Mozilla researchers reported that period-tracking app Stardust transmitted users’ sensitive health information to third-party analytics company RudderStack, despite the app’s privacy-focused branding. According to the findings, the shared data included birthdate, birth control type, reproductive goals, symptoms, and a unique identifier that could link records back to individual users. The report said the practice exposed highly personal reproductive-health data to an outside company and contradicted claims that the app was designed to protect user privacy.
The disclosure renewed scrutiny of health-app data handling and echoed longstanding warnings that techniques such as hashing do not make personal data anonymous if records can still be tied to individuals. Researchers said such sharing can create legal and security risks, including exposure through breaches, commercial reuse, or law-enforcement demands. In Mozilla’s testing of six period-tracking apps, Stardust was the only app observed sending sensitive health data to another company, while Euki was highlighted for keeping core health data on the user’s device.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Mozilla researchers reported that the period-tracking app Stardust shared sensitive user health information with third-party analytics firm RudderStack, including details such as birthdate, birth control type, reproductive goals, symptoms, and a unique identifier. The researchers also said Stardust was the only app among six tested that they observed sending such sensitive health data to another company.
The U.S. Federal Trade Commission published guidance explaining that hashed personal data can still be identifiable and should not be treated as anonymous data.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.