Privacy & Security  
April 2024 Edition

Editor's Note

Hi Insiders, Cullen here.

From AT&T’s big breach to the hijacking of Roku devices to hotel keycards that are easily duped, there have been a few headlines worth noting this month. I’m also taking a closer look at a specific strain of MacOS malware called Atomic Stealer, which has been the shadow lurking behind a few of the headlines we’ve covered this year. Have you encountered any novel scam techniques that other Insiders should know about? Send us an email at security@iphonelife.com (or reply to this message).

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life

In This Newsletter:

  • Top 3 Security Skills of the Month: What to practice based on the stories below.
  • Security Updates from Apple: What we know about Apple's security patches and updates.
  • Common Hacks, Scams, & Trouble: A selection of illustrative threats from the last month.
  • Latest from Around the Web: General privacy & security news for Apple enthusiasts.
  • Security Tip of the Month: Highlighting one of our daily tips to quickly help you secure your privacy.
 
Top 3 Security Skills of the Month

Three things you should do right now that aren’t part of your regular privacy & security hygiene routine. Read on to see why you should:

  • Check to see if you were exposed in the AT&T breach.
  • Change your Roku password and check your Roku account purchases.
  • Check to see if you got an email from Apple support.

For a complete list of our top security recommendations, view our course: Privacy & Security for Apple Enthusiasts in 2024, all included in your iPhone Life Insider subscription.

 
Security Updates From Apple

No New Updates Since iOS 17.4.1 and MacOS 14.4.1

Quiet month on the update front, but no news is good news.

The Bottom Line: As always, it’s a good idea to update your devices to the latest operating system version.

 
Common Scams, Hacks & Trouble

AT&T Notifies Users of Data Breach

Telecommunications giant AT&T has finally notified about 7 million of its current subscribers and 65 million former subscribers that their data may have been exposed in a breach. It may include customer passcodes, social security numbers, email addresses, phone numbers, and birth dates, but does not include any financial information.

The breach itself probably occurred somewhere around 2019, based on the data it contains. At that time, Malwarebytes reports that a hacker going by the name of ShinyHunters claimed to have hacked AT&T, but the company denied it. Starting in 2021, security researchers began noticing evidence of a large data set available to hackers which contained information on AT&T’s customers, but the company remained mute. In 2022, security research team Hold Security intercepted another chunk of AT&T’s user data being sold on the dark web, which seemed to have been stolen around late 2018. The company continued to deny it, saying it didn’t come from their systems, but probably from one of their contractors. Finally, in mid-March 2024, the latest data dump appeared that closely resembled the previous sets. This time AT&T has acknowledged the data is on 7.6 million current subscribers of AT&T and more than 65 million former subscribers. AT&T still denies that they had a breach: they continue to claim that the data was lost by one of their contractors, though they’ve never said which one.

The Bottom Line: If you or someone you know was a customer of AT&T any time in the past two decades, you should go to your AT&T portal and change your password. AT&T may have forced a password reset. You should also change the password for any other accounts that use the same credentials. It would be a good idea to invest in credit monitoring or to freeze your credit. Malwarebytes has a free tool to check if you are exposed in the AT&T data breach.

About 3 Million Hotel Keycard Locks Aren’t Safe

Hotel room door locks made by the company Saflok have a vulnerability, discovered at the company’s request by a team of security researchers, that makes it easy to forge a working keycard. Exploiting the vulnerability requires access to a keycard from the hotel or housing unit, from which a set of cards can be forged that are capable of opening any door in the same hotel. Other devices with NFC capability can substitute for the forged card, so affected Saflok locks could be opened with any Android phone with NFC capability or by devices like the Flipper Zero. The hacker simply needs knowledge of the exploit and an example card, such as one from a room they rent. Affected models of Saflok have been on the market since 1988, so even though the researchers are not aware of any examples of the exploit in use by criminals, it’s still possible and even likely that it has been used.

