Google faces ‘spam ads’ ePrivacy complaint in France

Google is facing a fresh privacy complaint in Europe over ads it inserts into its Gmail email service in the guise of emails.

Privacy advocacy group, noyb, has filed the complaint with France’s data protection watchdog, the CNIL, claiming the adtech giant has breached the European Union’s ePrivacy Directive rules on direct marketing by failing to gain consent from Gmail users for the ads it displays inside their inboxes, alongside promotional emails they have actually signed up for.

noyb’s complaint cites a ruling by the EU’s top court last year, in a separate case related to the use of email for direct marketing, which it argues makes it plain that ads which are displayed inside a user’s inbox constitutes “a use of electronic mail for the purposes of direct marketing” — which, under ePrivacy rules, requires user consent. (The Gmail advertising emails only distinguish themselves from genuine emails users have signed up for by the inclusion of an ‘ad’ label and the lack of a date-stamp.)

The complaint asserts that Gmail users did not consent to being spammed with Google’s ads — noting that, under ePrivacy, consent would have needed to be obtained prior to the ads being displayed in their inboxes.

noyb also argues that exceptions set out in relevant EU law do not apply here because Google’s ad emails are not used for the direct marketing of similar products for which consent was previously obtained.

“It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider,” added Romain Robert, lawyer at noyb, in a statement. 

Google was contacted for comment on the complaint.

France’s CNIL has been an active regulator of Google on privacy issues, making use of the competency it can exert under ePrivacy — which, unlike the General Data Protection Regulation, does not require cross-border complaints to be funnelled through a lead DPA (in Google’s case, Ireland’s Data Protection Commission) — avoiding the GDPR bottleneck that has slowed down privacy enforcement against Big Tech.

Back in December 2020, the CNIL fined Google $120M for dropping tracking cookies without consent — after finding it had breached ePrivacy rules. It followed that up with another beefy fine — $170M — this January for dark patterns it found Google deploying in cookie consent flows.

Those French ePrivacy enforcements soon led to Google announcing an updated cookie consent banner in Europe which finally offered users a top-level option to refuse all its tracking — suggesting muscular enforcement of laws defending web users rights and freedoms can face down the power of Big Tech.

The CNIL also managed to slap Google with an early GDPR enforcement, back in 2019, prior to a legal switch which brought the company’s EU users under the jurisdiction of its Irish subsidiary (instead of its US parent) — thereby ensuring that subsequent GDPR complaints against Google have been routed through Ireland.

Hence the majority of GDPR enforcement on major complaints against Google — such as over the legality of its adtech (a formal investigation was opened in May 2019); or its location tracking practices (under probe in Ireland since February 2020) — remain in limbo as the Irish regulator’s painstaking procedures grind on. But decisions must flow eventually — within months or years.

It will be interesting to see which arrives first: A decision from France’s CNIL on this fresh noyb complaint against Google’s Gmail ad spam (filed August 2022) — or a final decision from Ireland on Google’s adtech or location tracking.

In the meanwhile, noyb has been pressing another series of strategic complaints against Big Tech by targeting b2b users of Google Analytics and Facebook Connect across the EU — which has led to a number of breach findings and warnings from DPAs against use of Google’s analytics software, with France’s watchdog putting out guidance in June that warns users of the tool of the need to apply additional safeguards to ensure their implementation complies with GDPR requirements on data transfers outside the bloc or else switch to a compliant (non-Google) alternative.

Facebook also has a major decision hanging over it related to a long-standing complaint about its EU data exports which was originally filed by noyb’s chairman — long before he founded the privacy advocacy group.

Twitter fixes security bug that exposed at least 5.4 million accounts

Twitter says it has fixed a security vulnerability that allowed threat actors to compile information of 5.4 million Twitter accounts, which were listed for sale on a known cybercrime forum.

The vulnerability allowed anyone to enter a phone number or an email address of a known user and learn if it was tied to an existing Twitter account, potentially exposing the identities of pseudonymous accounts.

In a brief statement published Friday, the microblogging giant said, “if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any.”

Twitter said it fixed the bug in January — six months after the bug was initially introduced to its codebase — after a bug bounty report by a security researcher, who was awarded $6,000 for disclosing the vulnerability.

