
Microsoft Recall on Copilot+ PC: testing the security and privacy implications

ID: 02608d33-e5e8-53ef-9e4b-20894199c2da

STIX ID: report--02608d33-e5e8-53ef-9e4b-20894199c2da

Feed Name: DoublePulsar

Threat Score: 60/100

Date Published: 2025-04-21

Date Updated: 2026-04-19

Author: Kevin Beaumont

...
...

The report shows that Microsoft Recall requires biometrics only during initial onboarding; thereafter it can be unlocked with a Windows Hello PIN. This allows an attacker who knows or guesses the PIN to search, view, and export Recall, and to re-enable it to record activity, including deleted content. Tests reproduced access by a non-technical person and found sensitive-data filtering unreliable (e.g., credit card details were recorded).
