Mailfence Privacy Digest December 2025, N°8

Featured image for the Mailfence Privacy Digest December 2025

Table of Contents

Share this article:

Welcome to the December edition of Mailfence’s Privacy and Cybersecurity Newsletter! The past month has served as a sobering reminder of how vulnerable our digital lives remain – and how quickly governments and corporations can reshape the landscape. From browser extensions secretly harvesting AI conversations to platforms monetising your chatbot confessions, this month exposed just how deeply our personal data can be exploited. Meanwhile, India attempted to mandate spyware on a billion devices, the EU is planning its next strike on encryption, and AI researchers discovered you can trick chatbots into revealing nuclear secrets with a simple poem. Here’s what happened this month:

Mixpanel Breach Exposes Pornhub and SoundCloud Users

  • A smishing attack on analytics firm Mixpanel led to ShinyHunters extorting Pornhub over 200 million Premium member records, including viewing histories.

Chrome Extension Caught Harvesting 8 Million Users’ AI Chats

  • Urban VPN Proxy secretly logged and sold conversations from ChatGPT, Claude, Gemini, and other AI platforms to data brokers since July 2025.

India’s Spyware Mandate: Ordered, Then Reversed

  • India ordered smartphone makers to preload an undeletable government surveillance app on 1.2 billion devices – then backed down after Apple refused, and public outrage erupted.

ProtectEU: The EU’s Next Attack on Encryption

  • The European Commission’s “Going Dark” initiative, now rebranded as ProtectEU, aims to give law enforcement access to encrypted data by 2030, with VPN services now explicitly on the target list.

Australia’s Social Media Ban Forces Biometric Checks

  • Australians must now hand over their faces, IDs, and biometrics to prove they are not children – all in the name of protecting under-16s from social media.

EU Digital Wallet Coming in 2027: ID Cards Move to Mobile Phones

  • Member states must make digital identity wallets available to all citizens by late 2026, with banks and major platforms required to accept them by December 2027.

X Updates Privacy Policy for EU Compliance

  • X (formerly Twitter) now removes content “considered harmful or unsafe under local laws” in the EU and UK, marking a departure from its “free speech absolutism” rhetoric. 

Switzerland Rejects Palantir Over Data Sovereignty Risks

  • After years of lobbying, Switzerland formally declined to use Palantir’s software, concluding the risks of US government access to sensitive data were unacceptable. 

Poems Can Jailbreak AI Into Making Nuclear Weapons

  • European researchers discovered that phrasing requests as poetry bypasses safety guardrails on 25 major AI models, with success rates reaching 90% on some platforms. 

Privacy-First Carrier Launches: No ID Required

  • Phreeli, a new US mobile carrier, requires only a Postcode to sign up – no name, address, or government ID – signalling growing demand for privacy-respecting alternatives. 

Mixpanel Breach Exposes Pornhub and SoundCloud Users

December began with the revelation of a far-reaching breach affecting analytics firm Mixpanel, which counts around 8,000 corporate customers. The attack, which occurred on 8 November via a sophisticated SMS phishing campaign, has now exposed data belonging to users of Pornhub, OpenAI, SoundCloud, CoinTracker, SwissBorg, and potentially hundreds of other companies. The notorious ShinyHunters hacking collective claimed responsibility and has begun extorting affected organisations.

Pornhub confirmed that “select Premium users” had their data exposed, including email addresses, viewing histories, search queries, and timestamps of activity spanning from 2016 to 2023. Although Mixpanel disputes that Pornhub’s data came from its November incident, ShinyHunters asserts it holds over 200 million records totalling 94 GB. Meanwhile, SoundCloud acknowledged that approximately 20% of its users, roughly 28 million accounts, were impacted. The breach underscores how third-party analytics providers have become single points of failure for vast swathes of sensitive user data.

To limit your exposure, assume that metadata (email, location, device info, and usage patterns) from any service using Mixpanel may have been exposed. Change passwords and enable multifactor authentication on all affected accounts (especially email, social media, and financial services). Be particularly vigilant for extortion attempts: Pornhub has warned users to expect sextortion emails. Given the sensitive nature of the exposed viewing data, affected individuals should be prepared for targeted blackmail attempts and avoid responding to any such communications.