The researchers who discovered this vulnerability have dubbed it Unsaflok and published a website to educate the public about its dangers; however, they have not published how this attack is accomplished. While a fix is available, it requires that hotels update each lock individually, replace some locks, and upgrade the hotel’s keycard creation system. This is expected to be implemented very slowly across the 3 million affected locks.

The Bottom Line: If you find yourself staying in a hotel with a Saflok door system (pictures on the researchers’ website), make sure to employ the chain or slide bar internal lock. The deadbolt isn’t enough: it’s also controlled by the keycard. Of course, hotel keys have never been a foolproof system—any number of service staff can unlock them—so it’s usually best to assume your hotel room isn’t a secure place to store valuables when you’re not around.

A Look at Atomic Stealer

In the past four months we’ve posted several headlines about malware targeting MacOS along with new things to look out for, but behind most of these stories is a single program: Atomic Stealer. This popular malware is constantly evolving, and criminals keep engineering new ways to smuggle it onto your computer, so I thought it was worth taking a moment to understand what it does once it’s there.

Jamf Labs (full disclosure, a one-time sponsor of iPhone Life) has done an interesting writeup of how Atomic Stealer works. One useful detail is how it will simply ask the user for permission to access their keychain and credentials. When you install or update an app, you’re used to seeing a system pop-up asking you to enter your admin password to allow the app to install. Atomic Stealer will impersonate that system pop-up, so when it asks for your password you don’t think twice. Once it’s got your password it unlocks your keychain and steals all the rest of your passwords, your session cookies from your browser, and anything that looks like it could be related to cryptocurrency. Using a third party password manager with a different password from your Apple ID would mitigate this risk, since even if you give away your Mac’s admin password, that would not unlock your password vault.

Atomic Stealer has been smuggled onto Mac computers in a variety of ways, including through paid ads on Google for popular free software. When you google something familiar like Arc Browser (where Jamf found it) or Slack (as reported by Malwarebytes) and click the top (paid) link, you may not get the Arc Browser or Slack website but instead a criminal imposter that will serve you a copy of the program that has Atomic Stealer stuffed into its code like angry Greeks inside a wooden horse. When you go to install, you’re already expecting that system pop-up to ask for your password. It’s also been distributed as fake browser updates, where a malicious website will warn that to view a page you must update your browser. Download this “update” and surprise! It’s Atomic Stealer again. Way back in January, it was found in torrent and video game pirating websites by SentinelOne, where it was likely hiding inside free games and cheating software. One reason it appears in so many places is that Atomic Stealer is developed by an active team that rents the software out to other criminals, a sort of white-box crime tool available at the low price of $3,000/month, according to Malwarebytes.

The Bottom Line: Be wary of paid links at the tops of Google searches. These have lately been used by scammers. Always double check the web address and domain of the website you’re on to be certain that it’s correct before you download anything! You can add extra depth to your defenses by keeping your passwords in a third party password manager secured with a different password than you use on your Apple devices, as well as with a FIDO2 WebAuthn hardware key.

Apple Notifies Users in 91 Countries that Their Devices Are Targeted by Mercenary Spyware

iPhone owners scattered through 91 different countries received an email from Apple warning them that their devices were the target of “mercenary spyware,” with some individuals warned for a second time that they have been the targets of ongoing spy efforts by state actors, reports Reuters. In the past when Apple notified users of similar threats they’ve used the term “state-backed attackers” but this time they switched up their language to refer instead to mercenary spyware. In either case this is an allusion to the brand of top-shelf spyware, such as Pegasus or Predator, developed in the private sector and licensed to governments to use against their enemies. Because of the complexity of this sort of software and the associated maintenance costs, it’s typically only used against specific targets of interest, not the general public. That said, individuals may not know that they are considered high value targets by some government agency, especially if it’s a foreign government. For example, if you are related to someone with security clearance, or friends with someone who does activism work, then your device could be targeted in a long term plan to try to gain access to your friend or coworker.

