TikTok is setting itself apart from most other online platforms that offer messaging by stating that it won’t be introducing end-to-end encryption to ensure the privacy of direct messages.
This means that the company will be able to read messages sent between users, which is likely to cause concerns even after its US operations were separated from its Chinese owner …
You may recall that way back in 2017, the WPA2 encryption standard used by most Wi-Fi routers at the time was cracked and had to be replaced with a new version, WPA3. Now a new attack method dubbed AirSnitch means that Wi-Fi encryption on most networks can be bypassed in order to access all of the traffic passing through the router.
Almost all routers are vulnerable, so there are three steps you should take in order to protect yourself, with the greatest risk occurring through use of public Wi-Fi hotspots …
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
Much like the infamously useless “close door” button in an elevator, reporting spam on an iPhone or Mac often feels like a placebo. This skepticism isn’t exclusive to Apple either. There is widespread distrust of reporting features in general. The issue largely stems from a lack of transparency. Because users rarely see a noticeable decline in junk mail after hitting “report,” many assume the button does nothing and eventually stop using it altogether.
While Apple does provide a great support document for how to make reports, it doesn’t explain exactly what it does with these reports to improve its security prowess. Allow me to shed some light here…
An unsecured database that likely contains tens of millions of unique Social Security numbers, alongside email addresses and passwords, has been discovered by security researchers.
While the database appears to have been collated from a number of separate data breaches over approximately a decade, the researchers explain why even very old personal data remains a live threat …
Badged versions of TP-Link routers are supplied to US customers by more than 300 ISPs, making them the most widely used Wi-Fi routers in the country, found in millions of US homes.
It therefore caused grave concern when security researchers at Microsoft found that a hacking group based in China was using vulnerabilities in the devices to carry out cyber attacks in the US. It had been widely expected that the routers would be banned from sale in the US, but politics seemingly intervened. However, the battle is not yet over …
Apple’s latest wave of software updates is lighter than usual on new features, but heavy on bug fixes and security updates, with 35+ security fixes included in iOS 26.3 and more.
Both the founders of WhatsApp and current owner Meta state that the app uses end-to-end encryption, meaning that nobody outside the chat can access the content. A lawsuit claims that this isn’t true and that anyone inside Meta can get full access to all of the messages sent or received by any WhatsApp user.
Johns Hopkins University professor and cryptographer Matthew Green has weighed in with a blog post analyzing the claims and likely reality …
The Electronic Frontier Foundation (EFF) is out with a new campaign that presses tech companies to move faster to protect user data through end-to-end encryption, and stronger defaults and privacy settings. Here are the details.
A database containing 149 million account logins has been found sitting unsecured on a cloud service. The records include 900,000 usernames and passwords for Apple accounts.
It was discovered by the same security researcher who found a similar database of 184 million records last year …
An effort led by security research lab CovertLabs is actively uncovering troves of (mostly) AI-related App Store apps that leak and expose user data, including names, emails, and chat history. Here are the details.
Talk of the largest grocer in the world not supporting Apple Pay or any Tap to Pay solution for that matter is making the rounds on social media again, as 9to5Mac noted yesterday. It is worth mentioning that there are real security benefits behind this technology. While the vast majority of users choose tapping for payment because it is quick and easy, there is a lot happening behind the scenes to keep your information private.
If you’ve received an Instagram password reset email, claiming that you requested it, you should ignore it.
Malwarebytes reports that cybercriminals stole Instagram account details for 17.5 million users, but the social network claims that there was no security breach …
Apple is fighting many elements of a list of 83 security requirements proposed by the Indian government. This reportedly includes a requirement to hand over iOS source code.
Reuters reports the government saying that it must be able to review the source code of all smartphones in order to allow vulnerabilities to be identified …
Mosyle, a popular Apple device management and security firm, has exclusively shared details with 9to5Mac on a previously unknown macOS malware campaign. While crypto miners on macOS aren’t anything new, the discovery appears to be the first Mac malware sample uncovered in the wild that contains code from generative AI models—officially confirming what was inevitable.
At the time of discovery, Mosyle’s security research team says the threat was undetected by all major antivirus engines. This comes nearly a year after Moonlock Lab warned about chatter on dark web forums indicating how large language models were being used to write malware targeting macOS.
If you’re running the iOS 26.3 beta, Apple has just released a new security update you can install. But there’s a catch: rather than including fixes, the update is simply testing out a new system. Here are the details. [Updated 1/8 with second release details]
We’ve recently seen how ChatGPT was used to trick Mac users into installing MacStealer, and now a different tactic has been found to persuade users to install a version of MacSync Stealer.
The Mac remains a relatively difficult target for attackers thanks to Apple’s protections against the installation of malware. However, Mac malware is on the increase, and two tactics recently discovered by security researchers highlight the creative approaches some attackers are using …
Earlier today, Apple rolled out updates for iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. Now, the company has released the security content for each system update. Here are the details.
Security researchers have found that attackers are using ChatGPT to trick Mac users into pasting a command line into Terminal which installs malware. Specifically, it installs MacStealer, which allows the attacker to obtain iCloud passwords, files, and credit card details.
The attack targeted people who were searching Google for instructions on how to free up some disk space on a Mac …
The saga of a mandatory government security app which Apple and Google had to preinstall on their phones didn’t last long after Apple refused to play ball.
The Indian government had already backed down on preventing iPhone owners from deleting the “security” app, and has now made a complete U-turn in the space of just 48 hours …
The Indian government has ordered Apple and other smartphone manufacturers to pre-install a state-owned “security” app on all phones before they are sold to users. Update: As we predicted, Apple has pushed back, but more aggressively by stating outright that it will not comply.
Adding fuel to the privacy fire, the government is also requiring smartphone makers to ensure that the app cannot be removed by users …
If you receive a notification from ChatGPT provider OpenAI that one of its partners has suffered a data breach, it’s likely that your own data is safe. Only those who have an API account may have been affected.
The company says it is being transparent by notifying all subscribers, even though only a small subset of them will have been impacted …
Two websites intended to help software developers format and structure their code have exposed thousands of login credentials, authentication keys, and other highly sensitive information.
Cybersecurity researchers found that this sensitive data belonged to organizations in many high-risk sectors like government, banking, and healthcare …
Hackers have obtained customer data from a third-party company used by major Wall Street banks, including JPMorgan Chase and Citi. The disclosure comes just days after a Doordash data breach exposed names, addresses, phone numbers, and more.
SitusAMC helps banks process mortgage applications and other real estate loans, and says that accounting records and legal agreements have been impacted by the hack …
A Doordash data breach has exposed the personal data of an unspecified number of customers, including name, phone number, email address, and physical address.
The food delivery company says that it has implemented a number of security measures in response, including reporting the attack to law enforcement …