Apple released a firmware update patching a critical Bluetooth vulnerability in AirPods, AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro. According to its support page, an adversary in Bluetooth range could spoof as an intended source device for these wireless headphones. When the targeted headphones send a connection request to the spoofed device, it could eavesdrop on confidential conversations.
According to data unearthed in a congressional probe, more than 60,000 requests by federal investigators and police captured data on 312,000 letters and packages between 2015 and 2023.
We often talk to newsrooms about dealing with data brokers — companies that aggregate and sell data from commercial and public records. According to recent reporting from TechCrunch, an alleged breach of a U.S. data broker impacted at least 300 million people. Their reporting suggests “mixed results” verifying the authenticity of the data.
In the hope of simplifying how customers can log into apps and websites, Apple has announced it will offer a new Passwords app in its upcoming versions of iOS 18, iPadOS 18, and macOS 15.
Data breach notification service “Have I Been Pwned?” has added the login information associated with 361 million email addresses. Have I Been Pwned owner Troy Hunt says as many as 151 million of these unique email addresses have never been seen in his database before. The website boasts tracking over 13.5 billion breach accounts. Some of these credentials are reportedly harvested from users’ devices infected with information-stealing malware.
Over this past week, Slack published a blog post defending its privacy practices following widespread criticism over its use of customer data to train its global AI models. At the moment, organizations are required to opt out to prevent their messages, content, and files from being mined to develop Slack’s AI.
Johns Hopkins cryptography professor Matthew Green explains that “the cryptography behind Signal (also used in WhatsApp and several other messengers) is open source and has been intensively reviewed by cryptographers. When it comes to cryptography, this is pretty much the gold standard.” By comparison, Telegram does not provide end-to-end encryption protection by default and only offers it as an option in one-on-one “Secret Chat” mode.
While it’s powerful and convenient, Google Docs might not be right for all documents, including those that you consider sensitive, private, or that you can’t risk losing. Read more about newsroom privacy and security considerations when using Google Workspace.
According to its security blog, Google prevented 2.28 million — yes, million — Android apps from being published on its Play Store in 2023. The company says it also removed 333,000 accounts for attempting to deliver malware through the Play Store, as well as for “repeated severe policy violations.” These numbers have grown substantially since 2022, when the company disclosed it prevented 1.43 million apps from being published on the Play Store.
Last week, Congress reauthorized a controversial surveillance authority, Section 702 of the Foreign Intelligence Surveillance Act. While legislators considered reforms to FISA that would restrain the federal intelligence and law enforcement community’s abilities to spy on American communications without a warrant, they in fact expanded these surveillance powers to subject more electronic communications service providers, such as U.S. cloud computing data centers, to data collection.
On April 10, Apple sent users in 92 countries warning of mercenary malware attacks targeting the iPhone. The notification did not provide details about the identities of the attackers. According to TechCrunch, Apple warned, “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”
Throughout this year, our digital security training team will share our thoughts on navigating security issues during the 2024 election season. Elections around the world experience distinct security issues that may change from year to year, but in the U.S. we look to 2020 for lessons on how to get ahead of likely issues, from surveillance of our sensitive communications to perennial phishing attacks and harassment for political reporting.
Following a class-action lawsuit over Google’s handling of user data in its Chrome browser’s “Incognito” private browsing mode, the search company will expunge “billions of event-level data records that reflect class members’ private browsing activities” improperly collected before January 2024. It also updated its Incognito landing page to highlight that even Google can discern your activities in private browsing mode. Additionally, the company will be required to delete data that makes users’ private browsing data personally identifiable, such as IP addresses.
The U.S. Department of Justice filed an antitrust lawsuit against Apple, claiming the company engages in monopolistic practices over the smartphone market, preventing competitors by degrading the experience of communicating with non-Apple users in its products. iMessage features prominently in the suit, with the DOJ alleging consumers are disincentivized to leave its “walled garden” and so miss out on unique features built into the iMessage protocol, including end-to-end encryption between Apple users.
We recently shared news of Mozilla’s partnership with data removal service Onerep. Through a service it calls Mozilla Monitor Plus, Onerep is designed to automatically scan for personal information on data broker websites. But journalist Brian Krebs has found evidence that the founder of Onerep, purveyor of anti-data broker services, himself created dozens of data broker services. Read more.
Under the new European Union law, the Digital Markets Act, Meta is required to allow interoperability between third-party chat software and its WhatsApp and Facebook Messenger apps. These tools offer end-to-end encryption using the Signal protocol, the strong encryption specifications pioneered by the Signal encrypted messaging app.
Both in the U.S. and abroad, governments are capturing encrypted connections that pass over the public internet and saving them for later use. Within years or decades, post-quantum computers could meaningfully shorten the amount of time required to unscramble encryption, allowing attackers to read previously private messages. So a growing number of organizations, including Apple, are preparing for attacks like these with post-quantum encryption. Read more in our newsletter.
Aye hearties, gangway — the Avast cor-pirates are walking the plank. That’s because the company sold user data without consumers’ knowledge, according to the Federal Trade Commission, which ordered U.K.-based Avast Limited to pay $16.5 million and will also bar the antivirus company from selling or licensing browser data for advertisements. Read more in our newsletter.
This week, security nerds are dancing in the streets because Signal, the encrypted messaging app, is finally rolling out usernames. Signal has previously required users to provide their phone number as an identifier, but with this most recent update, users may instead use a username. Read more in our newsletter.
Hundreds of data brokers aggregate and sell access to personal data, such as phone numbers, emails, addresses, and even purchasing habits collected through loyalty card programs, social media sites, apps, trackers embedded in websites, and more. Mozilla has a new monthly subscription service which automatically scans for your personal data on data broker websites, but there are other ways to make your data less easily searchable. Read more from the Digital Security Team.
Instead of traditional passwords, where you log into a website with credentials that you know or store in a manager, a passkey is a credential that you store on your device, registered with an online account. Read more in our newsletter.
Mercenary spyware firm NSO Group’s Pegasus spyware, designed to remotely access targeted smartphones, is marketed to governments around the world for the purposes of law enforcement and counterterrorism. But in the wild, we’ve seen governments repeatedly abuse this and similar spyware tools to infect journalists, spying on their most sensitive files, communications, and sources.
Thieves don’t just steal iPhones for the hardware — they may also want access to banking apps and Apple Pay to facilitate fraudulent transfers and purchases. One thing that works in thieves’ favor is that people often use short passwords that are easy to shoulder surf and to memorize — typically only six digits. To minimize this risk, instead of typing in passcodes, where possible and practical consider opting for Face ID or Touch ID when unlocking the phone in public spaces.
If you have found your email in a data breach and the affected account is still active, you’re going to want to change the password for the relevant service right away.
On Jan. 9, 2024, the U.S. Securities and Exchange Commission’s account on X, formerly known as Twitter, was hijacked and used to post about the approval of a Bitcoin exchange-traded fund. This could have happened to anyone, whether an individual or a well-resourced organization. Learn how to mitigate similar attacks in this week's edition of our digital security digest
Join our email list to stay up to date on the issues and learn how you can help protect journalists and sources everywhere.
