Privacy & Security  
July 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

I’m back from my honeymoon and goodness was it ever a lovely month for me and a shockingly tough one for the cybersecurity world. There were two huge stories: the AT&T Snowflake breach, and the Crowdstrike debacle—two of the most compromising incidents in the history of the internet, though in very different ways. The AT&T Snowflake breach, detailed below, is a privacy concern that will haunt us for years to come, whereas the Crowdstrike madness was a massive cyber outage over much of the world, but has mostly been repaired already.

Did the Crowdstrike services outage affect you? Let us know by writing to security@iphonelife.com.

And as always, we’d love to hear from you about any scams, hacks, or trouble that your fellow Insiders might need to know about.

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life

In This Newsletter:

  • Top 3 Security Skills of the Month: What to practice based on the stories below.
  • Common Hacks, Scams, & Trouble: A selection of illustrative threats from the last month.
  • Latest from Around the Web: General privacy & security news for Apple enthusiasts.
  • Security Updates from Apple: What we know about Apple's security patches and updates.
  • Security Tip of the Month: Highlighting one of our daily tips to quickly help you secure your privacy.
 
Top 3 Security Skills of the Month

Three simple steps to secure your devices, based on the stories below.

  • Use credit monitoring and consider freezing your credit, AT&T customers especially.
  • Use a password manager to employ unique strong passwords that you don’t have to memorize for every account, especially for your home router and Wi-Fi.
  • Employ multi-factor authentication wherever possible, and prefer authentication apps over text message verification where you can.

For a complete list of our top security recommendations, view our course: Privacy & Security for Apple Enthusiasts in 2024, all included in your iPhone Life Insider subscription.

 
Common Scams, Hacks & Trouble

Crowdstrike’s Big Strikeout: How a Security Company Nearly Turned Off the Internet

On Friday, July 19th, flights all around the world were grounded, banks closed, self-checkouts at supermarkets crashed, ATMs failed, and government agencies and major companies had to close their doors while IT workers scrambled to fix entire buildings full of crashed computers. It’s one of the largest cyber outages of all time, and it all happened because just 8.5 million Windows machines, a tiny fraction of the total fleet of Windows machines, all crashed at once. This began a domino effect that rippled through the internet and society, reports Risky.biz.

How did it happen? Crowdstrike is a security company that caters to important corporate clients with critical networks. Their software does what’s called endpoint detection and response, or EDR, which you could think of as a human-managed version of anti-virus scanning that also looks for other kinds of malicious activity. It’s powerful software designed to help security professionals protect important networks. Crowdstrike was well regarded until Friday July 19th, when they took their eye off the ball in possibly the most spectacular fashion in the history of the internet.

Crowdstrike sent out an update to their software that caused every Windows machine running that software to enter an endless cycle of crashing and rebooting. Since Crowdstrike caters to important clients, the 8.5 million machines running their software included some in critical positions. Fixing those crashed computers required manually rebooting into safe mode and removing one file. This meant that 8.5 million machines had to be manually serviced by a technician. That work was mostly completed over the weekend.

An update causing this level of crash is extremely unusual. Many expected and normal update procedures seem to have been skipped by Crowdstrike, such as any testing of the update, or phasing the rollout of the update to go to a small selection of users at a time, either of which would have prevented or mitigated the catastrophe.

The Bottom Line: We salute the thousands of IT workers who heroically sacrificed their weekends to get the world back up and running. While this outage inconvenienced millions of people, the final effects could have been much worse. For the average tech consumer there isn’t anything you need to do, nor is there anything you could have done except, perhaps, enjoy a good book for a day or two while your banks and grocery stores recovered. If you are the sort of person who writes updates to software with kernel privileges, then this is a thorough reminder of the importance of the testing you are no doubt already doing before every single release.

AT&T Admits It Lost Data on 110 Million Customers, Latest in Snowflake Fiasco That Will Never End

The telecommunications giant AT&T will be notifying nearly every one of its 110 million customers that their personal data may have been stolen in a massive security breach, reports Data Breach Today. The affected data includes call and messaging metadata such as who was called, for how long, when, and sometimes which cell towers were used. This sort of data could help scammers identify individual targets including their location, movements, and social networks.

The data was stolen from the data warehousing company Snowflake. As we reported last month, since at least June 10th, hackers have been targeting Snowflake. At least 165 Snowflake customers have had data stolen, including the US events company Ticketmaster, which may have lost data relating to 560 million customers, as reported by Wired; US car part retailer Advance Auto Parts, with 2.3 million customers affected, reported Security Week; and the financial firm Santander, which lost account information for 30 million customers and former employees, reported the BBC.

