- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use a password manager if you are not already. Password managers are the first step to ensuring your digital security. If you're not sure which one you should use, check out our recommended password managers.
- Enable multi/two-factor authentication wherever possible. Multi-factor authentication adds an extra layer of security to your accounts. Here's how to activate 2FA on Gmail.
- Create strong passwords to secure your accounts. The best way to create a strong password is to use your password manager to generate one for you.
What should you do in the following scenario?
When creating a new account, what is the best way to ensure your login is secure? 🤔
- Use a password manager to generate a password.
- Use a passkey instead.
- Use a physical security key.
- All of the above, depending.
Scroll to the bottom to see how you did!
Everywhere you go on the web, every page you visit, you're being tracked and your information sold to advertisers. Webloc is a tool that buys this commercially available advertising data, analyzes it, and sells the results to law enforcement. We've written about Webloc before, and how ICE had been using it to track cellphones in a specific area. According to a new report from The Citizen Lab, governments around the world use Webloc to gather intelligence on their citizens without due process. The report states that Webloc is being used in the US by ICE, the Department of Homeland Security, the military, and various police departments across the country. It is also allegedly being used by Hungary and El Salvador to monitor citizens and suppress opposition. Because governments buy this information from a private third-party company, they claim not to need warrants (or their international equivalents). We recommend reading the full write-up at The Citizen Lab; it's quite detailed and cites sources for each of its claims.
The Bottom Line: Webloc gathers data on its targets by buying the advertising profiles that ad companies build, so the less the ad industry knows about you, the less there is for Webloc to buy. Ad blockers and private web browsers cut down on web tracking, and a VPN hides your IP address from the sites you visit. Keep in mind that a VPN does nothing about the advertising identifier and location data that apps on your phone hand to ad networks; on iPhone, also turn off Allow Apps to Request to Track under Settings > Privacy & Security > Tracking, and review which apps have location access.
Signal Messages Accessed Through Notifications
We recommend Signal as the messaging app for end-to-end encrypted communications. However, court testimony has revealed that the FBI can recover the content of Signal messages from an iPhone through its notifications. When you receive a message in Signal, the app shows a notification that includes the sender's name and the first few lines of the message. iOS stores a copy of that notification in a database on the device, outside Signal's own encrypted storage. The court documents suggest the FBI can read this notifications database with the right forensic tools and physical access to the phone. Note that this exposes only what appeared in notifications, not your full message history, and it does not break Signal's encryption in transit. You can read more at 404 Media.
The Bottom Line: Turning off Notification Previews in your iPhone settings only hides the preview from the notification banner; the message content is still delivered to iOS and stored in the notification database. The fix has to happen on Signal's side, so that the content never leaves the app: tap your profile icon in the top left of the Signal app, select Settings, then Notifications. Under Notification Content, tap Show and choose No Name or Content. Messages that were already delivered as notifications before you changed the setting may still be in the database.
End-To-End Encrypted Messaging Coming to Mastodon
Mastodon, a decentralized social network with an emphasis on human moderation, will soon have end-to-end encrypted messaging thanks to funding from the Sovereign Tech Fund, a German government-backed program that finances open source digital infrastructure. The investment also lets Mastodon make further improvements to the service so it can compete with other social media platforms. Check the Mastodon blog post for more details.
The Bottom Line: The encryption is on a timeline to arrive in 2028. If you’re curious about a social media platform that is fully human-moderated, doesn’t use an algorithm, and doesn’t monetize your behavior, you may consider trying out Mastodon. If you do, you may find Cullen there.
Rockstar Games Hacked by ShinyHunters
Rockstar Games, developer of the video game series Grand Theft Auto, was breached this week. The hacking group ShinyHunters claimed responsibility and threatened to leak the data stolen in the hack if Rockstar did not pay a ransom. The company refused, and ShinyHunters has already begun posting documents online, which largely consist of information and analytics about Rockstar's revenue. The breach at this point appears to be largely inconsequential for Rockstar and its customers. Bleeping Computer has the full story.
The Bottom Line: All we know about how Rockstar was breached is that the attackers used stolen authentication tokens for Snowflake, a third-party cloud data platform. It is likely that ShinyHunters gained access to Rockstar either by phishing employee credentials or because an employee reused a password. Stolen tokens are also a reminder that an attacker holding a valid session does not need your password at all, so the first line of defense is keeping credentials from being captured in the first place. Data breaches happen every day, which is why it is so important to use a password manager and, wherever possible, passkeys. A password manager creates unique, random passwords for you. A passkey can't be phished because it is a key pair bound to the site it was created for: the private key never leaves your device or password manager, and your browser will only use it on the genuine domain, so a look-alike site never receives anything it can replay.
Data Breach at European Gym Company
Basic-Fit, a European gym company, has been hacked, and around a million customers have had their data stolen. Basic-Fit states that the stolen data includes bank account details, but not passwords or identification documents. You can read more at Reuters.
The Bottom Line: If you were impacted by this breach, Basic-Fit should have notified you by now, and hopefully will have provided steps on what you should do to protect yourself. Since banking details appear to be a part of this breach, we would recommend keeping an eye on your bank accounts. While passwords were not leaked in this breach, it's still important to use unique credentials for every login, so that if your password is ever leaked, you won't have to worry about multiple accounts being compromised.
Popular Travel Site Has Customer Data Stolen
Travel site Booking.com is the third victim of a data breach this week. Hackers stole names, email addresses, phone numbers, and any other information users provided when booking their travel plans. Booking.com claims that it stopped the hack quickly and affected customers have been informed, though the company declined to confirm how many customers were impacted. Head over to SecurityWeek for more.
The Bottom Line: If you've used Booking.com recently, there's a chance your information was stolen in this breach. The company should have already reached out to you about next steps if you were affected.
Tesla Disabling Vehicles That Have Been Modified Without Authorization
Tesla vehicles come with a feature called Full Self-Driving (Supervised), which, as the name implies, lets the car drive itself while the driver supervises. The feature is locked when you purchase the vehicle, and unlocking it costs $99 a month. Hackers found a way to essentially jailbreak their Teslas and enable self-driving without paying for the subscription, then distributed the hack so anyone could do the same. Tesla has begun disabling vehicles that used this unauthorized modification. Autoevolution has more details.
The Bottom Line: We recommend against jailbreaking any device, outside of specific cases such as keeping a device that has reached the end of its supported life usable. To jailbreak a device, whether it is your iPhone or your car, you must exploit security vulnerabilities and disable safeguards (on an iPhone, code-signing enforcement, for example), and those safeguards stay disabled for anyone else who gets at the device afterward. Jailbreaking can leave a device open to attack, and making your car, of all things, more susceptible to cyber attack is not a good idea.
AI Social Media Company Hacked
Doublespeed is a company that operates phone farms (buildings full of phones used to simulate social media users), spewing AI-generated content onto social media to promote other brands. The business is funded by a16z, a venture capital firm. A hacker decided they had had enough of Doublespeed and breached the company's backend and set up Doublespeed customers’ accounts to flood social media with a meme calling a16z the Antichrist. Luckily for Doublespeed, the company discovered the hack before the meme could be posted to any customer accounts. Check out the full story (and the meme itself) over at 404 Media.
The Bottom Line: AI-generated photos and videos are all over social media, and companies like Doublespeed make it difficult for us to separate fact from fiction. While posting this meme wouldn't have stopped Doublespeed, the best we can do to combat AI-generated content is learn to identify it, especially when it comes to photos and videos. The skill of identifying AI-generated content has quickly become an important survival skill for anyone who spends much time on the internet. Check out our guide on how to identify AI content.
Attackers Could Eavesdrop Using Fiber-Optic Cables
Academic researchers in Hong Kong have discovered that the fiber-optic cables that carry high-speed internet can essentially be transformed into microphones to listen in on private conversations. Because optical fibers are sensitive to acoustic vibrations, with the right tools, one could potentially eavesdrop using the fiber-optic cables that many use for home internet. Check out the paper over at the Internet Society.
The Bottom Line: The paper shows that eavesdropping through fiber-optic cables is possible, but it is not a practical attack for most adversaries: it requires physical access to the fiber that runs to your home, plus specialized optical sensing hardware. Unless you are a target worth that kind of effort, you don't have to worry about hackers using your internet cable to listen in on your private conversations. But it's a neat piece of research.
Crypto Scam Costs Singer His Life Savings
A singer going by the name G. Love has lost his entire life savings after falling for a cryptocurrency scam. G. Love had spent the last ten years investing his retirement funds in Bitcoin. He had saved up 5.9 Bitcoin, which is currently worth more than $400,000 USD. While setting up his new Mac, the musician downloaded an app from the Mac App Store to manage his Bitcoin wallet. He believed the app he was downloading was Ledger Live, the legitimate wallet-management app from Ledger that many Bitcoin users rely on. It was a look-alike, and when it asked him to enter the seed phrase for his wallet (the recovery phrase from which the wallet's private keys are derived, which is not a password and which the real Ledger app never asks for), his entire balance was drained. It's notable that he got the malicious app from Apple's App Store, usually a trustworthy source. Head over to The Street for more on the story.
The Bottom Line: Cryptocurrency scams are extremely profitable, since once the money is lost, it is nearly impossible to get it back. Although the App Store is closely reviewed, Apple does not have a spotless record, and you must watch for look-alike apps even there. Macs are not immune to wallet-stealing malware like this. Before installing any app, check the developer name against the vendor's own website, look at the developer's other apps and reviews, and prefer the download link the vendor itself publishes. Treat a seed phrase as the wallet itself: the real Ledger app never asks for it, and a request to type it into an unfamiliar app or website is a sure sign of a scam.
- The most recent iOS and iPadOS is 26.4.1
- The most recent macOS is 26.4.1
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Read about the latest updates from Apple.
The correct answer is D. All of the above. A physical security key is the strongest option: the private key lives on a dedicated piece of hardware, so a login requires having the key in hand, and the key only answers the genuine website it was registered with. Passkeys work the same way but store that key pair in your password manager or your device's keychain instead of on a separate dongle; because the browser will only present a passkey to the domain it was created for, a phishing site gets nothing even if you are fooled by it. If the account you are creating doesn't support security keys or passkeys, use your password manager to generate a random, unique password and turn on two-factor authentication.
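As an added illustration of the origin binding that makes passkeys and security keys phishing-resistant (this is example code written for this page, not anything from the newsletter's authors, from Signal, Rockstar, Apple or any vendor mentioned above), the Python below simulates the three parties in a WebAuthn login using only the standard library. The domain example.com and the look-alike accounts-example.com are made up, and an HMAC stands in for the authenticator's asymmetric signature so the example runs offline; the structural checks themselves (the browser refusing an rpId that doesn't match the page's domain, and the server checking the challenge, the origin allowlist and the rpIdHash) are the ones the WebAuthn standard requires.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import urlparse

# Hypothetical relying party (RP) and a made-up look-alike phishing domain.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://accounts.example.com"}
PHISH_ORIGIN = "https://accounts-example.com"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Simulated authenticator (keychain, password manager or hardware key).
    Credentials are scoped to an rpId. The HMAC key is a stand-in for the
    credential's private key (an assumption of this example); a real passkey
    holds an asymmetric key pair the server cannot forge."""

    def __init__(self):
        self.credentials = {}  # rp_id -> (credential_id, key)

    def create(self, rp_id):
        cred_id = secrets.token_bytes(16)
        self.credentials[rp_id] = (cred_id, secrets.token_bytes(32))
        return cred_id

    def get(self, rp_id, auth_data, client_data_hash):
        if rp_id not in self.credentials:
            raise LookupError("no credential scoped to rpId %r" % rp_id)
        _, key = self.credentials[rp_id]
        return hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()


def browser_get_assertion(authn, page_origin, rp_id, challenge):
    """navigator.credentials.get() as the browser performs it: the rpId must be
    the page's host or a parent domain of it, and the real page origin is
    written into clientDataJSON, which the signature then covers."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId %r not valid for %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP = 0x01) | signCount (4 bytes)
    auth_data = sha256(rp_id.encode()) + bytes([0x01]) + (1).to_bytes(4, "big")
    signature = authn.get(rp_id, auth_data, sha256(client_data))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def relying_party_verify(assertion, expected_challenge, key):
    """Server checks: type, fresh challenge, origin allowlist, rpIdHash,
    user-present flag, then the signature over authenticatorData || hash(clientDataJSON)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != b64url(expected_challenge):
        return False
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(RP_ID.encode()) or not auth_data[32] & 0x01:
        return False
    expected = hmac.new(key, auth_data + sha256(assertion["clientDataJSON"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_at(page_origin, rp_id):
    """Register a passkey for RP_ID, then attempt a login from page_origin.
    Returns 'ok', 'browser_refused', 'no_credential' or 'rp_rejected'."""
    authn = Authenticator()
    authn.create(RP_ID)
    key = authn.credentials[RP_ID][1]
    challenge = secrets.token_bytes(32)  # issued by the real server; a phisher can relay it
    try:
        assertion = browser_get_assertion(authn, page_origin, rp_id, challenge)
    except PermissionError:
        return "browser_refused"
    except LookupError:
        return "no_credential"
    return "ok" if relying_party_verify(assertion, challenge, key) else "rp_rejected"


def tampered_client_data():
    """Defense in depth: a captured genuine assertion fails if its origin field
    is rewritten, since the server checks the origin and the signature covers it."""
    authn = Authenticator()
    authn.create(RP_ID)
    key = authn.credentials[RP_ID][1]
    challenge = secrets.token_bytes(32)
    assertion = browser_get_assertion(authn, "https://example.com", RP_ID, challenge)
    client = json.loads(assertion["clientDataJSON"])
    client["origin"] = PHISH_ORIGIN
    assertion["clientDataJSON"] = json.dumps(client).encode()
    return "ok" if relying_party_verify(assertion, challenge, key) else "rp_rejected"


if __name__ == "__main__":
    print("genuine site:    ", login_at("https://accounts.example.com", RP_ID))  # ok
    print("phish, real rpId:", login_at(PHISH_ORIGIN, RP_ID))  # browser_refused
    print("phish, own rpId: ", login_at(PHISH_ORIGIN, "accounts-example.com"))  # no_credential
    print("tampered origin: ", tampered_client_data())  # rp_rejected
```

The second and third cases are the whole point: a phishing page cannot even ask the browser for the victim's example.com credential, and a credential it could ask for does not exist, so there is nothing for the victim to hand over no matter how convincing the page looks. A password manager's autofill gives a weaker version of the same protection (it only fills the saved domain), and a generated random password is the fallback when a site supports neither.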
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.