According to the bug bounty report, the vulnerability posed a “serious threat” to users who have private or pseudonymous accounts, and could be used to “create a database” or enumerate “a big chunk of the Twitter user base.” It’s similar to a vulnerability discovered in late 2019 that allowed a security researcher to match 17 million phone numbers to Twitter accounts.

But the researcher’s warning came too late. Hackers had already exploited the vulnerability during that six-month window to create a database of email addresses and phone numbers of 5.4 million Twitter accounts.

Twitter said it learned about the exploitation from an unspecified press report in July, which found a listing on a cybercrime forum claiming to have user data “from celebrities to companies,” and OGs, referring to custom or highly sought-after social media and gaming usernames.

“After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter said. “We will be directly notifying the account owners we can confirm were affected by this issue.”

It’s the latest security incident to hit Twitter in recent years. In May, Twitter agreed to pay $150 million in a settlement with the Federal Trade Commission after the company misused phone numbers and email addresses, which users submitted for setting up two-factor authentication, for targeted advertising.

Discord gives servers a way to intercept spam and harmful content, will expand premium memberships

Discord is introducing a native way for servers to preemptively detect and block harmful messages and spam. The tool, called AutoMod, is available today and will allow anyone who moderates one of Discord’s server-based communities to create a custom list of words that the new bot can scan for and intercept.

When one of the target words is detected, the bot can automatically block that message so it never hits the server, send an alert to a specific channel to give moderators the head’s up or put a user in “timeout” by temporarily turning off their ability to send messages. Discord will also provide a pre-built list of words and phrases that are commonly flagged by mods that can easily be toggled on without building a custom keyword list.

“I think one of the big pain points that we’ve heard from a lot of moderators is that they spend a lot of time policing their servers, as opposed to actually doing the things that they want to do, like running events [and] creating culture,” Discord Head of Creator Product Marketing Jesse Wofford told TechCrunch.

Unlike existing tools, Discord’s AutoBot can preemptively scan conversations, identifying anything with the targeted keywords before it ever appears in chat. External tools previously didn’t have the permissions required to see messages before they hit a server and instead would automatically moderate them a few seconds afterward. Discord says that it will give its developer community the ability to build onto AutoMod’s preemptive detection ability now that the new native tool is in the wild.

“There are a lot of moderation bots on Discord and I think they’ve actually been doing a lot of the heavy lifting for now,” Wofford said. “We’ve taken a lot of inspiration from them in terms of what’s working for them and actually chatting directly with developers and chatting to our admins about what they like.”

Discord is increasingly building some of the features its users previously incorporated through external services into its core app. Users have long relied on the app’s external ecosystem of plug-in tools to do everything from welcoming new server members and scanning for harassment to DJing music within channels and playing mini games.

Wofford says that Discord wants developers to “come along for the ride” and remain relevant even as the company integrates features that external bots previously provided to its community.

Beyond introducing AutoBot, Discord also announced that it will expand premium memberships, a Patreon-like way for active community members to pay for perks and additional server access.

Discord first announced a pilot program for premium memberships back in December. The company started by giving a small cluster of communities access to the feature set, which allows servers to make a portion of or all of their content available to paid members only. The early servers that tested premium memberships included a game tutorial community, The Trans Community Center and Stream Professor, which offers guides for people getting into livestreaming.

The idea is to both make the work of maintaining a Discord community more “sustainable” and to bring outside payments users make for premium content on Patreon or elsewhere into Discord itself.

This summer, Discord will begin allowing more servers to enable premium memberships, but the company isn’t yet opening the feature to anyone. Discord will allow servers in the U.S. with under 500 members to apply for the program, but will still hand review those communities to ensure that the rollout is smoothly and the company learns along the way.

“We want to make sure that we’re being very thoughtful about people coming in,” Wofford said. “We think that we’re creating a really new paradigm for career monetization, when it comes to the idea of community being something of value you can monetize. And I think we’re playing the long game here.”

Discord is also introducing two new resources for mods and admins that manage communities: a community resource center stocked with educational information to help servers get up and running and a special hub where community admins can interact with Discord’s staff, get news and join events.

Workrise fixes API that spilled users’ personal information

Workforce management unicorn Workrise has fixed an exposed API that was spilling some users’ personal information.

