• 🗒️✅ Your Security Checklist
• 🏆🎖️ Test Your Security Skills
• 📰 Your Weekly Security Update
• 🤨 This Should Be on Your Radar 📡
• 🙈 Security Fail of the Week 👎
• 🍎📱 Security Updates from Apple 🍎

If you take nothing else from this newsletter, do these three things to protect yourself:

1. Do not interact with pop-ups warning you that your iPhone has a virus. These virus warning pop-ups are fake and will attempt to steal your information if you click them.
2. Lock your private notes with a unique password. Locking your notes prevents anyone other than yourself from accessing them. However, this should not be used as a substitute for a password manager.
3. Use a password manager to keep your passwords secure. A password manager, like the Apple Passwords app, remembers your passwords so you don’t have to.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

What should you do in the following scenario?

🤔 Your email address appears in a data breach, and haveibeenpwned.com says “Oh no — pwned!”

1. Close that email account.
2. Change the password for that email account.
3. Change the password for that email account, and make sure that you’re using a strong multi-factor authentication method there, such as a passkey or a hardware key.
4. Change the password for that email account, stop using that email account and switch to a new one.

Scroll to the bottom to see how you did!

Cybersecurity firm Kaspersky released a report last week in which it claims that over 7 million streaming service accounts were breached last year. These accounts include Netflix, Disney+, Amazon Prime Video, Apple TV+, and Max. It appears that users in Brazil, Mexico, and India are most affected by this breach, though other countries like Great Britain, Germany, Canada, and Japan were also included. Kaspersky believes cybercriminals were able to obtain login credentials to these streaming services through unofficial downloads, such as browser extensions and compromised apps.

Thankfully, there’s not too much that cybercriminals can do with streaming account login information, since these sites do not show payment info even if you are logged in. All of the affected services also offer two-factor authentication, so a password won’t be enough to access the account anyway (assuming the affected users have 2FA enabled). However, anyone who uses the same password across multiple accounts is in danger of having those other accounts compromised too.

The Bottom Line: You should be using a password manager to create and save strong, unique passwords for every account. This will prevent all of your accounts from being compromised if only one password is discovered. Additionally, we strongly recommend enabling two-factor authentication for any account that allows it. Lastly, avoid installing browser extensions, especially shady ones from unfamiliar developers. Only use the official app for a service, never a third-party alternative. For example, for Netflix, use the Netflix app, not any other app advertising access to Netflix.

Related: Best Password Manager for Your iPhone

Your Social Security Number May Be in This Data Broker’s Security Breach

Data broker Lexus Nexus has announced that the personal data of some 364,000 people may have been affected by a security incident with an unknown party. The data includes home addresses, social security numbers, and more. TechCrunch has the full story.

The Bottom Line: So far, there is no way to know if your data is exposed in this breach. That said, the digital hygiene steps outlined in our security course include using a privacy-preserving web browser, a VPN, and a data takedown service can help reduce your exposure to breaches like this. In the US, we badly need a general consumer privacy law to help police data brokers.

Phantom Database of Stolen Passwords Appears, Then Disappears

Like a ghost ship sighting, security researcher Jeremiah Fowler spotted an unsecured database on the internet containing 184 million records of passwords, as well as the email address or username and the account or service it would unlock. The credentials seemed to belong to accounts across Apple, Google, Microsoft, and lots of other services, and Fowler sent emails to a few of the addresses and got a few genuine responses, proving they were active. However, before he could research further, the database vanished. Wired has the full story.

The Bottom Line: Always use multi-factor authentication for your online accounts. As with the story above, there is no way to know if your passwords or accounts were in this database. However, if you use multi-factor authentication, then your accounts should be safe. Databases like this, which contain usernames and passwords, are fairly common on the black market, but the combination of a username and password will not get access to your account if it is secured by strong multi-factor authentication, such as a passkey or hardware key.

Scammers Use GenAI to Lure Victims into Downloading Malware, Warns Google

We reported two weeks ago about the danger of fake GenAI services that offer to turn a photo into a video, but instead of a video, they send you malware. Now Google’s Threat Intelligence blog has written up the scam.

The Bottom Line: Continue to be cautious about files you download from the internet. Always check the file type to make sure the file is of the type you intended to download. For example, if you intend to download a video, then file types that end with .mov or .avi would be expected. Be especially wary of files with multiple file type extensions. It’s always a good idea to do a little research into a new website or service to make sure it’s legitimate.

Can GenAI Personas Fool the Government?

According to a Wall Street Journal investigation, someone seems to be trying to use a GenAI persona to impersonate the White House Chief of Staff, Susie Wiles, in text messages and other communications sent to a swath of leaders in the US, including senators, governors, and business bigwigs.

The Bottom Line: GenAI systems can analyze sample recordings of someone’s voice and generate new audio sounding just like them, saying anything the creator likes. Since audio samples of important public figures are widely available online, an audio voicemail would be extremely easy to fake. To combat this, consider establishing lines of expected communication and distrusting messages that come from outside those lines. Always insist on in-person or video meetings to verify identities. Use Apple’s contact key verification where possible, or the equivalent feature on Signal.

EU Developing Digital Age Verification Tool

Last week, we reported that Texas would soon be passing a bill that would require the App Store and Google Play Store to verify the ages of users before allowing them to download apps. Well, now the European Union has announced it is working on a tool that will allow users to verify their ages through the government rather than through Apple or Google. The privacy-focused solution is designed to work with the EU Digital Identity Wallet so that users can easily access age-restricted sites and apps without having to turn their ID over to third parties.

