April 2026 had a single thread running through almost every story: identity. Who you are is being attached to everything you do online, through breached government portals, biometric phone registration, device-level age checks, and mandatory ID wallets for social media. April also brought a sharp warning about AI-enabled cyberattack capability and a malware campaign that found a distribution channel nobody can shut down. Here’s what happened this month:
This Month at a Glance
⬇ France: 19 Million Government ID Records for Sale After ANTS Portal Breach: Hackers broke into France’s government portal for passports, ID cards, and driving licences. Up to 19 million records are now being sold on criminal forums, France’s third major government breach of 2026.
⬇ ShinyHunters Breaches Rockstar Games via a Trusted Third Party – 78.6 Million Records Leaked: Hackers entered Rockstar by compromising a smaller company Rockstar trusted. When Rockstar refused to pay on 14 April, 78.6 million records were published. The same group has now hit over 160 companies this year.
⬇ Anthropic’s New AI Model Is Too Dangerous to Release – But Older Ones Already Do the Same: Anthropic withheld its latest model because of how effectively it writes cyberattacks. A security firm then showed older, free models can do much the same.
⬇ AI Chatbots Give Flattering Answers Half the Time – and Users Cannot Tell: A Stanford study found AI chatbots give agreeable but wrong advice nearly half the time, and users trust those responses more. Even one such interaction made people less willing to hold themselves responsible for their decisions.
⬇ Omnistealer Malware Hides on the Blockchain Where It Cannot Be Taken Down: A new infostealer stores its instructions inside blockchain transactions that cannot be deleted. It targets password managers, browser logins, and crypto wallets. Around 300,000 credentials have been stolen so far.
⬆ Google Will Update All Its Encryption by 2029 to Prepare for Future Threats: Google has committed to upgrading its encryption across all products by 2029, ahead of any regulatory requirement.
⬇ 100 Countries, Three Frameworks, One Direction – The Global Digital ID Rollout Is Already Here: At least 81 countries now offer a government-linked digital ID, driven by the World Bank, the UN, and EU law. Every story this month about phone registration, age checks, and identity wallets is part of the same global project – and “voluntary” is increasingly a formality.
⬇ Mexico Requires All 127 Million Phone Numbers to Be Linked to Biometrics by 1 July: Every phone number in Mexico must be registered with a face scan and fingerprints by 30 June or go dark. Anonymous SIM cards will cease to exist.
⬇ Apple Now Requires UK iPhone Users to Prove Their Age or Lose Device Features: UK users who cannot verify they are 18 via a credit card or driving licence get a restricted device after updating to iOS 26.4. One in three UK adults has no credit card and one in five has no driving licence.
⬇ Germany Wants a Government ID Wallet Required to Log In to Any Social Media Platform: Germany’s governing coalition is pushing to make its EU digital identity wallet mandatory for social media access, with VPNs explicitly blocked as a workaround.
⬇ Hong Kong Police Can Now Demand Device Passwords from Anyone – Including Travellers in Transit: Since 23 March, Hong Kong police can require anyone – including airport transit passengers – to unlock their phone or laptop. Refusing is a criminal offence.
France: 19 Million Government ID Records for Sale After ANTS Portal Breach
On 15 April 2026, France’s ANTS portal, the government system for passports, national ID cards, driving licences, and immigration documents, was breached via a basic flaw that allowed one user to access another’s records simply by changing a number in a web address. A hacker posted 18 to 19 million records for sale on criminal forums the following day. Stolen data includes full names, email addresses, dates of birth, home addresses, and phone numbers. Scanned documents and biometrics were not taken. ANTS has notified France’s data protection authority, filed a criminal complaint, and alerted the national cybersecurity agency.
This is France’s third major public-sector breach of 2026. The data has not been freely leaked; it remains a private sale, but once it reaches buyers, it moves quickly into phishing and identity fraud campaigns. The mix of name, email, date of birth, and address is enough to craft convincing impersonation attempts against banks and government services. The lesson is one this newsletter has returned to often: centralising identity services into a single online portal concentrates risk too much.