The Austin, Texas-based startup, which previously went by RigUp, was founded in 2014 as a marketplace for on-demand and skilled labor in the oil and gas industry. The company changed its name to Workrise in February 2021 to accommodate a broader set of energy sectors, like solar, construction and defense. By May 2021, Workrise said it had raised $300 million at a $2.9 billion valuation. But last month, Workrise announced layoffs that reportedly hit hundreds of the company’s 600 employees after the mid-pandemic pivot failed to pan out.

Now, a security researcher who goes by the handle Rzlr told TechCrunch that they found an exposed Workrise API that allowed anyone to retrieve personal information about subcontractors directly from Workrise servers without needing a password.

The API was able to return names, email addresses and some employment details about subcontractor’s work, and names and email addresses about the people who provided references for the subcontractors, such as their former colleagues and managers.

In simple terms, an API allows two things to talk with each other over the internet, like a smartphone app, a Peloton bike, or door locks that need to communicate with their servers. In this case the unauthenticated API could be queried using a web browser by plugging in a unique four-digit user ID that corresponds with a subcontractor’s review. But the user IDs were sequential, allowing anyone to access another subcontractor’s information simply by changing the user ID by a single digit, a common security flaw known as an insecure direct object reference bug — though Rzlr said not every digit returned a valid response.

Several of the exposed records seen by TechCrunch were created as far back as 2019 and marked as “draft.”

Rzlr said in their limited testing of 1,000 records, they found more than 920 records with names and email addresses. Rzlr said the API did not limit the amount of data that could be downloaded, which they warned could have presented a scraping risk.

A screenshot shared with TechCrunch showed that the data could be easily scraped.

TechCrunch emailed CEO Xuan Yong and COO Mike Witte, who did not respond, but a short time later the API was no longer publicly accessible and was protected by a login page. In an emailed response, Eric Murphy, Workrise’s vice president of security, told TechCrunch: “Users maintain public profiles by default,” said Murphy. “To the extent Workrise determines any active user data was exposed that was not intended to be public, Workrise plans to notify those users directly.”

Rzlr said they contacted several Workrise email addresses on April 22 — including Murphy’s and the company’s main security email address — about the exposed API. When asked why the API was not secured for two weeks until TechCrunch contacted the company, Murphy said the researcher’s emails were marked as spam.

Workrise also fixed a second API issue that allowed anyone to obtain users’ referral codes, which could then be used to query the API to obtain the name, email address, phone number and the referral payment amount of users who invited others to join the site.

When asked if the company had carried out security audits of its systems, Murphy said the company had undergone “multiple” third-party audits but declined to name the company that allegedly performed them.

ProtonMail buys email alias startup SimpleLogin

Proton, the Geneva, Switzerland-based startup behind the eponymous E2E encrypted webmail service ProtonMail, has acquired French startup SimpleLogin, which offers a freemium, open source service for creating email aliases to let people shield their actual email address when they sign up for digital services.

Paris-based SimpleLogin was founded back in 2019 and works as a browser extension, web app and mobile app — also offering users with a dashboard where they can disable aliases (such as if one starts getting spammed); and manage multiple real email addresses (i.e. if they have a number of email accounts which they want to be able to send aliased emails from).

The startup has grown to more than 100k users, with more than 2M email aliases created to date. We’re also told its monthly growth rate is in the double digits.

There is a fair amount of service overlap already between SimpleLogin and Proton with around a quarter of SimpleLogin users also being ProtonMail users, according to a Proton spokesman, who talks up “strong synergies between us”.

Commenting on being acquired in a statement, Son Nguyen Kim, founder and CEO of SimpleLogin, added: “SimpleLogin’s mission is to protect your online identity… We like Proton’s mission, its transparency, open-source nature, and user-first culture. It’s exciting to know what we can do with Proton experience and resources.”

Financial terms of the acquisition are not being disclosed.

In a blog post announcing the acquisition, Proton’s founder and CEO Andy Yen also flags the overlap, writing: “We have been following SimpleLogin closely for a long time as many ProtonMail users utilize it to prevent their ProtonMail addresses from being leaked to spammers.”