The Bottom Line: A government-issued app seems like the ideal solution to the age verification dilemma that’s becoming a bigger issue every day. Although that depends entirely on how much one trusts their government to develop a secure and private app in the first place.

Mozilla Firefox Extension Store Will Scan for Crypto-Stealing Extensions

Web browsers, including Chrome and Firefox, offer expanded features through their extension stores. Browser extensions are tiny programs that add on to the features of your web browser with things like an ad-blocker or a new color palette for your browsing tabs. We have long warned about the dangers of web browser extensions because any browsing extension capable of doing anything worthwhile will likely need to be able to see everything you do on the internet in order to function. But another danger of browser extensions is cryptocurrency theft. Many cryptocurrencies are stored in browser extensions. So, thieves have developed innocuous-looking browser extensions that, when installed, will scan to see what other extensions are already installed; and if any hold crypto, they steal it. Mozilla is now adding a capability to its browser extension store to scan new extensions for this malicious capability.

The Bottom Line: In general, we still recommend avoiding browser extensions except for your password manager and ad blocker. If you must store some cryptocurrency, we recommend using a dedicated hardware wallet.

US Sanctions Network Cloud Services Used by Pig Butchering Scammers

The scamming industry has few darker topics than pig butchering, which accounts for billions of dollars in theft each year. The scammers develop relationships of trust with their intended victims over weeks or years, and then eventually invite the victim to invest in a cryptocurrency. They allow the victim to withdraw funds from their fraudulent investment account at first, to prove that it is real, and then pressure the victim to invest more heavily, including by taking out loans. Once the victim has no credit left to invest, the scammer empties the account and disappears. Victims often lose everything — retirement, college fund, mortgage, credit score — everything. To make matters even worse, the scam’s perpetrators are often working under duress: victims of human trafficking forced into prison compounds in Southeast Asia where they must work cryptocurrency scams under threat of torture or death. These scams account for billions of dollars in revenue for those regions, and with so much money involved, local governments have proven unwilling to crack down. However, with so much money involved, that also affords an opportunity to apply pressure to the services and infrastructures needed to move and manage all that money. The US is sanctioning a cloud services provider called Funnull that has been caught providing the complex infrastructure necessary to evade safety systems and show scam websites to victims.

The Bottom Line: Destroying such a powerful conglomerate of criminal enterprises, with such extraordinary funding at its disposal, will require a coordinated international effort across many different angles of attack. This sanction alone is unlikely to reduce your risk of pig butchering, but it is one offensive in the war. Continue to protect yourself and your friends and contacts by insisting on video calls to verify the identities of your online contacts (even though live video can now be spoofed with AI, it’s still your best bet) and by treating cryptocurrency investment opportunities with skepticism.

Unsecured Databases Are a Common Mistake, but This One Included the Blueprints to All of Russia’s New Nuclear Silos

It’s hard to imagine a secret that is more secret than the blueprints to a new nuclear missile launch facility. One of the most important truisms of defense is if an attacker knows enough about your defenses, they will find a weakness. To put it mildly, it would be bad for the wrong people to learn the specific weaknesses of a nuclear weapon storage and launch facility. Well, it turns out that Russia is modernizing its nuclear arsenal, including building new silos for its nuclear missiles. And it further turns out that they have a new super-encrypted, super-classified computer system for the documentation used by the government construction contractors who are building those facilities. But a bunch of those construction contractors never switched completely to using the new secure system. As a consequence, investigative reporters at the Danish news agency Danwatch and the German news agency Der Spiegel gained access to thousands of blueprints for new nuclear weapon storage and launch facilities. The Danwatch report is some astonishing reporting.

The Bottom Line: If you happen to be a government contractor working on a secure facility, this would be a good reminder of how important your digital security practices really are. Even if you don’t have the job of defending nuclear weapons, it’s still worth keeping track of what documents you upload to cloud hosting servers, and how those servers protect your data.

Everything you need to know about Apple’s latest software updates.

• The most recent iOS and iPadOS is 18.5
• The most recent macOS is 15.5
• The most recent tvOS is 18.5
• The most recent watchOS is 11.5
• The most recent visionOS is 2.5

The correct answer is C: Change the password for that email account, deauthorize all current sessions, and make sure that you’re using a strong multi-factor authentication method there, such as a passkey or a hardware key. When a password is compromised, you of course have to change it to a new one, but if a crook is already logged in, then changing the password will not always automatically log them out again. There is usually an option to deauthorize all current sessions, which would evict anybody currently using the account. Then, if you want to secure your account, it’s a good idea to use a passkey or hardware key.

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Sarah Kingsbury.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

Interested in protecting your iPhone data from thieves? Check out:

• Instantly Protect Yourself on iPhone with Emergency Reset
• Set Your iPhone to Automatically Erase All Content
• Review Who Has Access to Your Private Data

If you enjoyed this newsletter, you’ll love all the security content available on iPhone Life Insider!

This premium subscription includes:

• The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors
• In-depth guides on everything from security to iPhone photography to other Apple devices
• Daily, bite-sized video tips on topics ranging from iCloud security to password management
• A digital subscription to iPhone Life Magazine, where you’ll find articles covering the best security gear, apps, and in-depth how-tos
• The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure
• Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content
• Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group

Join the Insider community today and save 30 percent!