To protect yourself, if you have used the ants.gouv.fr portal, be alert for any unsolicited message claiming to be from ANTS or a French administrative body. Verify any communication directly at ants.gouv.fr rather than clicking links.
Read more: France’s ‘Secure’ ID Agency Probes Claimed 19M Record Breach (The Register)
Continue reading: France Confirms Data Breach at Agency That Manages Citizens’ IDs (TechCrunch)
ShinyHunters Breaches Rockstar Games via a Trusted Third Party – 78.6 Million Records Leaked
ShinyHunters did not break into Rockstar Games directly. The group first compromised Anodot, a cloud analytics company Rockstar used to monitor its online services, and extracted login credentials that gave them access to Rockstar’s data warehouse as if they were a legitimate internal system. Rockstar confirmed a third-party breach affecting “non-material company information” with no impact on players. When Rockstar declined to pay the ransom on 14 April, 78.6 million records were published, internal analytics covering player behaviour, support data, and revenue metrics tied to GTA Online and Red Dead Online.
This pattern is now the dominant attack story of 2026. Booking.com, Zara, Carnival, and Kemper Corporation have all been confirmed or claimed by ShinyHunters this month using the same method: compromise a trusted vendor, use their credentials to enter the target. Over 160 companies have been hit. In none of these cases was the primary company’s own infrastructure directly attacked; access came through trusted integrations.
To limit your exposure, audit every third-party tool your organisation connects to: what data can it access, and what happens if its credentials are stolen? Enforce credential rotation and apply least-privilege access to every service account. If you are a Rockstar player, change your account password and review recent activity.
Read more: Rockstar Games Gets a Taste of Grand Theft Data (The Register)
Continue reading: Rockstar Games Confirms Data Breach in ShinyHunters Leak (Bitdefender)
Anthropic’s New AI Model Is Too Dangerous to Release – But Older Ones Already Do the Same
On 7 April, Anthropic announced it would withhold its new Claude Mythos Preview model from the public, citing its ability to find and exploit software vulnerabilities without a human expert guiding it. Alongside the announcement, it launched Project Glasswing to scan public and proprietary software for weaknesses using Mythos before attackers can access a comparable model. OpenAI responded within days, stating its own latest model carried similar risks and would also be withheld from unrestricted release.
The more important finding came from security firm Aisle, which replicated Anthropic’s results using older, freely available models. The gap between a withheld frontier model and what is already accessible is narrow. Schneier’s reading in the April Crypto-Gram is clear: he does not know whether the point where widely available AI models become good enough for serious cyberattacks has already arrived, but he has no doubt it is coming sooner than the security industry is ready for.
To stay prepared, assume the window between vulnerability discovery and exploitation is getting shorter. Automated patch deployment for critical systems is no longer optional. For individuals, keeping software updated and using multifactor authentication remain the most effective defences available.
Continue reading: On Anthropic’s Mythos Preview and Project Glasswing (Schneier on Security)
AI Chatbots Give Flattering Answers Half the Time – and Users Cannot Tell
A Stanford study in Science found that AI chatbots give agreeable but incorrect responses 49% more often than honest ones, and users trusted those answers more. Even a single flattering interaction made participants less willing to hold themselves responsible for their own decisions. Sycophancy is not an inherent property of AI; it is a deliberate design choice that drives engagement. Companies have a commercial incentive to build agreeable products and no requirement to make them accurate.
Treat AI advice on anything that matters as a starting point, not a verdict. If a response feels unusually aligned with what you hoped to hear, look harder and seek a second opinion before acting.
Read more: AI Sycophancy: Prevalence, Consequences, and Solutions (Science)
Omnistealer Malware Hides on the Blockchain Where It Cannot Be Taken Down
Omnistealer stores its instructions inside blockchain transactions, which are permanent and cannot be deleted or taken down. Most malware relies on conventional hosting that can be removed; this approach has no such weakness. It spreads through fake developer job offers on LinkedIn and Upwork, targeting password managers, browser credentials, and 60+ cryptocurrency wallet extensions. Around 300,000 sets of credentials have been confirmed stolen. Attribution points toward North Korean state-sponsored actors.
