What we found
Microsoft 365 (F): Microsoft promised Copilot would respect your confidentiality labels, the digital equivalent of "EYES ONLY" stamps.
In January 2026, a bug let Copilot read and summarize confidential emails in Sent Items and Drafts despite DLP restrictions. Microsoft confirmed a code error but wouldn't say how many were affected. The fix didn't roll out until February. US Congress banned Copilot for staffers. European Parliament blocked it on work devices.
Google Workspace (F): Google told the world it stopped reading your emails in 2017.
Smart Features still scans every email, attachment, chat, and calendar event using AI — on by default. In the EU/UK these features ship off by default, an implicit admission of the risk. Full opt-out requires disabling two separate buried settings. Miss one and scanning continues.
Canva (F): Canva says you're "in control" of your data.
AI training is turned on by default for new accounts. Users must navigate to a buried privacy controls page to opt out. Canva's AI Product Terms confirm it may analyze activity, content, and media uploads to train algorithms and AI products using machine learning.
Truecaller (F): You have never installed Truecaller.
Truecaller builds its database by uploading the entire contact list of every user who installs the app. If your friend installs Truecaller, your name, phone number, and any other contact details they stored are uploaded to Truecaller's servers — without your knowledge or consent. An estimated 4 billion phone numbers are in Truecaller's database. You do not need to be a user to be in it.
Aura Identity Protection (F): The identity protection company got hacked.
In March 2026, ShinyHunters breached Aura — an identity theft protection company — by voice phishing one of its employees. 900,000 records were accessed in 60 minutes. When the breach appeared on Have I Been Pwned, Aura's own sponsored advertisement for identity theft protection was displayed directly above the details of Aura's own breach. The company you pay to protect your identity from breaches got breached. The attack took one phone call and one hour. You paid for a shield. The shield was made of paper.
LexisNexis (F): LexisNexis, the platform federal judges, DOJ attorneys, and SEC investigators use every day, was breached because they didn't install a security patch for ...
In February 2026, hackers exploited an unpatched React vulnerability (CVE-2025-55182) to breach LexisNexis. The patch had been available for over two months. 400,000 user profiles and 21,000 enterprise accounts were exposed — including 118 .gov users: federal judges, DOJ attorneys, and SEC staff. 53 plaintext AWS secrets were stolen, including production database passwords. A company that sells data security and compliance tools to the legal profession left a known vulnerability unpatched for two months and stored AWS production passwords in plaintext. The platform federal judges use to research cases exposed those judges' personal information.
Notion (D): Notion says agents start with zero access and admins control everything.
Notion's own help documentation confirms: "Agent users can retrieve information from resources they lack access to, or make edits if the agent has read and write permissions to those resources." When a department lead shares an agent with a team member, that team member can query the agent to access pages they personally cannot see. The agent's permissions override the user's — a structural privilege escalation. For non-Enterprise plans, LLM subprocessors retain data for up to 30 days.
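The escalation described above is a confused-deputy problem: the agent's grants are checked, the requester's are not. The following is an added toy model (not Notion's code; the workspace, page names, users and agent are all constructed) that puts the permissive check beside a least-privilege check in which the effective permission of an agent query is the intersection of the agent's grants and the requesting user's own access.

```python
"""Toy model of an agent acting on behalf of a user (constructed example).

Shows why an agent query must be authorized against BOTH the agent's grants
and the requesting user's own access. Checking only the agent's grants turns
the agent into a confused deputy that relays pages the user cannot open.
"""
from dataclasses import dataclass

# Hypothetical workspace: page -> set of users with direct read access.
PAGE_ACL = {
    "q3-budget": {"dept-lead"},
    "team-wiki": {"dept-lead", "team-member"},
}

# Constructed page bodies, so the example runs offline.
PAGE_CONTENT = {
    "q3-budget": "Q3 budget: headcount freeze from October.",
    "team-wiki": "Standup at 10:00 in the blue room.",
}


class PermissionDenied(Exception):
    pass


@dataclass
class Agent:
    name: str
    grants: set        # pages the agent itself may read
    shared_with: set   # users allowed to query the agent


def agent_read_vulnerable(agent: Agent, user: str, page: str) -> str:
    """Permissive check: the user may use the agent, and the agent may read the
    page. The agent's grants stand in for the user's, so a shared agent relays
    pages the user has no direct access to."""
    if user not in agent.shared_with:
        raise PermissionDenied(f"{user} cannot use agent {agent.name}")
    if page not in agent.grants:
        raise PermissionDenied(f"agent {agent.name} cannot read {page}")
    return PAGE_CONTENT[page]


def agent_read_hardened(agent: Agent, user: str, page: str) -> str:
    """Least-privilege check: effective permission = agent grants AND the
    requesting user's own ACL entry. The agent can never widen what the
    user could already open."""
    if user not in agent.shared_with:
        raise PermissionDenied(f"{user} cannot use agent {agent.name}")
    if page not in agent.grants:
        raise PermissionDenied(f"agent {agent.name} cannot read {page}")
    if user not in PAGE_ACL.get(page, set()):
        raise PermissionDenied(
            f"{user} has no direct access to {page}; agent must not relay it"
        )
    return PAGE_CONTENT[page]


def reachable_via_agent(read_fn, agent: Agent, user: str) -> set:
    """Pages `user` can obtain through `agent` under the given check."""
    reached = set()
    for page in PAGE_CONTENT:
        try:
            read_fn(agent, user, page)
            reached.add(page)
        except PermissionDenied:
            pass
    return reached


def escalation(read_fn, agent: Agent, user: str) -> set:
    """Pages reachable through the agent that the user cannot open directly.
    A non-empty result is a privilege escalation path."""
    direct = {page for page, acl in PAGE_ACL.items() if user in acl}
    return reachable_via_agent(read_fn, agent, user) - direct


# A department lead's agent, granted the budget page and shared with the team.
BUDGET_AGENT = Agent(
    name="budget-helper",
    grants={"q3-budget", "team-wiki"},
    shared_with={"dept-lead", "team-member"},
)

if __name__ == "__main__":
    for label, fn in (("vulnerable", agent_read_vulnerable),
                      ("hardened", agent_read_hardened)):
        leaked = escalation(fn, BUDGET_AGENT, "team-member")
        print(f"{label:10s} team-member escalates to: {sorted(leaked) or 'nothing'}")
```

The same audit can be run against a real workspace export: enumerate every shared agent, compute the pages each recipient reaches through it, and subtract the pages that recipient can already open. Anything left over is exactly the "retrieve information from resources they lack access to" case in the help text.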
Adobe Creative Cloud (D): Adobe showed you a monthly price.
The FTC sued Adobe and two executives -- Maninder Sawhney and David Wadhwani -- in June 2024 for hiding early termination fees that could cost hundreds of dollars. Adobe enrolled users in "annual paid monthly" plans, showing the monthly cost prominently while burying the early termination fee (50% of remaining monthly payments) in fine print. Cancellation required navigating multiple pages and enduring resistance from customer service representatives, dropped calls, dropped chats, and multiple transfers. An unidentified Adobe executive described the early termination fee as "a bit like heroin for Adobe." The U.S. Department of Justice settled the case for $150 million. A separate class action lawsuit was filed in California federal court over the same practices. Adobe was required to clearly disclose ETFs before enrollment, remind customers before converting free trials to paid subscriptions, and provide easy cancellation methods.