday to four felony charges, including theft of government property. Her lawyer has not responded to requests for comment, and the indictment is silent on what she intended to do with the file. Smith finished the summary in the closing days of the Biden administration. Unlike the companion volume covering his January 6 investigation, this one was never released publicly. Judge Aileen M. Cannon—who had earlier tossed the 40-count classified-documents indictment against Trump on the grounds that Smith's appointment was unlawful—initially sealed the report temporarily to protect those named but uncharged, then made the seal permanent after Trump's legal team and a Justice Department staffed by several of his former defense attorneys pressed for it. Comments Back to top You Might Also Like How to find us: Add WIRED.com to your preferred sources in Google How the Canvas hack threatened thousands of schools Big Story: I've covered robots for years— this one is eerily lifelike Orbs, saucers, and flashes on the moon—here’s what’s in the UFO files Take our survey: What does “home” mean to you? Written by WIRED Staff Topics security security roundup cybersecurity hacks hacking Google malware politics Read More Cybercriminal Twins Caught After They Forgot to Turn Off Microsoft Teams Recording Plus: Instructure’s Canvas ransomware debacle comes to a close, an alleged dark net market kingpin gets arrested, OpenAI workers fall victim to a supply chain attack, and more. Andrew Couts Discord Sleuths Gained Unauthorized Access to Anthropic’s Mythos Plus: Spy firms tap into a global telecom weakness to track targets, 500,000 UK health records go up for sale on Alibaba, Apple patches a revealing notification bug, and more. Matt Burgess Your iPhone Gets Stolen. Then the Hacking Begins A bustling underground ecosystem is providing criminals with the tools to unlock iPhones—and wage phishing attacks against their contacts to access bank accounts and more. Matt Burgess Hackable Robot Lawn Mower Unlocks a New Nightmare Plus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more. Matt Burgess 90,000 Screenshots of One Celebrity's Phone Were Exposed Online Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure. Matt Burgess DHS Demanded Google Surrender Data on Canadian’s Activity, Location Over Anti-ICE Posts Using a 1930s trade law, Homeland Security targeted the man—who hasn’t entered the US in more than a decade—following posts on X condemning the killings of Renee Good and Alex Pretti. Maddy Varner Disneyland Now Uses Face Recognition on Visitors Plus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more. Andrew Couts US Special Forces Soldier Arrested for Polymarket Bets on Maduro Raid The master