“SimpleLogin is a complementary service to ProtonMail,” he adds. “ProtonMail protects your data privacy with encryption, while SimpleLogin prevents malicious actors from discovering your actual email address by hiding your email.“

Proton’s plan is to more deeply integrate SimpleLogin functionality into ProtonMail — meaning its wider user-base will be able to hide their email addresses using SimpleLogin without having to sign up separately for the latter service.

Proton will also be maintaining SimpleLogin as a separate service, per Yen.

“If you already use SimpleLogin with ProtonMail, things will continue to work the same as before,” he says. “SimpleLogin will continue working as a separate service, and the SimpleLogin team will continue building new features and adding functionality but now with the benefit of Proton’s infrastructure and security engineering capabilities.”

SimpleLogin’s team will continue to operate out of Paris where Yen says Proton will now be actively seeking to recruit from as it continues to expand the business, adding that its hope is to create “dozens” of jobs in the coming years.

The acquisition marks a further expansion of Proton’s suite of services — which as well as E2E web mail for individuals and business users includes an own brand VPN, a calendar product and cloud storage (aka Proton Drive).

Sustaining a privacy-focused business model which does not rely on data mining users to generate revenue encourages expansion into additional, aligned service areas to maximize cross-selling opportunities. Hence we’ve also seen the non-tracking browser, DuckDuckGo, bolting on a number of additional services in recent years as competition hots up for privacy-centric services.

Most pertinently, DuckDuckGo launched an email protection service last summer which offers a fairly similar email shielding feature as SimpleLogin — providing users with a free personal email address (albeit merely to forward email to the user’s regular inbox; DuckDuckGo claims it doesn’t save your emails and isn’t (as yet) offering a like-for-like webmail service).

It’s clear that increasing competition in the privacy space is leading to previously once very distinct services to range further and start to overlap territorially. For users the upshot is more fully featured privacy products that promise to shield more of their online activity from prying eyes.


Cloaked raises $25M Series A to generate privacy-friendly identities on the fly

Cloaked, a Boston-based startup that allows users to generate unique email addresses and phone numbers when creating online accounts, has secured $25 million in Series A funding.

Founded in 2020 by brothers Arjun and Abhijay Bhatnagar, Cloaked allows privacy-conscious individuals to create unique identifiers. The service, available as an app and a browser extension, creates “cloaked” identities — such as emails, phone numbers, passwords, and credit card numbers — that can be unique to any given online service. Cloaked operates like a password manager, but rather than saving a user’s passwords, the platform creates and replaces personal information with “cloaked” data.

Unlike other services that generate identifiers, such as Apple’s Hide My Email, Cloaked’s smart settings make it easy for individuals to personalize and customize how each identity works. For example, individuals can choose what, when, where and with whom they share information, and each email address and phone number can be turned on/off, snoozed, expired, and automatically updated if compromised. Users can also choose whether they want messages to auto-forward to personal emails and phone numbers or for them to live within Cloaked.

Cloaked says it keeps personal information private from the start, with every user owning an encrypted database where all their personal information is stored, giving them the keys and control to manage or delete at any point.

“People liked this idea of feeling known, but not surveilled,” Abhijay tells TechCrunch. He said that those currently using Cloaked in an early preview are creating identifiers for online banking to online dating. “We really want to rebuild people’s relationship with not just their data, but technology as a whole,” he said.

Cloaked offers a service like a password manager but for generating online identities. (Image: supplied)

Cloaked, which is currently a free service but plans to move to a freemium model, tells TechCrunch that its Series A funding, which was co-led by Lux Capital and Human Capital, will help it to continue to build out its product and exit beta. The startup now has a 26-strong team of fully-remote employees and is looking to hire. “We’ll be sticking to remote-first,” Arjun says. “This broadens our ability to hire the best taken in the world wherever they are, and we want to make sure that our team is full of the smartest people around.”

Cloaked is the second startup founded by the Bhatnagar brothers. Prior to launching their latest venture, they founded and sold Hey! HeadsUp, an online platform that allows users to add tasks to other peoples’ schedules without sharing multiple calendars and event invites.

Too much email? Try Gated, which asks unknown senders to make a donation first

If you aren’t drowning in email these days, you either don’t have an email account or you are a very young person who marketers haven’t discovered quite yet (they will!).