If you have accepted any unsolicited coding task through LinkedIn or Upwork recently, treat the machine that ran it as potentially compromised. Rotate all stored credentials and enable multifactor authentication on every account.
Read more: Omnistealer Uses the Blockchain to Steal Everything It Can (Malwarebytes)
Google Will Update All Its Encryption by 2029 to Prepare for Future Threats
Google has committed to upgrading all its encryption across Chrome, Workspace, and Google Cloud to resist future quantum computers by 2029. The move is voluntary and ahead of any regulatory deadline. Schneier endorses it not because a capable quantum computer is imminent, but because organisations that can update their encryption without disruption are better prepared for any cryptographic emergency. Those that wait tend to face rushed, costly migrations.
If your organisation processes data that must stay confidential for more than a decade, start an encryption inventory now. An attacker who captures data today can attempt to decrypt it later with a future quantum computer.
Read more: Google’s Cryptography Migration Timeline (Google Security Blog)
100 Countries, Three Frameworks, One Direction – The Global Digital ID Rollout Is Already Here
Mexico’s biometric SIM mandate, Apple’s age check in the UK, Germany’s identity wallet proposal, Hong Kong’s device password law, each looks like an isolated national decision. Together they are something else. At least 81 countries now offer a government-linked digital ID for online use, and three coordinated multilateral frameworks are driving simultaneous rollout worldwide: the World Bank’s ID4D initiative, active in nearly 60 countries; UN Sustainable Development Goal 16.9, which commits every member state to universal legal identity by 2030; and the EU’s eIDAS 2.0 regulation, which requires all 27 member states to offer a digital identity wallet to every resident by December 2026. These frameworks converge on the same destination: a world where every meaningful digital action is attached to a verifiable, government-held identity.
“Voluntary” rarely survives contact with reality. India’s Aadhaar is technically optional; refusing to enrol means losing access to banking, welfare, and a working phone. Mexico’s SIM law is not optional at all. The EU wallet is voluntary on paper, but the regulation says nothing about the quality of alternatives, so friction does the work that compulsion cannot. Germany wants to block VPNs as a workaround, which would require scanning all internet traffic at the network level. And this month’s ANTS breach shows what is at stake when this centralised infrastructure fails: a third of France’s population in one database, exposed by a basic flaw.
Follow the EU eIDAS 2.0 December 2026 deadline closely. Organisations such as EDRi, noyb, and Access Now are tracking these frameworks and publishing practical guidance. For individuals, the best protection is the one available now: encrypted communication tools, pseudonymous accounts where possible, and deliberate choices about which services you link to a verified government identity.
Read more: Global Progress in Identification: 3 Findings from the Latest Data (World Bank ID4D)
Continue reading: EU Says EUDI Wallet Is Voluntary; Germany’s SPD Plan Says Otherwise (Reclaim the Net)
Mexico Requires All 127 Million Phone Numbers to Be Linked to Biometrics by 1 July
Mexico’s mobile registration law requires every phone number in the country, prepaid or contract, SIM or eSIM, to be registered against the national biometric database by 30 June. Miss the deadline and the line goes dark on 1 July. Registration means linking your number to Mexico’s national ID system, which now requires a photograph, fingerprints, and iris scans. Around 127 million active lines are affected. Anonymous prepaid SIMs cease to exist. This is Mexico’s third attempt at mandatory mobile registration; earlier versions were struck down by courts on privacy grounds. US commentators are already asking when their country follows, given that mobile digital IDs are already accepted at TSA checkpoints in over 40 US states.
To protect yourself, if you have a Mexican phone number, register it before 30 June through your carrier. If you travel to Mexico and buy a local SIM after the deadline, registration will be part of activation. For everyone else: after 1 July, every number on Mexico’s network will be tied to a biometric identity held by the government.
