- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Update your iPhone to iOS 26 if you haven't already. There is a new exploit in iOS 18 that leaves older iPhones vulnerable to attack. This exploit is patched in iOS 26, so you should update as soon as possible.
- Turn off app tracking. Many apps will request permission to track your activity both inside and outside the app, but you can disable app tracking altogether.
- Enable Lockdown Mode to protect your iPhone from cyber attacks. If your iPhone is infected with malware, you can enable Lockdown Mode to take back control of your device.
What should you do in the following scenario?
You receive an alarming email suggesting that you’ve recently made a large purchase. You know you did not make this purchase. The email appears to be from a payment processor (e.g., PayPal) that you regularly use and seems legitimate. What should you do? 🤔
- A: Ignore the email.
- B: Without clicking any links in the email, visit your bank’s website to dispute the charge.
- C: Dial the number in the email.
- D: Without clicking any links in the email, visit the website for the payment processor to dispute the charge.
Scroll to the bottom to see how you did!
A new elite malware has been discovered. It's called DarkSword, and it's capable of compromising any iPhone running iOS 18 or earlier when that phone merely visits an infected website. It is extremely rare for malware to target an iOS version as recent as iOS 18, and it is even rarer for it to do so as effectively as DarkSword. To make matters much worse, DarkSword's complete source code was made available for anyone to download, ensuring that it is already in the hands of criminal hackers all over the world.
Over the years, we have covered the occasional hacker tool capable of compromising an iPhone. These have always been "top shelf" elite tools developed for espionage services like the NSA or their contractors and intended to target specific, high-value individuals. They are not tools of mass surveillance. In other words, elite spyware that can hack an iPhone has historically been something that very few iPhone owners needed to worry about. Not so with DarkSword.
iOS 18 is only two years old, and a huge number of users have been reluctant to upgrade to the next operating system (iOS 26). This leaves roughly one-third of iPhones still on iOS 18, and vulnerable to DarkSword, a malware that is easy to use and already in the hands of low-level criminals all over the world. That trifecta of factors makes this probably the most serious iPhone security issue we’ve ever reported.
The Bottom Line: If you are still running iOS 18, it’s time to upgrade to iOS 26. Don’t wait. Updating to iOS 26 fixes the vulnerabilities exploited by DarkSword.
Apple Releases Multiple iOS Updates
Apple released multiple updates over the last week, the first being iOS 26.3.1 (a). Apple referred to this as a Background Security Improvement, a first-of-its-kind type of update that patches existing versions of iOS to fix security issues and vulnerabilities. Less than a week later, Apple pushed out iOS 26.4, which contained the same security fixes from the 26.3.1 (a) update, along with a handful of other features. Find out what's new in our new Insider newsletter, iOS Release Radar.
The Bottom Line: If you have automatic updates enabled, you likely already have one or both of these updates installed. If not, we recommend updating as soon as possible. iPhone updates are more than just new features; they keep your device protected from dangerous exploits like the one seen above in our top story.
Privacy-Focused OS Refuses to Comply with Age Verification Laws
California recently passed a law requiring operating systems to ask the user's age during setup. California’s age verification law differs from others in that it doesn't require the OS to collect IDs or facial scans. The user simply needs to enter their age. However, privacy-focused operating system GrapheneOS has stated that it will not comply with the law, even if it means devices with GrapheneOS installed cannot be sold in the state. Read more about GrapheneOS at Tom's Hardware.
The Bottom Line: Age verification should not come at the expense of user privacy, something that GrapheneOS clearly understands and believes in. Thankfully, California's age verification law is not as invasive as some others, and Apple seems to have developed a more private method of verifying ages.
Data Breach at Popular Anime Streamer
Popular anime streamer Crunchyroll was breached by hackers this month, through its customer service platform, Telus. Hackers gained access to a customer support agent's account and downloaded 8 million support tickets, revealing usernames, email addresses, location data, and more. In some cases, the last four digits of credit card numbers and their expiration dates were also exposed. The hackers had 24 hours to steal the data before they were locked out, and are now demanding $5 million from Crunchyroll. The company is currently investigating the breach. Read more at Bleeping Computer.
The Bottom Line: If you have an account with Crunchyroll and have ever opened a customer support ticket, you may be affected by this breach. Crunchyroll will likely notify its customers of the breach with more details in the coming weeks.
