
Security Friday: Passkey Vulnerability, That Old LastPass Breach, X Down Again, and lots more…

Hi Readers, Cullen here. It's been a couple of months now that we've been sending you a weekly Security Friday update (before that this was a monthly newsletter), and we already have over half a million subscribers!
This Newsletter Is Brought to You By:
🗒️✅ Your Security Checklist

If you take nothing else from this newsletter, do these three things to protect yourself:

  1. Use iCloud Private Relay to hide your IP address and keep your browsing activity private.
  2. If you need to share a password with a friend or family member, create a password-sharing group to keep your usernames and passwords secure.
  3. Apps will often ask for permission to track your activity both inside and outside the app. On the iPhone, you can ask apps not to track you to help maintain your privacy.

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

 
🏆🎖️ Test Your Security Skills

What should you do in the following scenario?

The company that maintains your password manager app announces it has detected a security breach and user data may be affected, but gives no further details. What should you do? 🤔

  A. Switch to a new password manager: download your archive from the old password manager, delete the old account, and upload your archive to a new password manager service.
  B. Change the password for each of your critical accounts.
  C. Both A and B.

Scroll to the bottom to see how you did!

Stop Spam at the Source

Incogni wants to help you take back your data by dealing with data brokers on your behalf to get your information off dark web lists and people search sites. Sign up for Incogni today and save 55% using code IPHONELIFE.

 
Are Passkeys Phishable?

All three major browser engines (Chrome and Edge, Safari, and Firefox) have now shipped updates patching a clever vulnerability that allowed passkeys to be phished. Phishing is the common scammer technique of tricking you into giving up access to your accounts by getting you to enter your credentials on a look-alike web page. Passkeys are a high-tech replacement for passwords designed to be phishing-proof: instead of a username and password, your iPhone holds a cryptographic key that is unlocked with Face ID or Touch ID and only works for the site it was created for. Being unphishable is a passkey's one job, so a new technique that phishes passkeys is quite an achievement on the attacker's part, almost worth filing under security fail of the week. That said, the technique only works against mobile phone browsers and requires the attacker to be within Bluetooth range of your phone while the phish is attempted, so within spitting distance. With the browser fixes now out, this adds up to a threat that is hard to execute and not something a scammer could run at scale from the safety of their couch.

The Bottom Line: Passkeys are still the best way to protect your accounts.

 
🤨 This Should Be on Your Radar 📡

No, the US Gov Is Not Letting Russian Hackers Run Wild

Most prolific hacking, and almost all scamming, is done these days by criminals working within organized crime structures akin to a mafia or a gang. Criminal networks like these can be disrupted and their scamming slowed or halted, which is good for every one of us, but that requires constant effort from law enforcement and, when the criminal hackers are overseas, from intelligence agencies. Three major news stories circulated in early March, each alleging that a different US government cybersecurity-focused agency had, in a different way, been ordered to stop treating hackers based in Russia as a threat. The reporting is a little scattered, but Kim Zetter at Zero Day has a complete rundown of what has been reported, detailing what is confirmed and what isn't. There is too much detail for a brief summary of this highly politicized topic, but it's fair to say both that the diplomatic talks around a Ukrainian ceasefire are a good reason to slow down US hacking operations against targets in Russia (you wouldn't want to disrupt the talks), and that the reduction in activity allegedly goes further than that would require.

The Bottom Line: The US has not ceased all operations against Russian hackers and cybercriminals.

Remember the LastPass Breach in 2022? We Finally Know What They Were After

The LastPass password manager suffered a security breach in 2022, and the attackers made off with copies of customers' still-encrypted password vaults. In the years since, researchers have suspected that the thieves were working through those stolen vaults offline, cracking weak master passwords to decrypt a few high-value entries and using them to drain cryptocurrency wallets, including one $120 million theft and a string of others. The FBI and Secret Service have now agreed with that assessment. Brian Krebs at KrebsOnSecurity has the full story.

The Bottom Line: If you used LastPass in 2022, change any password you're still using from that time, starting with the old master password anywhere you reused it, and treat any cryptocurrency seed phrase that was stored in that vault as compromised.

Russian Propaganda Group Influencing genAI Answers On News Topics

If you can control what news people read, you can strongly influence what they think on important topics. Today, many people turn to genAI systems like ChatGPT instead of search engines like Google when asking about the latest news, and propaganda departments have taken notice. NewsGuard has found that a Russian propaganda network named "Pravda" has been deliberately seeding the web content that popular AI chatbots train on and retrieve from with disinformation. The group's goal is to shape genAI summaries so that American and European readers consume pro-Russian propaganda. According to NewsGuard, over 3 million propaganda articles have been pushed into the data feeding genAI systems, and the chatbots tested repeated those narratives in up to 33% of their responses on relevant news topics.

The Bottom Line: It is better to read your news in the carefully chosen words of reputable experts and avoid AI summaries. But, as experts ourselves, we might be biased.

AI's Big Bet: Are You Ready?

Investing is about recognizing patterns. Amazon's early days shaped e-commerce; AI is shaping everything else. This exclusive report from The Motley Fool highlights one company at the forefront of this revolution—an investment opportunity too promising to overlook. Learn how this technology is reshaping industries and driving market caps that could outpace even the tech giants we know today. Don't miss out—read the report now.

