Security Newsletter | 1/29/26

If you take nothing else from this newsletter, just do these three things to protect yourself:

1. Create a password-sharing group to share passwords with friends and family. If you share an account with a friend or family member, creating a password-sharing group in the Passwords app will keep your passwords secure.
2. Remove location metadata from photos and videos before sharing. If you have Location Services enabled, your photos and videos are tagged with location data that others can see. Luckily, it can easily be removed.
3. Take a few minutes to perform a Safety Check on your iPhone. The Safety Check feature allows you to review which apps and contacts have access to your personal data.

With increased immigration enforcement happening all over the country, most notably these days in the Twin Cities, the odds of witnessing an encounter with law enforcement or having one yourself have gone up significantly. It’s important to know what steps you can take from a digital privacy and security standpoint to stay safe.

Any time you're in public, you should know that photos and videos can be used to identify you or others who might be in the background of your recording, and metadata can be used to track your location. Law enforcement can and has used this information to identify citizens recording their actions. That’s why it’s important to take certain precautions, like disabling location tracking for the Camera app, turning off Face ID, and setting an alphanumeric passcode. To ensure maximum privacy, you should also make sure message previews are switched off. These are just a few of the steps you could take to protect yourself, but The Conversation has a detailed breakdown of some of the more nuanced options. Check out their article for more.

It is and has always been legal to record law enforcement activity, both with photos and videos, but it can also pose certain risks to the person recording. Different states have different laws about how close a bystander is allowed to get while recording police, and it is never legal to interfere in law enforcement operations.

The Bottom Line: Before you go to any event where law enforcement might be present, consider taking some extra steps to protect your digital privacy.

Entering the US May Soon Require Five Years of Social Media History

Under new rules from the Department of Homeland Security, foreign travelers entering the United States may soon be required to turn over five years of social media history to Customs and Border Protection (CBP) before entering the country. Additionally, CBP could require travelers to submit biometric information, like fingerprints or even DNA. CBP says that these new rules, which only apply to citizens from countries that are a part of the Visa Waiver Program, are to protect the US from terrorist attacks and hateful ideology. You can read more at NPR.

The Bottom Line: Using social media history as a benchmark for whether or not someone should be allowed into the country is uncharted territory. Without any clear-cut guidelines about what might cause someone to be denied entry, it gives CBP authority as to what constitutes a threat to the US. Regardless of the intent of these new rules, they’re certainly going to make traveling to the US more difficult for tourists.

149 Million Passwords Leaked

A security researcher recently discovered a massive database of 149 million usernames and passwords for sites and apps like Gmail, Facebook, Apple, Netflix, and many others. The database was completely unsecured and fully available to the public. It is unknown who the database belonged to, but the researcher successfully contacted the hosting service and had the database taken down. However, anyone could have downloaded or copied the database while it was up, putting millions of accounts at risk. Read more at Wired. The database was likely compiled by data-stealing malware.

The Bottom Line: As always, you should be using a password manager for this exact reason. Passwords get leaked all the time, and if you use the same password across multiple services, one leak means they’re all leaked. A password manager can ensure you have a unique password for every login, so if it’s leaked, your other accounts won’t be compromised.

Related: Best Password Manager for Your iPhone
 

Infostealer Malware Sneaks into Google Search Results

A common malware distribution technique has been gaining traction in the last few months. An ongoing campaign is using Search Engine Optimization (SEO) poisoning to trick unsuspecting macOS and Windows users into downloading infostealer malware. SEO poisoning works by tricking search engines into thinking that a malicious site is the most likely to answer a user’s search query. In one recent example, attackers set up a GitHub repository that looks to belong to a legitimate app developer using commonly searched keywords. For example, if one were looking to download an app called PagerDuty, they might enter the name of the app into Google and come across a GitHub link that looks like it belongs to the app developer. Then, when attempting to download the PagerDuty app from GitHub, the user instead downloads the infostealer malware. You can read more about this campaign at Daylight.

The Bottom Line: Always download apps from the macOS App Store. If the app you are looking for is not available on the App Store, be sure to seek out the app’s official website. Do not download apps from third-party sites or sketchy GitHub repositories.

Massive Number of SMS Messages Freely Visible Online

Most phones these days use encryption for their text messages, either the Apple iMessage protocol or the RCS messaging used by Android phones. But the old unencrypted SMS system is still in use. A paper published last week and reported on by Ars Technica found that more than 175 different companies involved in managing phone networks had set up more than 700 different nodes in the networks that were recording unencrypted SMS messages into archives freely visible on the internet. Put another way: millions of people’s text messages were just visible on the internet. Sign-in links sent via text message are a common way to log in or authenticate your account for many websites and apps, and those links were publicly visible as well, putting the accounts at risk

The Bottom Line: If a service you use offers a sign-in link that is sent over text message, avoid using it if possible. The message may be sent using SMS, and SMS messages are not very secure. iMessage and RCS messaging are more secure, but there is no way to know if a website or service is going to use one of those when messaging you a login link or MFA code. Instead, where possible, rely on generating codes with your password manager, or (better yet) use a passkey.

Everything you need to know about Apple’s latest software updates.

• The most recent iOS and iPadOS is 26.2.1
• The most recent macOS is 26.2
• The most recent tvOS is 26.2
• The most recent watchOS is 26.2.1
• The most recent visionOS is 26.2

Apple rolled out a minor bugfix with iOS 26.2.1 and watchOS 26.2.1 to address unspecified problems in the support for AirTags 2. 

Additionally, older iPhones recently received a new update to iOS 12.5.8. The update renews certificates that allow these older iPhones to continue using iMessage, FaceTime, and other Apple services. Read about the latest updates from Apple.

There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.