To push back against the assault, a 10-month-old, Bay Area-based startup called Gated has emerged with an approach to help both overwhelmed email recipients and hopefully benefit society at large. The big idea: to force unknown senders to donate to a nonprofit chosen by the email recipient in order to get into their inbox. Want to tell strangers about your event next month, pitch your company, sell your gizmo? That’s fine, but it’s going to cost you — maybe a lot, depending on who you’re trying to reach.

Gated — founded by Andy Mowat, an angel investor who was most recently the VP of growth operations at the employee engagement startup CultureAmp —  works by creating a separate folder in one’s Gmail account. According to Mowat, the software automatically builds a list of allowed senders based on who the email holder has communicated with previously; when unknown senders reach out, they’re promptly moved into this separate folder, where they’re told they can only reach the user’s inbox if they make a donation to that person’s charity of choice. The individual sets the price — beginning with a minimum of $2 per email — after which 70% of the payment goes to the (vetted) nonprofit. The rest flows to Gated, whose software is free.

Unsurprisingly, venture capitalists, who are the target of hundreds of pitches each day, love the idea. Indeed, Gated is announcing that it has raised $3.3 million in seed funding led by Corazon Capital, with participation from Precursor Ventures, Burst Capital, Tuesday Capital and other early-stage funds.

Of course, as much as the concept may resonate with potential users (waves hand), it also raises questions, including, first and foremost, around privacy.

For its part, Gated says it never reads the contents of any message. “We’re only looking at the metadata, the ‘to’ and the ‘from,'” says Mowat. Even still, there are only so many people being flooded by enough strangers’ requests that Gmail filters aren’t enough. Some of those people are likely influential in their own way and might not love Gated mapping their connections over time.

Another challenge is that not everyone uses Gmail, which is the only platform to approve the use of Gated’s software to date. (Mowat says the company is going through the “next round of reviews” with Microsoft, noting that some email platforms have “had some other partners burn them in the past” so they “put everyone through a security review.”)

Gated is also not a lucrative business to start, though as with most startups, that could surely change. As Mowat tells us, a large chunk of the revenue Gated expects to receive will end up going toward payment fees to cover the cost of all these transactions. While he and his small team are already thinking about micropayments schemes so Gated isn’t eaten alive by credit card fees, it’s not there yet.

As for how Gated grows, beyond articles like this one, the outfit is counting on a heavy viral component to spread the word at first. That seems like a reasonable approach, given that even two weeks ago, Gated already had a wait list of 2,500 people, according to Mowat, despite having not yet launched publicly.

Later, Gated also plans to develop a business-to-business product, where marketers work with Gated to develop a budget that allows their sales teams to send out a certain number of emails per month.

By the way, if you’re wondering: An email recipient who uses Gated is under no obligation to answer an email, no matter how much someone has paid to get it into their Gmail account.

According to Mowat, the response rate the company is seeing with its beginning user base is higher than average. “Between 40% to 60% of all donated emails are replied to, with some users replying to every single email because they really appreciate people respecting their time.” Others, he adds, still reply “very infrequently.”

It’s also worth noting that a “donor” does not have unfettered access forever to the inbox of an email recipient. “There’s some subtleness to it,” says Mowat, but basically, if a recipient responds to an email, the email sender is placed in a known sender group by default. Still, that sender can be dragged back to that Gated folder at any time.

And there’s a third option called “mute.” Says Mowat, “That basically means, ‘Don’t send them another challenge email. But also don’t put them in my inbox.'”

Google discovers threat actor working as an ‘initial access broker’ for Conti ransomware hackers

Google’s Threat Analysis Group has observed a financially-motivated threat actor working as an intermediary for the Russian hackers, including the Conti ransomware gang.

The group, which Google refers to as “Exotic Lily,” acts as an initial access broker, finding vulnerable organizations and selling access to their networks to the highest bidder. By contracting out the initial access to a victim’s network, ransomware gangs like Conti can focus on the execution phase of an attack.

In the case of Exotic Lily, this initial access was gained through email campaigns, in which the group masqueraded as legitimate organizations and employees through the use of domain and identity spoofing. In the majority of cases, a spoofed domain was nearly identical to the real domain name of an existing organization, but changed the top-level domains to “.us,” “.co” or “.biz.” In order to appear as legitimate employees, Exotic Lily set up social media profiles and AI-generated images of human faces.

