• 🗒️✅ Your Security Checklist
• 🏆🎖️ Test Your Security Skills
• 📰 Your Weekly Security Update
• 🤨 This Should Be on Your Radar 📡
• 🙈 Security Fail of the Week 👎
• 🍎📱 Security Updates from Apple 🍎

If you take nothing else from this newsletter, just do these three things to protect yourself:

1. Use passkeys wherever possible. Passkeys are a passwordless login option that use encrypted keys unique to your password manager.
2. Do not respond to texts about missing packages. A common scam tactic is to text you about an undeliverable USPS package, an unpaid toll, or a too-good-to-be-true job offer.
3. If you encounter a web page informing you of a virus, close the tab. Your iPhone cannot be infected with viruses from a web browser, and any pop-ups you see telling you otherwise are phishing scams.

What should you do in the following scenario?

You received a gift for the holidays: a digital photo frame that must be connected to your Wi-Fi in order to upload photos. How should you protect your network from this device? 🤔 

1. Wipe its operating system and install something more secure.
2. Connect it to a guest network only while adding photos, then disable its Wi-Fi and leave it disconnected.
3. Connect it to a guest network.
4. Take it to an e-waste recycling center.
5. Something else (email us your answer).

Scroll to the bottom to see how you did!

A fascinating new malware is spreading across home networks. It’s called Kimwolf, and it turns your home into a node in a criminal network, stealing your bandwidth to use for crimes such as piracy, DDoS campaigns, and to obfuscate other criminal activities. Kimwolf is interesting for two reasons: its explosive growth—it now infects more than two million devices—and the mechanisms by which it propagates across networks.  Major retailers are selling devices that come with the malware preinstalled. These devices are “free TV” boxes, advertised as a way to access paid streaming services without a subscription, and they’ve been available from Amazon and other major retailers. They come with malware called a residential proxy, software that turns your network into a hub that allows other people to pretend to be using the internet from your home. Kimwolf detects residential proxy malware and piggybacks on it to access the rest of the devices on your local network, searching for vulnerabilities to exploit. In particular, it’s been successful at targeting digital photo frames, inspiring today’s test-your-security-skills question. Krebs on Security has the full story.

The Bottom Line: Major retailers have begun purging their stock of these grey-market devices, which were probably illegal anyway. If you own an Android-based device advertised as providing free access to paid streaming apps, consider destroying it.

LinkedIn Job Scams on the Rise

LinkedIn is a breeding ground for job scams, and with many desperate for work, it’s easy to fall victim to false promises of employment. Job scams can come in many forms, such as a recruiter asking for your login credentials, offering to expedite the application process for a fee, or charging for mentorship services. Thankfully, LinkedIn is taking action against scammers. According to the company’s transparency report, from July to December 2024, more than 80 million fake accounts were removed at registration, with another 19 million taken down before anyone had reported the accounts. Still, this hasn’t been enough to stop scammers from stealing thousands of dollars from unsuspecting victims. You can read more about the rise of LinkedIn job scams at Rest of World.

The Bottom Line: When job hunting on LinkedIn, be wary of scammers. A real job offer will never ask for your login or banking details, and won’t ask you to make any sort of payment to get the job. If possible, a video call is the best way to verify that a recruiter you are communicating with online is a real person.

Sanctions Lifted for Individuals Linked to Spyware Maker

In September 2024, three people were sanctioned due to their executive connections to the spyware-maker Intellexa. Intellexa is best known for a spyware tool called Predator, which is primarily used by governments to access civilian devices. Predator is capable of capturing all activity on a device, as well as accessing the camera and microphone. The three executives who were sanctioned worked for Intellexa in varying capacities, including managerial and financial duties. This past December, the US Treasury Department removed the sanctions placed on the executives, claiming that all three are no longer affiliated with the company. You can read more at The Record.

The Bottom Line: Sanctions against spyware companies and executives have the effect of chilling the production and proliferation of mercenary spyware targeting phones. Lifting these sanctions, for whatever reason, is likely to reverse this chilling effect. You can protect your iPhone from this kind of elite mercenary spyware by putting it in Lockdown Mode (Settings > Privacy & Security > Lockdown Mode), but doing so is not recommended unless you are a likely target for espionage.

Amazon Stops Russian Hack on Its Web Services

Late last year, Amazon’s Threat Intelligence team became aware of an attack by Russian state hackers on its Web Services. The attack had been ongoing since at least 2021 and had been using vulnerabilities in various commercial software platforms such as WatchGuard, Confluence, and Veeam. Last year, the hackers began targeting misconfigured devices on enterprise networks. Once Amazon discovered the attack, it took action to disrupt the hackers and shared its findings with customers who were affected by the attack. You can read more at Bleeping Computer or check out the Amazon Threat Intelligence report.

The Bottom Line: Unless you are an enterprise customer using Amazon Web Services to host your website, this breach likely does not affect you. If it does affect you, Amazon has likely already reached out to you.