Read more:

Chrome Extension Caught Harvesting 8 Million Users’ AI Chats

Security researchers at Koi Security uncovered that Urban VPN Proxy, a Chrome and Edge extension with over 8 million users and Google’s “Featured” badge, had been secretly harvesting users’ AI chatbot conversations since July 2025. The extension captured every prompt and response from ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI, then sold this data to third parties through data broker BiScience.

The harvesting began with version 5.5.0 released on 9 July 2025. Researchers also identified three related extensions with identical functionality: 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker. All four have since been removed from the Chrome Web Store. Users who installed these extensions for privacy protection inadvertently gave away their most sensitive AI interactions, including professional queries, personal conversations, and potentially proprietary business information. The breach exposes a fundamental paradox: the very tools marketed to protect privacy can be weaponised against users.

To protect yourself, immediately remove any Urban VPN extensions and related products. Review all browser extensions you have installed and limit them to those from verified, trusted developers. Consider using standalone VPN applications rather than browser extensions, as these operate at the system level and are less prone to data harvesting. Assume that any prompts submitted through AI assistants whilst using these extensions may have been captured and sold. For sensitive work, use AI tools through official interfaces rather than through third-party integrations.

Learn more:

India’s Spyware Mandate: Ordered, Then Reversed

In a dramatic turn of events, India’s telecom ministry issued a confidential order on 28 November directing all smartphone manufacturers to preload the government’s Sanchar Saathi app on every device sold in India. The order required the app to be unremovable, with manufacturers given 90 days to comply. Existing devices would also need to receive the app via software updates. With 1.2 billion smartphone users, this would have represented the largest mandated surveillance deployment in history.

The backlash was immediate and fierce. Opposition parties labelled Sanchar Saathi a “snooping app” and drew comparisons to Pegasus spyware. Digital rights organisation Internet Freedom Foundation warned the directive would turn every smartphone into “a vessel for state-mandated software that the user cannot meaningfully refuse.” Apple reportedly refused to comply, citing its policy of never preloading government applications on devices. By 3 December, amid mounting public outrage, the government reversed course, stating the app would remain voluntary.

To protect yourself, if you are in India, be aware that whilst mandatory preloading has been cancelled, the government continues to expand Sanchar Saathi’s capabilities. The app can still be downloaded voluntarily and is positioned as essential cybersecurity infrastructure. Exercise caution about installing any government-mandated security applications. This incident demonstrates how quickly mandatory surveillance measures can be proposed and how public pressure can sometimes reverse such initiatives. 

Continue reading:

ProtectEU: The EU’s Next Attack on Encryption

The European Commission lost the Chat Control 2.0 battle – but it is already preparing for Chat Control 3.0. The “Going Dark” initiative has been rebranded as ProtectEU, and its mission remains unchanged: to enable law enforcement authorities to “access encrypted data in a lawful manner” by 2030. What has changed is the scope: member states are now explicitly discussing whether VPN services should be included in new data retention requirements.

A “Presidency outcome paper” circulating among EU member states reveals the ambition to have “the broadest possible scope of application” for metadata retention, covering which websites you visit, who you communicate with, when, and how often. VPN providers, previously on the periphery of these discussions, are now directly in the crosshairs. The ProtectEU strategy also calls for a Technology Roadmap on encryption, with the goal of equipping Europol with “next-generation decryption capability” by 2030. Privacy advocates including EDRi and the EFF have warned that any attempt to create “lawful access” to encrypted data inherently undermines the security of all users.

To protect yourself, continue using services with genuine end-to-end encryption and support organisations fighting for strong privacy protections. Stay informed about upcoming negotiations between EU institutions. If you use a VPN, choose providers based in jurisdictions with strong privacy laws and strict no-logging policies. Be aware that whilst these proposals are still in the planning phase, they signal a sustained effort to weaken encryption across Europe.

Read more:

Australia’s Social Media Ban Forces Biometric Checks

As of 10 December 2025, Australia’s social media age restrictions took effect, requiring major platforms including TikTok, Instagram, Facebook, Snapchat, X, YouTube, and Reddit to take “reasonable steps” to prevent under-16s from creating or keeping accounts. Platforms are now demanding age verification from all users, not just children. Australians are being asked to hand over government-issued ID, bank account connections, or submit to facial age estimation just to continue using the apps they have had for years.

