Microsoft fined $20 million for collecting kids’ data.

Jun 08 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that remembers when heatwaves were welcomed in the UK and not met with Heat-Health Alerts (HHAs). Yep, there’s an acronym for that now.

Today’s hottest cyber security stories:

  • Microsoft fined $20 million for collecting kids’ data off Xbox

  • Registrations for domains similar to ChatGPT up 910%. Wonder why…

  • 0mega ransomware gang switches from data encryption to data theft


First it was Apple, now it’s Microsoft. They just can’t leave their customers’ data alone, can they? And this time it’s kids’ data. Moving swiftly on…

It’s no secret that kids are a major economic force. Indeed, total revenue of the world toy market was recorded at over 104 billion U.S. dollars in 2021 and the global toy market has grown by more than 13% since 2018.

Microsoft knows this and has been looking to cash in further. Unfortunately for them, they didn’t cover their tracks well enough and, as such, the U.S. Federal Trade Commission (FTC) busted their ass to the tune of a whopping $20 million penalty, which Microsoft has agreed to pay to settle the charges.

Okay, Microsoft isn’t short of a few bob but still, nobody likes to pay a fine of that size, so presumably this’ll make them think twice before snooping around kids’ data. The creeps.

Enter the FTC

"Our proposed order makes it easier for parents to protect their children's privacy on Xbox, and limits what information Microsoft can collect and retain about kids," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.

"This action should also make it abundantly clear that kids' avatars, biometric data, and health information are not exempt from COPPA."

Get this: per the FTC, Microsoft violated COPPA's notice, consent and data retention requirements. Anyone signing up, including users who said they were under 13, had to hand over their first and last names, email addresses and dates of birth (and, until late 2021, a phone number) before a parent was involved at all. Under COPPA, that personal information isn't supposed to be collected from a child until a parent has been notified and has given verifiable consent.

Aside from the fact that Microsoft acted illegally by collecting that data, just imagine if that sort of data was to get into the wrong hands.

Imagine if this information was hacked and sold on the dark web, for example. Disgusting. Honestly, it seems foolish for any service or company to be asking children under the age of 13 (18, even!) for details so personal.

"It wasn't until after users provided this personal information that Microsoft required anyone who indicated they were under 13 to involve their parent," the FTC said.

"The child's parent then had to complete the account creation process before the child could get their own account."

Microsoft nevertheless flouted the rules and retained the data collected during that account creation step, sometimes for years, even when a parent never completed the signup process. COPPA only lets you keep a child's data for as long as you need it for the purpose it was collected. Shocking.

Xbox, in response, said it's taking additional steps to improve its age verification system. ‘Bout time!


Some things never change. Classic phishing techniques, in this case lookalike domains (a.k.a. typosquatting), are being used to cash in on the soaring popularity of OpenAI’s ChatGPT service.

These traditional phishing tactics aren’t particularly sophisticated but you’d be surprised how often people fall for them, hook, line, and sinker.

What they do is register domains that are oh-so-similar to a popular website (a swapped letter, a brand name with “-login” bolted on, the brand as a subdomain of something unrelated) so that people in a hurry, innocently looking to cheat on an essay, click through and BAM, they’re on a malicious landing page serving a phishing form or a fake “ChatGPT” download. It’s just that easy, folks.

“Between November 2022-April 2023, we noticed a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT,” according to the latest Network Threat Trends Research Report from Unit 42, the threat research arm of Palo Alto Networks.

“It suggests that cybercriminals are looking to exploit the popularity of ChatGPT to spread potentially unwanted or harmful software,” Palo Alto Networks said in the report.

So, our advice as always is to use bookmarks for services you use a lot and, of course, read the f*cking URL. Carefully.

And be especially careful when clicking links that appear in a Google search. It’s alarming how highly these fakes can rank at times. We’re talking the top half of page one, people!
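If you’d rather not rely on every user reading the URL, the same lookalike tricks can be caught mechanically. The script below is an added example written for this newsletter (it is not Unit 42’s tooling and not OpenAI’s): it takes a list of newly registered names and flags the ones that impersonate ChatGPT or OpenAI by character substitution, edit distance, a brand name embedded in the registrable label, or the brand stuffed into a subdomain of an unrelated site. The official-domain allowlist, the brand list and the sample registrations are all assumptions or constructed data, not real registrations.

```python
"""Flag domain registrations that look like ChatGPT / OpenAI.

Added example for this newsletter; it is not Unit 42's tooling. The
official-domain allowlist, the brand list and the sample registrations
below are assumptions / constructed data.
"""
import re
import unicodedata

BRANDS = ("chatgpt", "openai")
# Assumed allowlist of legitimate hosts; maintain it from the vendor's own docs.
OFFICIAL = {"openai.com", "chat.openai.com"}
# Digit-for-letter swaps commonly used in lookalike labels.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}
# How many edits away from a brand still counts as a lookalike.
MAX_EDITS = {"chatgpt": 2, "openai": 1}


def normalise(label: str) -> str:
    """Lower-case, strip accents, undo digit confusables, drop punctuation."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for digit, letter in CONFUSABLES.items():
        ascii_label = ascii_label.replace(digit, letter)
    return re.sub(r"[^a-z0-9]", "", ascii_label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(domain: str):
    """Return a reason string if `domain` impersonates a brand, else None."""
    d = domain.lower().rstrip(".")
    if d in OFFICIAL or any(d.endswith("." + o) for o in OFFICIAL):
        return None
    labels = d.split(".")
    # Crude registrable label: second-to-last label (ignores multi-part TLDs such as co.uk).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalise(sld)
    for brand in BRANDS:
        if norm == brand:
            if sld == brand:
                return f"'{brand}' registered under .{labels[-1]} rather than an official domain"
            return f"'{sld}' normalises to '{brand}' (character substitution)"
        if brand in norm:
            return f"brand '{brand}' embedded in registrable label '{sld}'"
        dist = levenshtein(norm, brand)
        if dist <= MAX_EDITS[brand]:
            return f"'{sld}' is edit distance {dist} from '{brand}'"
    # Brand used as a subdomain of an unrelated registrable domain.
    for label in labels[:-2]:
        if any(brand in normalise(label) for brand in BRANDS):
            return f"brand in subdomain '{label}' of unrelated domain '{'.'.join(labels[-2:])}'"
    return None


def scan(domains):
    """Map each flagged domain to the reason it was flagged."""
    return {dom: reason for dom in domains if (reason := classify(dom))}


# Constructed sample of "newly registered" names, not real registrations.
SAMPLE_DOMAINS = [
    "chat.openai.com", "openai.com", "github.com",        # expected clean
    "chatgpt-login.com", "chatgtp.com", "0penai.net",
    "chatgpt.free-downloads.example", "openai.com.verify-account.example",
]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:45} {why}")
```

Feed it a daily newly-registered-domains feed instead of `SAMPLE_DOMAINS` and you get a watchlist to block at the proxy or DNS resolver. Two caveats a practitioner would want: it does not decode internationalised (`xn--`) labels, so Unicode homoglyph attacks need a punycode-decoding step first, and the "second-to-last label" shortcut misreads multi-part TLDs; use a public-suffix library for real traffic.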


0mega (with a zero, yo) ransomware group is relatively new to the game but already they’ve switched their tactics up. 

Instead of encrypting victims’ data and asking for money to decrypt it, they’ve switched to straight data theft and extortion. I guess the encryption was the beta version of their modus operandi.

Now they’ve moved on to an effective formula of cyber-smash and grab. And extort.

SaaS account compromise + data theft = extortion

The attackers first compromised an unnamed company’s Microsoft Global administrator service account, which did not have multi-factor authentication enabled. There’s a lesson there… Obsidian Security, whose researchers investigated the intrusion, explained:

“The compromised service account granted the 0mega account site collection administrator capabilities to multiple SharePoint sites and collections, while also removing existing administrators.

“Over 200 admin removal operations occurred within a 2-hour period,” Obsidian Security’s team shared.

Damn, son. One to watch out for. Did we just make 0mega sound like a promising sporting prospect?
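The pattern in those quotes, a freshly granted admin account stripping 200+ existing admins inside two hours, is loud enough to detect from the SharePoint audit trail. The script below is an added example written for this newsletter, not Obsidian Security’s detection logic: it builds a constructed timeline of audit records, then (a) finds any actor whose site-collection admin removals inside a sliding two-hour window reach a threshold, and (b) lists accounts that were granted site collection admin and afterwards removed other admins. The operation names `SiteCollectionAdminAdded` / `SiteCollectionAdminRemoved` and fields such as `CreationTime`, `UserId` and `SiteUrl` follow the Microsoft 365 Unified Audit Log, but the records are simplified, the tenant, accounts and sites are made up, and using `TargetUserOrGroupName` to carry the granted account is an assumption to verify against your own export.

```python
"""Spot a burst of SharePoint site-collection admin removals by a newly
granted admin, the pattern reported in the 0mega intrusion.

Added example for this newsletter, not Obsidian Security's detection logic.
Records are constructed; operation and field names follow the Microsoft 365
Unified Audit Log but are simplified, and carrying the granted account in
TargetUserOrGroupName is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTACKER = "0mega@contoso.example"                    # constructed attacker-created account
SERVICE_ACCOUNT = "svc-globaladmin@contoso.example"   # constructed Global admin service account
SITES = [f"https://contoso.sharepoint.example/sites/team{i:02d}" for i in range(30)]
T0 = datetime(2023, 6, 1, 2, 0, 0)


def _event(ts, operation, actor, site, target=None):
    rec = {"CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "Operation": operation,
           "UserId": actor, "SiteUrl": site, "Workload": "SharePoint"}
    if target:
        rec["TargetUserOrGroupName"] = target
    return rec


def build_sample_events():
    """Constructed timeline: grants to the 0mega account, then 210 removals in ~98 minutes."""
    events = []
    for i, site in enumerate(SITES):   # compromised Global admin grants 0mega site collection admin
        events.append(_event(T0 + timedelta(seconds=10 * i), "SiteCollectionAdminAdded",
                             SERVICE_ACCOUNT, site, target=ATTACKER))
    n = 0
    for site in SITES:
        for k in range(7):   # 30 sites x 7 admins = 210 removals, one every 28 s
            events.append(_event(T0 + timedelta(minutes=5, seconds=28 * n), "SiteCollectionAdminRemoved",
                                 ATTACKER, site, target=f"admin{k}@contoso.example"))
            n += 1
    # Routine noise: a human admin removing one leaver should not alert.
    events.append(_event(T0 + timedelta(minutes=30), "SiteCollectionAdminRemoved",
                         "it-admin@contoso.example", SITES[3], target="leaver@contoso.example"))
    return events


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_removal_bursts(events, window=timedelta(hours=2), threshold=100):
    """Return {actor: (count, first_ts, last_ts)} for actors whose
    SiteCollectionAdminRemoved count inside any sliding `window` reaches `threshold`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["Operation"] == "SiteCollectionAdminRemoved":
            by_actor[e["UserId"]].append(parse_ts(e["CreationTime"]))
    alerts = {}
    for actor, times in by_actor.items():
        times.sort()
        q = deque()
        best = (0, None, None)
        for t in times:
            q.append(t)
            while t - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) > best[0]:
                best = (len(q), q[0], t)
        if best[0] >= threshold:
            alerts[actor] = best
    return alerts


def granted_then_removing(events):
    """Accounts that were granted site collection admin and afterwards removed
    other admins: {account: removals performed after its first grant}."""
    first_grant = {}
    for e in sorted(events, key=lambda e: e["CreationTime"]):
        if e["Operation"] == "SiteCollectionAdminAdded" and "TargetUserOrGroupName" in e:
            first_grant.setdefault(e["TargetUserOrGroupName"], parse_ts(e["CreationTime"]))
    counts = defaultdict(int)
    for e in events:
        actor = e["UserId"]
        if (e["Operation"] == "SiteCollectionAdminRemoved" and actor in first_grant
                and parse_ts(e["CreationTime"]) >= first_grant[actor]):
            counts[actor] += 1
    return dict(counts)


SAMPLE_EVENTS = build_sample_events()

if __name__ == "__main__":
    for actor, (count, start, end) in find_removal_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} admin removals between {start:%H:%M} and {end:%H:%M}")
    print("granted-then-removing:", granted_then_removing(SAMPLE_EVENTS))
```

The threshold is a tuning knob: 100 in two hours is far above anything a human does by hand, while the one-off removal by `it-admin` stays silent. The second check is the sharper signal, because a legitimate new admin rarely spends its first hours deleting every other admin. Neither replaces the fix the story points at: MFA (or, better, no standing Global admin rights at all) on service accounts.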

Stay safe, cyber-warriors!

So long and thanks for reading all the phish!