Scam Communities Thriving on Telegram

Black markets have become a serious problem on social platform Telegram. Similarly to Signal, Telegram offers private, end-to-end encrypted messaging along with many other social features. The privacy and lack of moderation that Telegram offers have allowed scammers and human traffickers to build massive black markets on the platform. Romance scams, in which scammers convince victims to send them money by faking a romantic relationship, are the most profitable. Telegram scam communities have also begun selling an AI face-swapping app called Haotian, which allows scammers to replace their faces with those of celebrities or other notable figures in real-time while on a video call. Haotian works with WhatsApp, Line, Telegram, Facebook, Viber, Zoom, and WeChat, which means verifying another person’s identity over video call may not work as well as it once did.

The Bottom Line: If you use Telegram, avoid responding to unsolicited messages, as you could be the target of a romance scam. When verifying identities with a video call, proceed with caution and use FaceTime if possible. The security offered by Apple’s video calling platform may prevent scammers from using face-swapping apps. And remember that if something seems too good to be true, it probably isn’t.

2025 USA Policy Year in Review from Brian Krebs

Legendary infosec reporter Brian Krebs wrote up a year-in-review article enumerating the vast array of policy changes made by the Trump Administration in the field of cybersecurity. The Trump administration has been extraordinarily energetic in this field. 

The Bottom Line: Few can speak with greater authority on how these policy changes are likely to affect our cybersecurity than Brian Krebs, so we won’t paraphrase him. If policy interests you, check out his article.

PornHub User Account Data Exposed in Breach

Back in November, analytics vendor Mixpanel was breached by the hacking group ShinyHunters. This breach affected some customers of OpenAI as well as users of the adult video website PornHub. OpenAI customer data appears to be safe, though PornHub Premium users have had their search and viewing history exposed. Now, ShinyHunters is threatening to publish the data unless PornHub pays a ransom. However, the adult content provider has not worked with Mixpanel since 2021, so the stolen data may be outdated. You can read more about the breach at Bleeping Computer.

The Bottom Line: If you are concerned about how your data on a particular website could be connected to you, it may be best to not make an account for that website. Data breaches are far too common for that type of risk. Still, we sympathize with anyone who might be affected by this breach. That type of data, if exposed, could be life-altering.

Live in California? Protect Yourself Against Data Brokers

Data brokers are an unfortunate reality in today’s day and age. Our data is for sale to the highest bidder, and the only thing we can really do about it is use services like DuckDuckGo’s Privacy Pro or Incogni to request the removal of our data. However, for residents of California, the state has created a tool called the Delete Requests and Opt-Out Platform (DROP). If you live in California, you can use DROP to request that your data be deleted from all current and future data brokers that are registered within the state, all at no extra cost to you. Brokers will begin processing data removal requests this August and have 90 days to complete the process. Read more at TechCrunch.

The Bottom Line: If you’re a California resident, we definitely recommend using DROP. While this process can’t remove all your data, since some of it is likely considered public record, it will require data brokers to delete most of it. We hope to see this type of platform rolled out to other states and countries in the future.

White Supremacist Dating Site Breached, Data Posted Online

Even white supremacists get lonely. A dating website called WhiteDate, which only allowed white people to sign up, was breached along with two associated sites, WhiteChild and WhiteDeal. A security researcher/hacktivist using the moniker Martha Root infiltrated these sites, stole more than 8,000 users’ data, and then deleted all three sites along with their backups live on stage at a hacker conference (while dressed as the Pink Power Ranger, to conceal her identity). Martha Root has since published the leaked data on a website she named OkStupid.lol. Check out the full story, and watch the video of Root’s presentation, at HackRead.

The Bottom Line: Cybersecurity is tough to get right, and anyone signing up for dubious websites shouldn’t be surprised if their data gets leaked. We don’t endorse doxxing, of course, but it’s hard to feel sympathy for people who find other humans so repulsive that they need to sign up for a service that will only match them with others of the same phenotype. Most of the more personal and exposing information doxxed by Martha Root was found in the metadata of images uploaded by the website’s users, so one practical security tip is to be aware that images record where they were taken, and that data can be easily accessed. You can remove the metadata from images before you share them on iPhone by selecting the photo, tapping Share, then tapping Options. In the options menu, toggle off Location and do not select All Photos Data before tapping the blue checkmark to confirm. Then, you can send the photo without metadata.

Everything you need to know about Apple’s latest software updates.

• The most recent iOS and iPadOS is 26.2
• The most recent macOS is 26.2
• The most recent tvOS is 26.2
• The most recent watchOS is 26.2
• The most recent visionOS is 26.2

Read about the latest updates from Apple.

We think the best answer is probably 2: Connect it to a guest network only while adding photos, then disable its Wi-Fi and leave it disconnected. This exposes you to a minimal amount of risk, and keeping the device disconnected should prevent future hijinks. 1: Wipe its operating system and install something more secure isn’t practical for most picture frames, even for users with a high degree of computer skill. 3: Connect it to a guest network is good, but these cheap devices often have exploitable security flaws that may not be surfaced for months or years, so there’s no good reason to leave it on the network after the images have been loaded.

There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

Interested in using your iPhone’s password manager? Check out:

• Apple Passwords: How to Use the New App
• How to Make a Strong Password & Things to Avoid