The irony is stark: whilst the law aims to protect children, adults are the ones being subjected to invasive identity verification. Platforms like Snapchat are using third-party services to verify ages through bank connections, photo ID scans, or biometric facial analysis. Privacy advocates have warned that this creates new attack surfaces for data breaches and normalises mass identity verification for everyday online activities. The law carries penalties of up to AUD 50 million for non-compliant platforms, pushing companies to implement the most invasive checks possible as a defensive measure.

To limit your exposure, understand that blanket age verification is not strictly required by the law – platforms can choose their own methods. If asked to verify your age, understand the options available: bank-verified identity disclosure is more invasive than AI-based age estimation, for instance. Consider whether you truly need access to platforms that demand such extensive identity checks. Support advocacy efforts pushing for privacy-preserving alternatives. Be aware that circumvention methods exist, but may carry their own risks.

Learn more:

EU Digital Wallet Coming in 2027: ID Cards Move to Mobile Phones

The EU Digital Identity Wallet (EUDI) is progressing rapidly, with member states required to make wallets available to all citizens by the end of 2026. By December 2027, banks, telecoms, healthcare providers, and Very Large Online Platforms will be legally required to accept the wallet for user authentication. Over 350 companies and public authorities across 26 member states are already participating in pilot programmes testing use cases from bank account opening to mobile driving licences.

The wallet promises selective disclosure: proving you are over 18 without revealing your exact birthdate, for instance. Data is stored locally on your device with encryption, and you control what information is shared. However, privacy advocates raise concerns about the overall system. The wallet creates a single identity framework that could enable unprecedented tracking if misused or compromised. Critics note that whilst individual credentials are well protected, the system normalises digital identity verification for everyday activities, potentially enabling broader surveillance infrastructure. Participation remains voluntary – you can continue using physical documents – but regulated industries will be required to accept wallet-based authentication.

To protect yourself, stay informed about your member state’s implementation plans. Consider carefully which services genuinely need access to your digital credentials. Whilst the wallet’s architecture is designed with privacy in mind, any centralised identity system creates potential risks if compromised. Remember that the goal is convenience and security, not surveillance – but vigilance is warranted.

Continue reading:

X Updates Privacy Policy for EU Compliance

X has quietly updated its terms of service to acknowledge that in the EU and UK, it will remove not only illegal content but also content “considered harmful or unsafe under local laws.” The update, which took effect in December 2025, represents a significant departure from Elon Musk’s previous “free speech absolutism” positioning and reflects pressure from the EU’s Digital Services Act.

The European Commission fined X €120 million on 5 December – the first penalty under the DSA – for breaches including deceptive use of its blue verification checkmark, lack of advertising transparency, and failure to grant researchers access to public data. Musk responded by calling for the EU to be “abolished,” whilst X blocked the Commission from purchasing advertisements on its platform. The privacy policy update also includes references to age assurance technology and updates for DSA compliance, including clearer information about users’ rights to appeal content moderation decisions.

To protect yourself, EU users should be aware they now have specific rights under the DSA to challenge content removal decisions through independent dispute settlement bodies. Review X’s updated terms to understand how content moderation applies in your jurisdiction. Be aware that content visible in one country may be restricted in others based on local legal requirements. Consider diversifying your social media presence across platforms with different governance approaches.

Read more:

Switzerland Rejects Palantir Over Data Sovereignty Risks

After years of lobbying by Palantir, including multiple personal visits by CEO Alex Karp, Switzerland has formally rejected using the US company’s software for its military and federal agencies. A 20-page risk assessment concluded that deploying Palantir’s systems would pose unacceptable risks to data sovereignty, with officials warning that sensitive information could fall under US legal authority through the CLOUD Act.

The Swiss Army’s evaluation found that whilst Palantir offers genuinely powerful data analytics capabilities, the risks outweighed the benefits. Key concerns included potential loss of control over sensitive national data, dependency on external personnel for maintenance, and the proprietary nature of the software limiting transparency and auditability. Swiss officials explicitly noted that “Palantir is a US-based company where there is a possibility that sensitive data could be accessed by the American government and intelligence agencies.” The decision contrasts sharply with Germany, where several state police forces are actively implementing Palantir software despite civil rights concerns.

