- đď¸â Your Security Checklist
- đđď¸ Test Your Security Skills
- đ° Your Weekly Security Update
- 𤨠This Should Be on Your Radar đĄ
- đ Security Fail of the Week đ
- đđą Security Updates from Apple đ
If you take nothing else from this newsletter, just do these three things to protect yourself:
- If you havenât already, enable Face ID on your iPhone. Face ID keeps your iPhone secure and prevents others from being able to unlock your device.
- Switch to an alphanumeric passcode for extra security. An alphanumeric passcode is much more difficult to guess than a four- or six-digit passcode since you can use letters and symbols.
- Disable Face ID if you are ever compelled to unlock your iPhone. If youâre ever in a situation where someone might try to force you to unlock your iPhone with Face ID, you can lock your phone in an instant and disable Face ID.
Whatâs the safest way to send a sensitive document? đ¤
- Signal
- iCloud share
- Dropbox
- Google Drive
Scroll to the bottom to see how you did!
Luxshare, a tech manufacturer based in China, was hit by a cyberattack last month. Luxshare handles manufacturing for several tech companies, including Apple, Nvidia, and Tesla. That means that any data that was stolen could include confidential information about these companiesâ products, like 3D models, component designs, circuit board-manufacturing data, and more. Additionally, employee names, job titles, and email addresses were also exposed. The attackers, a group called RansomHub, have threatened to leak the stolen data if Luxshare does not contact them (and presumably pay a ransom). Read more about this cyberattack at Cybernews.
The Bottom Line: This cyberattack could prove devastating for the companies involved. The stolen data could be used by competitors to manufacture counterfeits or reveal hardware vulnerabilities for hackers. However, weâre hopeful that the stolen data will prove inconsequential and that Apple (as well as the other affected companies) can patch any possible hardware exploits.
ICE Facial Recognition App Incorrectly Identifies Citizen
Mobile Fortify is an app used by Immigration and Customs Enforcement (ICE) to identify whether or not someone is a US citizen. The app works by using facial recognition to determine an individualâs identity. The agency believes that the appâs facial recognition is so accurate that it should be trusted over a birth certificate. However, last year, a woman in Oregon was arrested by ICE, and the app incorrectly identified her, not once but twice. Mobile Fortify gave two different names when the womanâs face was scanned, neither of which was correct, leaving many to wonder just how reliable this app really is. You can read more about Mobile Fortify and this particular incident at 404 Media.
The Bottom Line: Software is not infallible, especially when it comes to facial recognition. Think about how many times youâve gone to unlock your iPhone with Face ID only for that little lock icon to shake and prompt you to enter your passcode instead. If Face ID, which is supposed to be more secure than a password, can fail like that, surely an identification app based on facial recognition can fail just as easily. That means law enforcement could easily arrest law-abiding citizens based on false information if Mobile Fortify incorrectly identifies them as undocumented immigrants.
Data Breach at Grubhub
Grubhub is the latest victim of a data breach. The popular food delivery platform has not offered many details, only confirming that a breach occurred and that no customer financial information was stolen. The company has also said that it is working with a cybersecurity firm to investigate the breach. According to BleepingComputerâs sources, the company is likely being extorted by the ShinyHunters hacking group. However, neither Grubhub nor ShinyHunters has commented on the incident.
The Bottom Line: If you are a Grubhub customer, the company will likely divulge more details about the breach and notify you if your data was affected. In the meantime, we recommend updating your Grubhub password and freezing your credit, in case any of the data from the breach could be used to steal your identity.
The Electronic Frontier Foundationâs Security Plan
We recently found that the Electronic Frontier Foundation (EFF) has a website dedicated to Surveillance Self-Defense, where you can find a variety of guides on helping you improve your digital security. One of the basics you can start with is setting up a security plan. While this particular guide hasnât been updated since 2023, the advice and instructions provided are still relevant today.
The Bottom Line: The EFFâs security plan is an easy-to-follow, actionable guide that can get you started with improving your personal security. Check it out to make sure youâre protected and prepared.
European Rail System Breached
Eurail, a popular rail system used throughout Europe, was breached recently. The breach included information such as order numbers, customer details, names, and the names of traveling companions. In some cases, passport details, including passport numbers, may have also been exposed. Eurail customers who received a pass through the DiscoverEU program have possibly also had their bank account reference numbers leaked as well. Check out Eurailâs statement for more details.
The Bottom Line: If youâre a Eurail customer and your passport was leaked, we would recommend investing in a credit monitoring service to ensure your identity isnât stolen. Eurail is likely contacting affected customers about this incident as well.
Hacker Steals More Than $200 Million in Cryptocurrency
Cryptocurrency blockchain researcher ZachXBT reported last week that a hacker made off with $282 million in cryptocurrency. The attacker used a social engineering scam to gain access to the victimâs cryptowallet. ZachXBT did not go into detail about the attack or its victim. Check out the full story at CoinDesk.
The Bottom Line: Social engineering scams are easy to fall for, since they prey on your willingness to trust another person, even if you donât know them. However, you should never hand over confidential information, whether itâs a crypto address or your bank account number, without knowing exactly who you are giving it to.