Tax Scams on the Rise
Tax season in the US is in full swing, and scammers are as active as ever. The deadline to file is fast approaching, making it easy for scammers to induce panic and apply pressure on those who have not yet done so. Microsoft's Threat Intelligence team has identified multiple ongoing phishing campaigns that are using last-minute tax filing to their advantage. These campaigns involve malicious emails, QR codes, websites, and more. Check out Microsoft's security article to learn what to be on the lookout for.
The Bottom Line: If you receive emails about filing your taxes that seem a little too good to be true, exercise caution and verify the sender before doing anything. Scammers will be looking to take advantage of anyone who hasn’t filed their taxes yet.
Firefox to Start Offering a Free VPN to Users
Mozilla is making its VPN free for users of Firefox. Starting with the newest update to Firefox (version 149), Mozilla VPN has been integrated into the web browser and can be used for free for up to 50 GB per month. It will only work with web traffic inside Firefox, which means data transmitted from other applications (like emails sent from a third-party app or traffic from other web browsers) will not be protected. This feature is slowly rolling out to users, so if you have the latest version of Firefox and don’t see the VPN, it may not be available to you yet. Read more in Mozilla's blog post.
The Bottom Line: This free version of Mozilla VPN is a great option for those who don't currently pay for a VPN service and who don’t need full-time protection. The 50 GB offered by Mozilla VPN should be enough to keep your internet connection private when using public Wi-Fi, but it likely won’t be enough to last the entire month if you keep it turned on constantly. For full-time VPN use, you'll need to upgrade to a paid VPN service, like NordVPN or Ghostery.
This Company Broadcasts Your Zoom Meetings As Podcasts Without Your Permission
A company called WebinarTV has been caught creating unauthorized recordings of Zoom webinars and converting them into podcasts. It is believed that the company's method of operation involves scraping the web for public Zoom meetings, joining them, and then recording them using third-party software rather than Zoom's built-in recording feature. The company then uses AI to generate a podcast from the Zoom webinar. Dozens of reports have surfaced of Zoom meetings, in which the participants believed they were speaking privately, being secretly recorded by the company and broadcast as free podcasts available to anyone. Read more about this bizarre phenomenon at 404 Media.
The Bottom Line: Anyone who is in a Zoom meeting can record the meeting using screen-recording software that Zoom does not control (and the same is true for any video call software). You can protect your Zoom meetings from unexpected guests by setting a password for the meeting, but if any of your guests decides to record the meeting, you can't stop them. Should any of your attendees have a compromised device, then unauthorized third parties may gain access as well. It's important to understand that the larger a Zoom meeting is, the less private it is, even with passwords set and admittance carefully controlled.
US Cyber Defense Bureau Restructures
After breaking up the Bureau of Cyberspace and Digital Policy around a year ago, Secretary of State Marco Rubio is establishing the Bureau of Emerging Threats in anticipation of cyberattacks from Iran. The bureau will consist of five offices that will combat threats to US cyberspace and infrastructure, as well as "disruptive technologies," just like the old Bureau of Cyberspace and Digital Policy did, before they got rid of it. Read more about the revamped Bureau of Emerging Threats at ABC News.
The Bottom Line: We're not sure what exactly the point of restructuring the previous bureau was, but hopefully, these changes will benefit the cyber defense of the US.
Firm Specializing in Protecting You From Data Breaches, Breached
Digital security platform Aura has had a security incident resulting in the compromise of customer data. This is ironic, since the purpose of Aura is to protect its customers from data breaches. Whoops. Read more at SecurityWeek.
The Bottom Line: Those who signed up for Aura's identity and breach protection did nothing wrong. This breach highlights that the more a service knows about you, the more dangerous it is when that service has a breach. For security services, prefer those that do not retain information about their users to begin with.
Everything you need to know about Apple’s latest software updates.
- The most recent iOS and iPadOS is 26.4
- The most recent macOS is 26.4
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Read about the latest updates from Apple.
The key is to not click any links in the email, so there are two safe answers: B: Without clicking any links in the email, visit your bank’s website to dispute the charge; or D: Without clicking any links in the email, visit the website for the payment processor to dispute the charge.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems we, as Apple enthusiasts, may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.