Yet even though these are breaches of Snowflake accounts, it seems the fault lies not entirely with Snowflake. In most cases, the hackers simply logged into the Snowflake accounts using the correct password, and the vast majority of the compromised accounts were not employing multi-factor authentication, reports Google’s Mandiant division, who are working with Snowflake. The hackers’ real coup was somehow installing infostealer malware on an AT&T employee’s computer, then stealing their password to access AT&T’s Snowflake account. The same likely happened to Ticketmaster, and so many others. On its own, a copy of the password should not grant access to a critical account, because critical accounts should be protected by multiple factors, but in most of these cases, multi-factor authentication was not enabled.

The Bottom Line: Use multi-factor authentication. This entire debacle could have been avoided if that simple step were taken for each of these critical accounts. Since huge amounts of personal data have been compromised, it’s important to remain vigilant against scammers who will come armed with personal information about you. We recommend using credit monitoring services through your bank and considering freezing your credit until next time you need it. Never give personal information to unsolicited callers.

Authy Leaks Millions of Phone Numbers

Authy is a popular multi-factor authentication app similar to Google Authenticator or Microsoft Authenticator. However, a recent hack has left us wondering just how secure Authy is. According to Bleeping Computer, our old friends ShinyHunters (who you may remember from last month’s newsletter as being responsible for the Ticketmaster hack) seem to have taken advantage of an unsecured Application Programming Interface endpoint within the app. ShinyHunters claims to have 33 million phone numbers that it acquired through this vulnerability. Thankfully, the attack only stole account IDs and phone numbers, so your passwords and other important data are safe. An exposed phone number is not, on its own, all that dangerous—phone books still exist, after all—but such large lists of phone numbers can be combined with other information available from data brokers to figure out who to scam and how to approach them.

The Bottom Line: If you use Authy, consider switching to a different authenticator app. Bitwarden and iCloud Keychain both offer secure ways to generate 2FA codes. Additionally, be on the lookout for any suspicious text messages such as those requesting 2FA codes or other personal information like passwords, soliciting political donations, and suggesting you’ve lost a package.

Unreported OpenAI Hack Raises Questions

Last year, OpenAI was breached by a lone hacker, and the company has only now made the incident public. According to the New York Times, a hacker infiltrated OpenAI’s internal messaging system and was able to access “details about the design of the company’s A.I. technologies.” The company made the breach known to its employees in April 2023 but chose not to disclose the incident to the public or law enforcement agencies like the FBI. The company’s executives reasoned that because they believed the hacker acted alone, there was no threat to national security. Additionally, no customer information was stolen, so the executives did not feel the need to inform OpenAI users.

Leopold Aschenbrenner, an OpenAI technical program manager, raised concerns about the company's security, but the company did not agree with his assessment. Aschenbrenner was let go from OpenAI, though company spokeswoman Liz Bourgeois claims his termination was unrelated to his security concerns.

In our opinion, it is quite concerning that such a security breach occurred, and OpenAI chose to keep it under wraps rather than at least inform the FBI. How can one trust the company to disclose future hacks? If anything, OpenAI’s handling of this breach makes me thankful that Apple is working to make Apple Intelligence as private as possible.

The Bottom Line: While OpenAI chose to keep this breach from the public, the breach thankfully did not include any customer information. However, we would still counsel caution about trusting OpenAI, both to keep itself secure and to report future cyberattacks.

If You Own One of These Linksys Routers, Change Your Router Password

Security researchers at Belgian consumer organization Testaankoop have discovered that two Linksys router systems, the Velop 6e Mesh system and the Velop 7 Mesh system, transmit Wi-Fi passwords and network names (SSIDs) in an insecure manner during initial setup, which would permit an attacker to read the password or to make changes, reports TechSpot. If you have set up one of these router systems and then left the password alone ever since, then it would be a good idea to use the Linksys Smart Wi-Fi web portal to change your Wi-Fi password. Using the web portal is secure, but using the app is not.

Your Wi-Fi system has two important passwords, the one for the Wi-Fi (which everybody knows about since you can’t connect without it) and the one to access the router’s administration panel, which is where you would go to change your Wi-Fi name or the password used to connect. In general, it is important to make sure your router’s administration panel has a strong password, and to change that password every now and then. Even if you don’t have a Velop 6e or 7 Mesh router system from Linksys, you may take this as your periodic reminder to update your router’s admin password.

The Bottom Line: Users of Velop 6e and 7 mesh routers will need their admin password in order to access the admin panel and change their Wi-Fi password. When you change the Wi-Fi password, every device connected to the network will be disconnected, and you’ll have to go around and give each one the new password in order for them to connect again. So, while you’re at it, you might as well change the network name too, for added security. We recommend not using your address or any identifying information in your Wi-Fi network name, since the Wi-Fi network name is visible to everyone who can pick up the signal, and might help prowlers identify who owns a network to make scamming that victim easier.