Web Traffic Down for Many Publishers Due to AI Summaries
The PressGazette reports new data from Chartbeat showing that referral traffic from Google searches to publishers declined by a third in 2025. The data seems to indicate that the decline is due to the rise in Google AI summaries, which provide quick and easy answers to any search query, negating the need to click through to any websites. That means users are taking Google AI summaries at face value rather than scrolling through search results and visiting a reputable website. While this isnât necessarily a privacy or security concern, it does affect websites like our own as well as those of other independent publishers and news sites. Websites that rely on regular visitors could be in trouble if this trend continues. Head over to PressGazette for more on the report.
The Bottom Line: This newsletter serves to compile the latest security and privacy news and deliver it to you in a digestible format. It only works because we are able to pull from many different sources. If you want to support publishers like the websites we include each week, you can help by clicking the links in this newsletter. Additionally, when looking at an AI overview, there is usually a link icon at the end of each paragraph, which you can click to find sources for the information provided in the overview. Better yet, you can visit Googleâs Support page for AI Overviews to find instructions on how to disable it.
Hackers Can Access Some Wireless Earbuds
Android users who use wireless earbuds may be at risk of a new vulnerability called WhisperPair. In the same way AirPods seamlessly connect to your iPhone and other devices, Googleâs Fast Pair devices can quickly connect to Android phones. In addition to Google, Fast Pair audio devices are manufactured by other tech companies like Sony, JBL, OnePlus, and others. The WhisperPair vulnerability allows potential hackers to connect to affected devices without the owner knowing. Once connected, attackers can access the microphone and location-tracking features. Find out more about WhisperPair at Ars Technica or check out the list of vulnerable devices.
The Bottom Line: If you use any Fast Pair devices, you could be vulnerable to WhisperPair, even if you donât own an Android phone. WhisperPair can be combated by factory resetting your device after it has been compromised. However, it can still be hacked again even after itâs been reset. Thankfully, most manufacturers will likely begin pushing out firmware updates to patch this vulnerability, so if you own any of the devices in the list linked above, be sure to install the deviceâs companion app, if there is one. Having the companion app will allow you to install updates for your audio devices as soon as they are available.
Hacker Helps Media Corp Patch Vulnerability But Steals Data Anyway
A hacker going by the name of Lovely discovered a serious vulnerability in the cybersecurity of CondĂŠ Nast, the media parent company of Wired, Ars Technica, and many others. After many failed attempts to contact the company to inform them of this vulnerability, Lovely reached out to DataBreaches, a website dedicated to reporting the latest hacks and data breaches. With DataBreachesâ help, Lovely was able to get in contact with CondĂŠ Nast, but not before downloading more than 33 million profiles using the very vulnerability they were trying to warn the company about. It turns out, Lovely had apparently been leaking data from Wired on various forums while claiming they only wanted to warn CondĂŠ Nast about the security flaw. You can read the full story at DataBreaches. Itâs quite an interesting read.
The Bottom Line: Thereâs not a whole lot of practical advice for this story, other than maybe not to trust self-professed hackers or scammers. Even still, itâs an interesting story, and DataBreaches no doubt still did CondĂŠ Nast a favor by making the company aware of a flaw in its security.
Tennessee Man Hacks the Supreme Court
A 24-year-old named Nicholas Moore allegedly hacked the US Supreme Court over the course of three months. Moore reportedly accessed the Supreme Courtâs filing system 25 different times between August and October 2023. The Department of Justice has not made any details public about what Moore did while in the filing system or what data he accessed, but he is expected to plead guilty to computer fraud. As an ordinary citizen, Mooreâs hack of the Supreme Court brings into question the countryâs cybersecurity. You can read more about the case at TechCrunch.
The Bottom Line: If someone like Moore can break into the countryâs highest court, it really makes us wonder what a state-sponsored hacker could be capable of. We hope this incident has encouraged the Supreme Court to start taking its cybersecurity more seriously.
Everything you need to know about Appleâs latest software updates.
- The most recent iOS and iPadOS is 26.2
- The most recent macOS is 26.2
- The most recent tvOS is 26.2
- The most recent watchOS is 26.2
- The most recent visionOS is 26.2
Read about the latest updates from Apple.
The correct answer is 2: Signal. Signal is encrypted end-to-end, which means you can be confident that no message can be intercepted or recorded permanently except by the sender and the receiver. The Signal Foundationâa nonprofit that runs the servers used by Signal and maintains the appâdoesnât record metadata about who you contact or when using Signal, unlike WhatsApp. Itâs free, super easy to set up, easy to use, and itâs the safest way to send messages, including sensitive documents. We have no relationship with Signal; this isnât an ad. Usually, there is some nuance in a topic like this: some apps are better in some ways, and others are better in other ways. Thatâs not the case right now. For the moment, Signal is the best app to use when you want to send secure and private information between private individuals, acting in a private capacity. The EFF published a step-by-step guide for how to use Signal.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Interested in securing your iPhone data? Check out:
|