To protect yourself, this case offers lessons for organisations evaluating foreign technology vendors. Consider data sovereignty implications when selecting software, particularly for sensitive applications. Understand that cloud-based tools may be subject to foreign legal orders regardless of where data is physically stored. Evaluate alternatives from European providers or open-source solutions that can be audited and controlled locally. Switzerland’s decision demonstrates that rigorous risk assessment can prevail over years of vendor lobbying.

Poems Can Jailbreak AI Into Making Nuclear Weapons

Researchers at Icaro Lab, a collaboration between Sapienza University in Rome and the DexAI think tank, have discovered that phrasing dangerous requests as poetry can bypass safety guardrails on 25 major AI models with alarming success rates. Hand-crafted poems achieved an average jailbreak success rate of 62%, whilst AI-generated poetic prompts succeeded 43% of the time. On some frontier models from OpenAI, Meta, and Anthropic, success rates reached 90%.

In one documented case, an unspecified AI was “wooed” by a poem into offering detailed instructions for producing weapons-grade plutonium. The researchers explain that poetic language operates at “high temperature,” using unpredictable word sequences and fragmented syntax that can evade safety classifiers trained on direct prose. The researchers withheld the actual jailbreaking verses, describing them as “too dangerous to share with the public.” Interestingly, smaller models like GPT-5 Nano proved more resistant, possibly because they lack the interpretive sophistication to decode poetic metaphors – or simply because their limited capabilities make the responses less useful.

To protect yourself, this research primarily concerns AI developers and policymakers. For ordinary users, the finding reinforces that AI safety guardrails are not foolproof. Be sceptical of claims that AI systems are “safe” or “aligned” – the poetry jailbreak demonstrates that creative adversaries can find unexpected pathways around safety measures. For organisations deploying AI, recognise that current guardrails represent a baseline, not a guarantee. 

Learn more:

Privacy-First Carrier Launches: No ID Required

In a refreshing counterpoint to the surveillance trends dominating this month’s news, privacy-focused mobile carrier Phreeli launched commercially in the US in December. Described as the “world’s first privacy-by-design mobile carrier,” Phreeli operates as an Mobile Virtual Network on T-Mobile’s network and requires only a Postcode to sign up – no name, no address, no government ID. The company pledges never to collect, sell, or share customer data.

Phreeli represents a growing market for privacy-conscious alternatives to mainstream services. Just as social media users have faced choices between platforms with different value propositions – from X to Bluesky to Mastodon – the same is increasingly true across the technology stack. Other developments point in similar directions: Switzerland has built Apertus, a public AI model free from the profit-driven incentives of commercial alternatives. Nonprofit initiatives like AllenAI and EleutherAI are developing open-source AI tools that can run locally under users’ control. The choices we make as users help shape the broader ecosystem.

To protect yourself, consider whether privacy-focused alternatives exist for the services you use daily. For mobile connectivity, carriers like Phreeli offer an alternative to the data-hungry practices of major networks. For AI, explore options like Switzerland’s public Apertus model or locally-run open-source tools. Remember that voting with your wallet – choosing privacy-respecting services even when less convenient – sends market signals that influence the broader industry direction.

Continue reading:

That’s All for This Month’s Newsletter!

December 2025 has closed out the year with one clear message: the battle for privacy is far from over. Whether it is governments mandating surveillance apps, platforms monetising your AI conversations, or researchers proving that poetry can unlock nuclear secrets, the need for vigilance has never been greater. Yet amidst the concerning trends, there are reasons for cautious optimism – from Switzerland rejecting foreign surveillance software to India backing down on mandatory spyware, public pressure and principled resistance can make a difference. As AI capabilities advance and regulatory landscapes shift, informed users remain the last line of defence. Thank you for reading, and we hope this newsletter helps you navigate 2026 with greater awareness and control. See you next month.

Best,

Patrick

Get the latest privacy news in your inbox

Sign up to the Mailfence Newsletter.

Reclaim your email privacy.
Create your free and secure email today.
Picture of Patrick De Schutter

Patrick De Schutter

Patrick is the co-founder of Mailfence. He's a serial entrepreneur and startup investor since 1994 and launched several pioneering internet companies such as Allmansland, IP Netvertising or Express.be. He is a strong believer and advocate of encryption and privacy.

Recommended for you