 
Latest from Around the Web

Kaspersky Banned from Operating in the USA

The security firm Kaspersky, a familiar name in the market for consumer antivirus software, will be banned from operating in the United States, announced the US Commerce Department. Kaspersky is based in Russia, and has long had to navigate the perilous socio-political landscape between Russia, the United States, and the European Union. Since Russia’s war of aggression in Ukraine, the US and EU have levied sweeping sanctions against Russia, and those efforts extend into the digital domain where Russia has repeatedly violated international norms by attempting to influence elections and providing safe haven (and sometimes funding) for ransomware gangs and scammers. Kaspersky says that they are a privately managed company with no ties to the Russian government, but the Biden administration claims that Russia under Vladimir Putin has shown a willingness to weaponize Russian companies against their geopolitical adversaries. Antivirus software must run with extra privileges that make it especially dangerous if abused. Kaspersky has announced they will be winding down business in the USA, as reported by Kim Zetter and confirmed to TechCrunch.

The Bottom Line: If you use Kaspersky, it’s time to switch to a new antivirus provider. We recommend Malwarebytes.

How Secure Is Public Wi-Fi at the Olympics? Spoiler: Not very.

Kaspersky may have been banned from operating in the United States, but their researchers still write useful security blogs. In a piece posted to the Kaspersky blog, they detail how they sent a team of researchers to test the public Wi-Fi networks in Paris ahead of the Olympic games, and even there, where you’d expect a little extra effort, the picture is bleak. Kaspersky’s team detected 24,766 unique public Wi-Fi access points. Of those, only 1373, or 6%, were secured with the modern WPA3 standard that would make them safe to use. Many used older security standards, but fully 25% used out-of-date hardware, misconfigurations, and other problems that would make them easily exploitable by scammers and hackers. While Paris has undergone a significant makeover for the Olympics, these statistics indicate that their public Wi-Fi situation is still typical of large cities: a hodgepodge of hotels, coffee shops, and cafes operated by network administrators with widely varying technical skill and commitment to privacy.

The Bottom Line: Avoid public Wi-Fi, even if you are not in Paris for the Olympics. If you have to use public Wi-Fi, you could use a VPN to protect your traffic, but while this may provide some protection, VPNs are not engineered to protect you from malicious actors who share your local network, nor from untrusted networks in general (for more on that, see Leviathan Security’s writeup of TunnelVision). Wherever possible, rely instead on your iPhone’s hotspot to provide an internet connection to your other devices.

Verizon to Pay $16 Million Fine for Failing to Protect TracFone Customer Data

Not as bad as the AT&T breach, but telecom provider Verizon is also on the hook this month for failing to protect user data, reports Bleeping Computer. The Federal Communications Commission reached a settlement with Verizon which, along with the fine, requires them to update their security practices. The settlement is over allegations that TracFone, which is a wholly-owned subsidiary of Verizon, failed to prevent hackers from breaching the company multiple times between 2021 and 2023, stealing data and gaining access that enabled the hackers to perform SIM swapping attacks on an unknown number of customers. SIM swapping is where a scammer tries to take control of your phone number by convincing your phone company to switch the number to a new phone, and it can be a lot easier if the scammer has hacked the phone company in question. SIM swapping is especially dangerous because your phone number is used by many companies as proof of your identity: they send a text to that phone number, and if you can prove you received the text, then they believe that you are who you say you are. This is still the most common form of multi-factor authentication.

The Bottom Line: Banks and other critical service providers should not use phone numbers as a proof of identity, but they often do, and so we’re often stuck with it. If your accounts support other multi-factor authentication options besides text messages, ones such as authenticator apps, then we recommend switching. Your iPhone has a built-in authenticator app. To prevent SIM swapping attacks, use unique strong passwords that you don’t have to memorize by employing a password manager. This will ensure that your account with your phone carrier is protected with a unique strong password as well. Also, every phone company in the United States allows you to add an extra layer of security that will prevent your number being moved to a new device unless you enter a PIN. Here are instructions for AT&T, Verizon, and T-Mobile.

