- šļøā Your Security Checklist
- ššļø Test Your Security Skills
- š° Your Weekly Security Update
- š¤Ø This Should Be on Your Radar š”
- š Security Fail of the Week š
- šš± Security Updates from Apple š
If you take nothing else from this newsletter, just do these three things to protect yourself:
- If you havenāt already, enable Face ID on your iPhone. Face ID keeps your iPhone secure and prevents others from being able to unlock your device.
- Switch to an alphanumeric passcode for extra security. An alphanumeric passcode is much more difficult to guess than a four- or six-digit passcode since you can use letters and symbols.
- Disable Face ID if you are ever compelled to unlock your iPhone. If youāre ever in a situation where someone might try to force you to unlock your iPhone with Face ID, you can lock your phone in an instant and disable Face ID.
Whatās the safest way to send a sensitive document? š¤
- Signal
- iCloud share
- Dropbox
- Google Drive
Scroll to the bottom to see how you did!
Luxshare, a tech manufacturer based in China, was hit by a cyberattack last month. Luxshare handles manufacturing for several tech companies, including Apple, Nvidia, and Tesla. That means that any data that was stolen could include confidential information about these companiesā products, like 3D models, component designs, circuit board-manufacturing data, and more. Additionally, employee names, job titles, and email addresses were also exposed. The attackers, a group called RansomHub, have threatened to leak the stolen data if Luxshare does not contact them (and presumably pay a ransom). Read more about this cyberattack at Cybernews.
The Bottom Line: This cyberattack could prove devastating for the companies involved. The stolen data could be used by competitors to manufacture counterfeits or reveal hardware vulnerabilities for hackers. However, weāre hopeful that the stolen data will prove inconsequential and that Apple (as well as the other affected companies) can patch any possible hardware exploits.
ICE Facial Recognition App Incorrectly Identifies Citizen
Mobile Fortify is an app used by Immigration and Customs Enforcement (ICE) to identify whether or not someone is a US citizen. The app works by using facial recognition to determine an individualās identity. The agency believes that the appās facial recognition is so accurate that it should be trusted over a birth certificate. However, last year, a woman in Oregon was arrested by ICE, and the app incorrectly identified her, not once but twice. Mobile Fortify gave two different names when the womanās face was scanned, neither of which was correct, leaving many to wonder just how reliable this app really is. You can read more about Mobile Fortify and this particular incident at 404 Media.
The Bottom Line: Software is not infallible, especially when it comes to facial recognition. Think about how many times youāve gone to unlock your iPhone with Face ID only for that little lock icon to shake and prompt you to enter your passcode instead. If Face ID, which is supposed to be more secure than a password, can fail like that, surely an identification app based on facial recognition can fail just as easily. That means law enforcement could easily arrest law-abiding citizens based on false information if Mobile Fortify incorrectly identifies them as undocumented immigrants.
Data Breach at Grubhub
Grubhub is the latest victim of a data breach. The popular food delivery platform has not offered many details, only confirming that a breach occurred and that no customer financial information was stolen. The company has also said that it is working with a cybersecurity firm to investigate the breach. According to BleepingComputerās sources, the company is likely being extorted by the ShinyHunters hacking group. However, neither Grubhub nor ShinyHunters has commented on the incident.
The Bottom Line: If you are a Grubhub customer, the company will likely divulge more details about the breach and notify you if your data was affected. In the meantime, we recommend updating your Grubhub password and freezing your credit, in case any of the data from the breach could be used to steal your identity.
The Electronic Frontier Foundationās Security Plan
We recently found that the Electronic Frontier Foundation (EFF) has a website dedicated to Surveillance Self-Defense, where you can find a variety of guides on helping you improve your digital security. One of the basics you can start with is setting up a security plan. While this particular guide hasnāt been updated since 2023, the advice and instructions provided are still relevant today.
The Bottom Line: The EFFās security plan is an easy-to-follow, actionable guide that can get you started with improving your personal security. Check it out to make sure youāre protected and prepared.
European Rail System Breached
Eurail, a popular rail system used throughout Europe, was breached recently. The breach included information such as order numbers, customer details, names, and the names of traveling companions. In some cases, passport details, including passport numbers, may have also been exposed. Eurail customers who received a pass through the DiscoverEU program have possibly also had their bank account reference numbers leaked as well. Check out Eurailās statement for more details.
The Bottom Line: If youāre a Eurail customer and your passport was leaked, we would recommend investing in a credit monitoring service to ensure your identity isnāt stolen. Eurail is likely contacting affected customers about this incident as well.
Hacker Steals More Than $200 Million in Cryptocurrency
Cryptocurrency blockchain researcher ZachXBT reported last week that a hacker made off with $282 million in cryptocurrency. The attacker used a social engineering scam to gain access to the victimās cryptowallet. ZachXBT did not go into detail about the attack or its victim. Check out the full story at CoinDesk.
The Bottom Line: Social engineering scams are easy to fall for, since they prey on your willingness to trust another person, even if you donāt know them. However, you should never hand over confidential information, whether itās a crypto address or your bank account number, without knowing exactly who you are giving it to.