Read more: Mexico Clarifies Rules Linking Biometric CURP to SIM Registration (ID Tech Wire)
Apple Now Requires UK iPhone Users to Prove Their Age or Lose Device Features
iOS 26.4, released in late March, requires UK users to prove they are 18 or older with a credit card, a photo driving licence, or an Apple ID already marked as 18+, or else their device will switch to a child-safe mode with filtered adult content, restricted web browsing, and locked-on message scanning. One in three UK adults has no credit card and one in five has no driving licence. Civil liberties group Big Brother Watch called it the most significant restriction on device freedom in UK history and noted that the iOS 26.4 release notes made no mention of the change. Apple went voluntarily beyond what current UK law requires, and the same measures are already in place in South Korea, with more countries to follow.
To make an informed decision, UK users can disable automatic updates in Settings before installing 26.4. If you need to verify without a credit card or driving licence, a PASS-scheme card (CitizenCard, TOTUM) is accepted. If you are outside the UK, this rollout is proceeding one country at a time.
Read more: Apple Rolls Out Age Verification in the UK with iOS 26.4 (TechRadar)
Continue reading: Apple’s New iPhone Update Is Restricting Internet Freedom in the UK (Big Brother Watch)
Germany Wants a Government ID Wallet Required to Log In to Any Social Media Platform
Germany’s SPD, the junior coalition partner in the current government, has proposed requiring the EU Digital Identity Wallet for all social media access: banned for under-14s, restricted to youth-only versions for 14 to 15-year-olds via a parent’s wallet, and full wallet verification required for everyone 16 and older before any login. The SPD also wants VPNs blocked as a workaround, which would require scanning all internet traffic at the national network level – the same approach used by authoritarian governments to control online access. Both governing parties now support mandatory ID for social media. The EU officially calls the wallet voluntary; Germany’s proposal would make it anything but.
To engage with these developments, follow the German coalition negotiations and the EU eIDAS 2.0 rollout deadline of December 2026. Support organisations including EDRi and noyb that are making the legal case against compelled use.
Read more: Germany Proposes EUDI Wallet as Mandatory Age Gate for Social Media (ID Tech Wire)
Hong Kong Police Can Now Demand Device Passwords from Anyone – Including Travellers in Transit
Since 23 March 2026, Hong Kong police can require any person, including passengers in transit at the airport, to hand over device passwords and encryption keys. Refusal is a criminal offence. The power is backed by the National Security Law, whose definition of national security covers political speech, journalism and pro-democracy groups. The US Consulate General has issued a formal travel warning. The law does not require police to suspect a specific offence before making a demand.
To reduce your exposure when travelling through Hong Kong, take a clean device with only what you strictly need, no cloud accounts signed in, and no sensitive files. Wipe it before you travel and restore from a remote backup on arrival. If you cannot travel clean, sign out of all communication apps before landing.
Read more: Hong Kong Police Can Force You to Reveal Your Encryption Keys (Schneier on Security)
Recommended Reading
- Crypto-Gram April 15, 2026 (Schneier on Security), covering AI sycophancy, post-quantum cryptography, the New Mexico court ruling threatening end-to-end encryption, and more.
- Lovable Data Breach April 2026: What Was Exposed and How to Respond (Bastion)
- List of Recent Data Breaches in 2026 (Bright Defense)
- Cybersecurity & Privacy News and Analysis (Law360)
- What is an IMAP account? (Mailfence Blog)
- Email Is Dead, Long Live Email (Mailfence Blog)
That’s All for This Month’s Newsletter!
April 2026 made one thing clear: the question of who controls your digital life is no longer abstract. France’s ANTS breach showed what is at stake when centralised identity infrastructure fails. Mexico, the UK, and Germany each showed a different mechanism by which voluntary becomes mandatory. And the AI sycophancy research was a reminder that the tools shaping our decisions are optimised for our approval, not our benefit. Stay sceptical of defaults and ask hard questions of the services you use. Thank you for reading, and we look forward to keeping you informed in May.
Best,
Patrick
Get the latest privacy news in your inbox
Sign up to the Mailfence Newsletter.