Chrome Backslides on Privacy Promises

Cookies are small files sent to your computer when you visit a web page, usually to record that you’ve logged in to that website, what items are in your shopping cart, or tons of other useful things to help fulfill the website’s function. Cookies are useful, and not automatically bad. Third-party cookies are sent to your computer from someone other than the maker of the webpage you’re visiting, such as through advertisements embedded on the page. These can be used by advertisers and data brokers to track your activity across different websites. Most people view this technique as intrusive and unnecessary. Safari, Brave, and Firefox web browsers block all third-party cookies by default, Microsoft Edge is in the process of phasing them out, and Google had promised that Chrome would end their use as well. The move to end their use is supported by the World Wide Web Consortium, the main standards body for the Internet. But now, Google has reneged on their promise, and announced that third-party cookies will remain in Chrome.

The Bottom Line: Don’t use Chrome. This is merely the latest in a long series of episodes demonstrating time and time again that Chrome is in the business of learning about you so it can sell the data. Safari, Firefox, Brave, and DuckDuckGo are all private and secure alternatives. Of the lot, Firefox offers the most similar experience and is probably the easiest to adopt. It’s free too, and if you set it up on a Mac or Windows machine, then it will import your Chrome bookmarks as part of the setup process. Safari is already installed on your device.

 
Security Updates from Apple

Next Generation of Apple Operating Systems Are in Beta

Apple has released public betas for the next versions of all its operating systems including iOS 18, iPadOS 18, macOS 15, tvOS 18, watchOS 11, and visionOS 2. These bring a suite of new features and security content, but we usually recommend waiting until the software is officially released before updating. The official releases are expected at the end of August or early September.

These operating systems will introduce the new generative artificial intelligence system called Apple Intelligence. From a privacy & security standpoint, Apple Intelligence appears to be very well-engineered to protect users. Though Apple Intelligence is not yet available in the public betas, Apple has taken the unprecedented (for them) step of making every scrap of the software that their Apple Intelligence servers will run all available for security researchers to vet, test, and verify. This is a remarkable step for Apple, and it really does increase our faith in the integrity of the system they’ve designed.

In addition to Apple Intelligence, iOS 18 and its cousins will also introduce the Passwords app, Apple’s own password manager all nicely bundled into its own app. It even works on Windows! We’re excited. For a full discussion of Apple Intelligence and its security and privacy considerations, look for our upcoming iOS 18 Live Course, which will air in September.

The Bottom Line: For hot takes on the features of iOS 18, see the iPhone Life podcast episode 213: Top iOS 18 Features Coming to Your iPhone This Fall. For how to get the betas (and why you may not want to), see How to Sign Up for the Apple iOS 18 Public Beta Program.

Mac Notification Center Leaves Text Messages Vulnerable

Until macOS 15, infostealer malware or hackers with remote access to a Mac could find the archive of notifications from the notification center and search through it for useful information such as text message contents including verification codes. macOS 15 is expected to address this vulnerability, reports 9to5Mac. When notifications are served to the user they may contain sensitive information, in particular the contents of text messages. macOS 15 beta builds fix this problem by moving the archive of notifications into a group container.

The Bottom Line: This is just one good reason to look forward to macOS 15.

visionOS 1.2 Improves Creepy Digital Avatars

If you are one of the rare owners of an Apple augmented reality headset, the Vision Pro, then you will benefit from numerous bug fixes and security updates if you install the latest version of visionOS. The security content is mostly the same as what was fixed on iPhones and iPads with iOS 17.5, but includes a few other bugs. New features with 1.2 include improvements to the appearance of Persona digital avatars—which we consider to be a security concern because video calls are one of the few ways to verify an identity and digital avatars subvert this—a few improvements to the virtual keyboard, more reliable connection to Macs via Virtual Display, support for iMessage Contact Key Verification, and more.

The Bottom Line: visionOS is still in its infancy, and every infant has to learn like crazy. Every visionOS update is likely to continue to make crucial improvements.

Flight of Security Bugs Fixed with iOS 17.6

The latest security patch for iOS, iPadOS, and most of the rest of Apple’s fleet contains no notable features but instead repairs a wide array of vulnerabilities. Among them are ways for private data to be accessed on the lock screen, for apps to crash the iPhone, and more.

The Bottom Line: Grab your updates while they’re hot.

 
Security Tip of the Month

How to Add a Security Key to Facebook

Security keys are physical devices that look like a USB key, but work like your car key, except for online accounts. You can use one to lock your Apple ID, Microsoft account, Google account, and even your Facebook account. When locked with a security key, your account is much more difficult for scammers to access, as they would need the key in order to get in. Scammers stealing access to your Facebook account is freakishly commonplace—we’ve all seen it happen to at least a few friends, if not ourselves—but adding this layer of security should completely solve that problem. Just don’t lose your security keys: once they’ve been used to lock an account, you can’t get back in without a key.

Facebook doesn’t make this easy, so I’m going to link you to our article with screenshots instead of copying all the steps here:

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.