Spyware of this tier is typically very powerful, capable of tracking the phone’s location, reading text messages, extracting Face ID data, reading passwords, and even sometimes of installing on iPhones without their owners having to do anything (so-called zero-click exploits). The specific features often change or evolve due to Apple’s efforts to fix the vulnerabilities in iPhones that make each feature possible.

How to identify an official warning from Apple:

  • The warning is delivered as an email to the address used in the device’s Apple ID
  • The email is from an official Apple support email address
  • The email does not contain any download links, only the warning.

Apple will never send you a pop-up warning about malware (especially not in a web browser), nor offer to scan your device, nor try to install anti-malware scanning apps. If you see these kinds of behaviors, you’re probably on a malicious website. If an email contains a download link and claims to be from Apple warning about malware, then it is probably a scam, not a real Apple email.

The Bottom Line: If you have received an email from Apple support warning that you are the target of mercenary spyware, then you should take that matter very seriously, set your iPhone to Lockdown Mode, and proceed to lock down all of your accounts with the most secure possible settings. If you think you received an official mercenary spyware email from Apple, we’d like to see it! You can forward to security@iphonelife.com.

Half a Million Roku Devices Hacked

Roku is an operating system used by many smart TVs and streaming media players. It lets users control the smart device to select streaming services, and it harvests a fair amount of user data for advertising profiles. Hackers have been taking over Roku accounts using the old-fashioned technique of trying out passwords stolen from other services. Some 15,000 Roku accounts were breached this way in March and another 576,000 in a separate hack in April, reports Variety. These accounts didn’t contain credit card information, but control of the account does permit the hacker to make purchases of streaming services and Roku devices.

In response, Roku has forced multi-factor authentication for all its accounts, including those that were not affected by the breach. They also updated their terms of service to change how claims against them by customers are arbitrated. Notice of this change was served in a way that forced users to accept the updated terms or they could not continue using their Roku device. Not a great look, Roku.

The Bottom Line: If you own a Roku device, it’s worth changing your password for your Roku account and for any other accounts that use the same password. You may also want to keep an eye on your bank statements for unexpected Roku device purchases.

 
Latest from Around the Web

Google Forced to Delete Data Collected from Chrome ‘Private Browsing’ Sessions

Turns out Incognito mode isn’t so incognito after all. A lawsuit filed in 2020 alleges that Google failed to provide the privacy it guaranteed through Chrome’s Incognito mode. Instead, Google continued to track and collect data on users even when Incognito claimed to keep their browsing sessions private, reports Thomas Claburn at the Register. While Google initially tried to have this lawsuit dismissed, it eventually agreed to settle. According to the settlement, Google still collected “communications, including identifying information and online browsing history” whenever users of Chrome, Safari, Edge, and Internet Explorer who were not logged into their Google accounts visited non-Google websites containing Google tracking or advertising code. The settlement also requires that Google “delete and/or remediate billions of data records” that it had collected since 2016. While it is extremely concerning that Google was even collecting this data in the first place, it is reassuring that the company is forced to delete it. However, one wonders how many other organizations, like Google, are tracking and collecting data even when using private browsers.

The Bottom Line: It is important to keep in mind that Incognito and Private Browsing modes are great for keeping your activity private from others who might share your phone or computer, but they do not make you completely anonymous on the web. Your traffic is still visible to your internet service provider, and, as we’ve now seen from Google, identifying information may still be collected by third parties. Using a privacy-focused browser such as Safari, Firefox, Brave, or Duck Duck Go, can improve your anonymity, but for sensitive tasks consider temporarily enabling a trustworthy consumer VPN such as NordVPN.