Bank of America Hit by Data Breach

Bank of America has begun warning customers of a data breach that may have exposed sensitive customer information. The bank uses a third-party vendor for document destruction, and some documents were found outside their secure containers. That means customer information such as first and last names, addresses, phone numbers, Social Security numbers, account details, and more could have been exposed. The breach does not appear to be widespread: Bank of America's notification stated that at least two customers in Massachusetts were affected, though the full count has not been disclosed.

The Bottom Line: Bank of America is offering a subscription to an identity theft protection service to affected customers. If that's you, we definitely recommend taking advantage of the offer, or using identity theft protection through your own vendor of choice, and, since Social Security numbers may be involved, consider placing a credit freeze with the three major credit bureaus.

Mozilla Rewrites Terms of Use to Clarify It Does Not Own Your Data

Mozilla recently changed its terms of use and privacy policy to include vague language about how the company can use its users' data, leading to significant backlash. In response, Mozilla has rewritten its terms of use to clarify that it does not take ownership of user data in any way. I, Cullen, think this was mostly much ado about nothing, but as we see more and more companies helping themselves to our data, especially to train genAI systems, it's understandable to want to keep a sharp eye on updates to terms of service.

Meta Whistleblower Alleges Censorship Misconduct

Sarah Wynn-Williams, a former Meta executive who was responsible for the company's policy in regard to China, has filed a whistleblower complaint against the company. The complaint alleges that Meta misled investors about how much censorship power it was willing to hand to the Chinese government in order to gain access to the Chinese market.

Wondering Why X (Twitter) Went Down Again? It's Hacktivists

On Monday, March 10th, X (formerly Twitter) suffered a series of worldwide outages that prevented thousands of users from accessing the site. DarkStorm Team, a pro-Palestinian hacktivist group, claimed responsibility for the attack. Hacktivist groups are hackers who, purportedly, use hacking as a form of protest to draw attention to a cause. They frequently use large networks of compromised computers and devices (botnets) to flood a website or web service with more requests than it can handle, knocking it offline temporarily. This kind of disruptive vandalism is called a Distributed Denial of Service (DDoS) attack.

The Bottom Line: A DDoS attack is not a break-in and does not by itself compromise user data; it simply makes a website or web service unavailable for a while. Your X user data is safe from this kind of activity, though you may be temporarily unable to log in to X.

Secure Your Home Devices for 72% Off in Nord's Birthday Sale!

A VPN service is a crucial part of your online security toolkit. Even smart devices can be a risk to your home network, and a VPN can protect you from hackers. Sign up for NordVPN today and get 72% off in an exclusive iPhone Life deal!

 
🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple's latest software updates.

  • The most recent iOS and iPadOS is 18.3.2
  • The most recent macOS is 15.3.2
  • The most recent tvOS is 18.3
  • The most recent watchOS is 11.3.1
  • The most recent visionOS is 2.3.2

iOS 18.3.2, released on March 11, 2025, includes a critical security patch that supplements a fix first shipped in iOS 17.2. The bug is in WebKit, the engine behind Safari and most other iOS browsers, and could let maliciously crafted web content break out of the Web Content sandbox (tracked as CVE-2025-24201). Apple says the vulnerability was used in "an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2." Apple provided no further information and credited no outside researchers, which leaves no clues about where the bug was used or by whom. Reading between the lines, we can guess that this was one of the bugs used by advanced spyware operators to target specific people, so it's nice to see it squashed. Go grab your update in Settings > General > Software Update.

 
Security Skills Answer

The correct answer is C. Both A and B.

It's the "no further details" bit that seals the deal. If they explained that the breach only affected a few users, how it happened, and how you could find out if you were one of them, then you could make a judgment call about whether it was worth staying with that company. But with no more information about whether the breach is ongoing or how limited it is, you'd really have no choice but to switch to a new service and assume that every password in your vault was compromised.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

 
Next Steps

In case you missed it, be sure to check out our free class on cybersecurity for Apple enthusiasts.

Interested in using Face ID to keep your iPhone private? Check out:

 
Premium Content

If you enjoyed this newsletter, you'll love all the security content available on iPhone Life Insider!

This premium subscription includes:

  • The complete iPhone Life Privacy & Security Course for Apple Enthusiasts and other free online courses taught by expert instructors
  • In-depth guides on everything from security to iPhone photography to other Apple devices
  • Daily, bite-sized video tips on topics ranging from iCloud security to password management
  • A digital subscription to iPhone Life Magazine, where you'll find articles covering the best security gear, apps, and in-depth how-tos
  • The monthly premium iPhone Life Security Newsletter covering everything you need to know to keep your digital life secure
  • Access to the ad-free version of the iPhone Life Podcast and exclusive bonus content
  • Expert help with all your most pressing Apple Watch questions in our private Ask an Expert Facebook Group

Join the Insider community today and save 30 percent!

 

Copyright © 2024 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.
You have opted in to receive this email from iPhone Life magazine
To stop receiving these emails, you may:
Mango Life Media LLC | 402 North B Street | Fairfield, IA 52556