The attackers, which Google believes are operating from Central or Eastern Europe due to the threat actors’ working hours, would then send spear-phishing emails under the pretext of a business proposal, before ultimately uploading a payload to a public file-sharing service such as WeTransfer or Microsoft OneDrive.

“This level of human interaction is rather unusual for cybercrime groups focused on mass-scale operations,” notes Google researchers Vlad Stolyarov and Benoit Sevens in a blog post shared with TechCrunch before publication.

These malicious payloads initially took the form of documents containing an exploit for a zero-day in Microsoft’s MSHTML browser engine (tracked as CVE-2021-40444), before the attackers switched to the delivery of ISO disk images containing hidden BazarLoader payloads. Google researchers say this shift confirms Exotic Lily’s relationship with a Russian cybercrime group tracked as Wizard Spider (also known as UNC1878), which is linked to the notorious Ryuk ransomware that has been used to target businesses, hospitals — including U.S-based Universal Health Services — and government institutions since 2018.

While the nature of this relationship remains unclear, Google says that Exotic Lily appears to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware.

Exotic Lily, which was first observed in September 2021 and is still active today, was sending more than 5,000 phishing emails a day to as many as 650 organizations during the peak of its activity, Google said. While the group initially seemed to be targeting specific industries such as IT, cybersecurity and healthcare, it has more recently begun attacking a wide variety of organizations and industries, with less of a specific focus.

Google has also shared indicators of compromise (IOCs) from Exotic Lily’s large-scale email campaign to help organizations defend their networks.

Google Docs now lets you draft emails with others and export them to Gmail

Google is introducing a new feature in Google Docs that aims to make it easier to collaborate on an email draft, the company announced on Wednesday. The new Google Docs email draft template lets users draft emails and then export them to Gmail.

The launch is part of Google’s Smart Canvas push that leverages the “@ menu,” which lets users quickly perform actions. The email draft template can be accessed by entering “@email” in a Google Doc. Doing so will surface a template that includes To, Cc, Bcc and Subject lines. When you’re ready to send the email, you can select the Gmail icon to export your draft to the emailing service. A Gmail compose window will pop up and all of the email fields will be automatically filled out with the information you entered in the email draft in the Google Doc.

gmail email draft

Image Credits: Google

“We’re making it easy to collaborate on an email draft in Docs with the new email draft template,” Google said in a blog post about the new feature. “You can mention people in the recipient fields using the @ menu without having to remember their email addresses, and collaborate on the message body using comments and suggestions.”

The feature was first teased in February and is now starting to roll out to all Google Workspace customers, as well as legacy G Suite Basic and Business customers. Google hasn’t mentioned availability for personal use, but TechCrunch has reached out to the company to learn more. It’s worth noting that Gmail features often first roll out to G Suite customers before launching for consumers. For instance, business customers got access to Gmail’s deeper integrations with Chat, Meet and Rooms before consumers did. 

The new email draft template will be useful in instances where teams need to collaborate on an email together. Although you could always copy and paste the text from Google Docs and Gmail, this new integration makes it easier to use both of these products in one place and get things done faster.

Nvidia confirms it is investigating a cybersecurity incident

U.S. chipmaker Nvidia has confirmed that it’s investigating a cyber incident that has reportedly downed the company’s developer tools and email systems.

Nvidia told TechCrunch in a statement that the nature and scope of the incident are still being evaluated, adding that the company’s commercial activities have not been impacted as a result.

“We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time,” the statement read.

While Nvidia isn’t sharing any more details about the incident, The Telegraph reports that the company’s email systems and developer tools have been suffering from outages over the last two days following a “malicious network intrusion.”

Citing an insider, the report claims that the company’s systems was “completely compromised,” but added that portions of its email systems had started working on Friday.

It’s not yet clear whether hackers obtained data on Nvidia or its customers, nor whether any of its partners were affected. Nvidia has not yet identified the culprit, and customers say they had not been informed of any incident, according to The Telegraph’s report.

News of a potential cyberattack at Nvidia comes just weeks after the Santa Clara-based company terminated its $40 billion bid to acquire British chip designer Arm. The company said the decision was mutual, resulting from “significant regulatory challenges preventing the consummation of the transaction, despite good faith efforts by the parties.”