Web Traffic Down for Many Publishers Due to AI Summaries
The PressGazette reports new data from Chartbeat showing that referral traffic from Google searches to publishers declined by a third in 2025. The data seems to indicate that the decline is due to the rise in Google AI summaries, which provide quick and easy answers to any search query, negating the need to click through to any websites. That means users are taking Google AI summaries at face value rather than scrolling through search results and visiting a reputable website. While this isnāt necessarily a privacy or security concern, it does affect websites like our own as well as those of other independent publishers and news sites. Websites that rely on regular visitors could be in trouble if this trend continues. Head over to PressGazette for more on the report.
The Bottom Line: This newsletter serves to compile the latest security and privacy news and deliver it to you in a digestible format. It only works because we are able to pull from many different sources. If you want to support publishers like the websites we include each week, you can help by clicking the links in this newsletter. Additionally, when looking at an AI overview, there is usually a link icon at the end of each paragraph, which you can click to find sources for the information provided in the overview. Better yet, you can visit Googleās Support page for AI Overviews to find instructions on how to disable it.
Hackers Can Access Some Wireless Earbuds
Android users who use wireless earbuds may be at risk of a new vulnerability called WhisperPair. In the same way AirPods seamlessly connect to your iPhone and other devices, Googleās Fast Pair devices can quickly connect to Android phones. In addition to Google, Fast Pair audio devices are manufactured by other tech companies like Sony, JBL, OnePlus, and others. The WhisperPair vulnerability allows potential hackers to connect to affected devices without the owner knowing. Once connected, attackers can access the microphone and location-tracking features. Find out more about WhisperPair at Ars Technica or check out the list of vulnerable devices.
The Bottom Line: If you use any Fast Pair devices, you could be vulnerable to WhisperPair, even if you donāt own an Android phone. WhisperPair can be combated by factory resetting your device after it has been compromised. However, it can still be hacked again even after itās been reset. Thankfully, most manufacturers will likely begin pushing out firmware updates to patch this vulnerability, so if you own any of the devices in the list linked above, be sure to install the deviceās companion app, if there is one. Having the companion app will allow you to install updates for your audio devices as soon as they are available.
Hacker Helps Media Corp Patch Vulnerability But Steals Data Anyway
A hacker going by the name of Lovely discovered a serious vulnerability in the cybersecurity of CondĆ© Nast, the media parent company of Wired, Ars Technica, and many others. After many failed attempts to contact the company to inform them of this vulnerability, Lovely reached out to DataBreaches, a website dedicated to reporting the latest hacks and data breaches. With DataBreachesā help, Lovely was able to get in contact with CondĆ© Nast, but not before downloading more than 33 million profiles using the very vulnerability they were trying to warn the company about. It turns out, Lovely had apparently been leaking data from Wired on various forums while claiming they only wanted to warn CondĆ© Nast about the security flaw. You can read the full story at DataBreaches. Itās quite an interesting read.
The Bottom Line: Thereās not a whole lot of practical advice for this story, other than maybe not to trust self-professed hackers or scammers. Even still, itās an interesting story, and DataBreaches no doubt still did CondĆ© Nast a favor by making the company aware of a flaw in its security.
Tennessee Man Hacks the Supreme Court
A 24-year-old named Nicholas Moore allegedly hacked the US Supreme Court over the course of three months. Moore reportedly accessed the Supreme Courtās filing system 25 different times between August and October 2023. The Department of Justice has not made any details public about what Moore did while in the filing system or what data he accessed, but he is expected to plead guilty to computer fraud. As an ordinary citizen, Mooreās hack of the Supreme Court brings into question the countryās cybersecurity. You can read more about the case at TechCrunch.
The Bottom Line: If someone like Moore can break into the countryās highest court, it really makes us wonder what a state-sponsored hacker could be capable of. We hope this incident has encouraged the Supreme Court to start taking its cybersecurity more seriously.
Everything you need to know about Appleās latest software updates.
- The most recent iOS and iPadOS is 26.2
- The most recent macOS is 26.2
- The most recent tvOS is 26.2
- The most recent watchOS is 26.2
- The most recent visionOS is 26.2
Read about the latestĀ updates from Apple.
The correct answer is 2: Signal. Signal is encrypted end-to-end, which means you can be confident that no message can be intercepted or recorded permanently except by the sender and the receiver. The Signal Foundationāa nonprofit that runs the servers used by Signal and maintains the appādoesnāt record metadata about who you contact or when using Signal, unlike WhatsApp. Itās free, super easy to set up, easy to use, and itās the safest way to send messages, including sensitive documents. We have no relationship with Signal; this isnāt an ad. Usually, there is some nuance in a topic like this: some apps are better in some ways, and others are better in other ways. Thatās not the case right now. For the moment, Signal is the best app to use when you want to send secure and private information between private individuals, acting in a private capacity. The EFF published a step-by-step guide for how to use Signal.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written byĀ Cullen ThomasĀ andĀ Rhett IntriagoĀ and edited byĀ August Garry.
Interested in securing your iPhone data? Check out:
|
