It Takes 2 Minutes to Hack the EU’s New Age-Verification App

WIRED, Apr 18, 2026

Why It Matters

The EU app flaw threatens to undermine mandatory age‑verification regimes, eroding user trust and prompting regulators to reassess enforcement. Combined with multiple high‑profile breaches, it highlights systemic security gaps that could invite stricter oversight and costly remediation.

Key Takeaways

  • EU age‑verification app hacked in under two minutes
  • Basic‑Fit breach exposed ~1 million customers’ bank details
  • Booking.com breach disclosed names, emails, booking data
  • Bluesky DDoS caused intermittent feed outages
  • Grinex loss of $13 million blamed on foreign spies

Pulse Analysis

The European Commission’s newly released age‑verification tool was meant to close the loophole that lets minors access adult content online. However, security consultant Paul Moore showed that the app’s PIN storage can be reverse‑engineered in less than two minutes, allowing attackers to hijack user profiles. This discovery not only jeopardizes the personal data of millions but also raises questions about the EU’s ability to enforce robust security standards on open‑source solutions, especially when the technology is mandated across member states.

The vulnerability appears amid a broader spate of high‑profile data incidents. Basic‑Fit, Europe’s biggest gym chain, confirmed that the personal and banking information of roughly one million members was exposed, while Booking.com reported unauthorized access to customer names, contact details, and reservation histories. Simultaneously, the decentralized social network Bluesky wrestled with a sophisticated DDoS attack that disrupted feeds and notifications, and Russia’s Grinex exchange suffered a $13 million theft, which the platform attributes to state‑sponsored hackers. These events illustrate a pattern: even well‑funded, regulated entities are struggling to keep pace with evolving cyber threats.

For businesses and policymakers, the converging crises signal an urgent need for stronger security governance. Regulators may push for mandatory third‑party audits, stricter encryption requirements, and faster vulnerability disclosure processes. Companies, in turn, must prioritize secure development lifecycles, continuous penetration testing, and rapid incident response capabilities. As digital services become increasingly intertwined with everyday life, the cost of complacency grows—not just in financial terms, but in consumer confidence and regulatory credibility.