Personal Information Removal Services: Duck Duck Go Privacy Pro Joins Mozilla Monitor

Data broker websites may list all kinds of information about you, from public information about your real estate purchases to private information like lists of known associates and interests based on your advertising profiles and device location history. Scammers use these services to help them engineer scams against you. Last month, I mentioned that you could try Mozilla Monitor’s paid service to get some of your personal information removed from these data broker websites but that I hadn’t tried it myself. Now Duck Duck Go is launching a competing service called Privacy Pro, which includes a VPN.

After a month of using Mozilla Monitor I’m a little less than thrilled with it—as of this writing my dashboard at monitor.mozilla.org just says “all fixed here” with a thumbs up picture, but if I click on “see what’s fixed” it still lists 258 data broker sites as “in process” meaning they’ve been asked to take down my info, but haven’t yet. That doesn’t qualify as “fixed” to me. Of the 226 data broker websites that Mozilla Monitor claimed to have finished fixing, I found that at least 2 still had information about me listed. But this is more or less what I expected: they’re going around to 500+ shady websites on your behalf and asking them all very nicely to please take your data down. There’s currently no mechanism by which these takedown requests could be enforced.

The Bottom Line: We’ll test out Duck Duck Go’s service for the next month and let you know how it stacks up. I’m expecting similar results but hoping that they’ll offer a more transparent interface and explanation. In the meantime, if you’ve tried out Mozilla Monitor or a similar service, let us know how it worked for you by emailing security@iphonelife.com (or replying to this email). You can always take the manual approach with Yael Grauer’s Big Data Broker Opt Out List.

China Forces Apple to Evict Secure Messaging Apps from the Chinese App Store

China has ordered Apple to remove a group of popular social media and messaging apps from its app store, including Meta’s Threads and WhatsApp, as well as the encrypted messaging services Signal and Telegram, reports the Wall Street Journal. Apple complied. This reduces the number of ways that Chinese citizens can communicate with foreigners. Signal and Telegram are particularly popular with activists and other privacy-conscious users, and the preferred way for whistleblowers to contact reporters.

The Bottom Line: If you are traveling to China, you will still be able to keep whatever apps are currently installed on your iPhone. However, the Chinese version of the iOS App Store will not feature these apps. If you need to securely communicate with people in China, iMessages may be your best bet, though make sure that both parties are using iPhones with good connections, and both parties have either turned off iMessages backup in iCloud or else enabled the Advanced Data Protection for iCloud feature that will encrypt the iCloud backups of iMessages.

European Commission Rules that iPads Must Offer Third Party App Stores in the EU

It’s not just iPhones that will be getting access to third party app stores in the EU. The European Commission has ruled that Apple’s ownership of the iPadOS platform qualifies it as a gatekeeper, controlling access to a crucial marketplace for businesses to reach their customers. Under the Digital Markets Act, this ruling places strict obligations on Apple to serve, in theory, as a more neutral arbiter of their marketplace, including the requirement to permit third party app stores and in-app purchases. This same ruling was applied to iPhones in September of 2023, though iPhone users based in the EU are only now seeing the rollout of their first third party app stores.

The Bottom Line: As with iPhones and also with Macs, we still recommend only installing apps directly from the Apple app store. Even there, Apple’s app review process is not foolproof. There is no substitute for your own informed discretion.

 
Security Tip of the Month

How to Use iCloud Private Relay

iCloud Private Relay comes with any paid iCloud subscription and anonymizes your browsing activity in the Safari web browser (not other web browsers), helping to prevent websites from tracking you and collecting your data. It’s fairly stable and safe to use—I’ve never had any problems—however it’s possible that some websites may not function properly when you use an anonymizing tool like iCloud Private Relay. If you are having trouble conducting important business on the internet while using Private Relay, you may need to temporarily disable it.

To turn on this feature, navigate to Settings > Apple ID > iCloud > Private Relay and toggle on Private Relay.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter is written by me, Cullen Thomas, with contributions from Rhett Intriago, edited by Donna Schill.

 
Copyright © 2025 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.
Mango Life Media LLC | 402 North B Street | Fairfield, IA 52556