Privacy

Apple login credentials were among a massive database of 184 million records found sitting unprotected on a web server. Other logins included Facebook, Google, Instagram, Microsoft, and PayPal.

The owner of the database is unclear, but the security researcher who discovered it says that it amounts to “a cybercriminal’s dream working list” …

A Coinbase hack has seen some customers tricked into sending funds to the attackers, with the company estimating that they suffered losses of somewhere between $180M and $400M.

The attackers also stole personal data, after Coinbase refused to pay a ransom demand – instead reporting the hack to law enforcement, and offering a $20M reward for information on the perpetrators …

Data brokers may be banned from selling your personal data without legitimate justification, under a new proposal by the Consumer Financial Protection Bureau (CFPB). Back in the summer it was revealed that one of these brokers was hacked, resulting in the compromise of personal data for every person in the US, UK, and Canada.

Update: With the CFPB being neutered by the Trump administration, plans for this protection have been killed. Original post follows …

Apple has updated the AppKit documentation to inform developers about a significant change coming to the macOS pasteboard, the system-level mechanism for transferring data between applications and Apple devices.

Here’s how it’s going to work:

Reddit has announced plans to fight back after a large-scale AI fraud was carried out against users of the highly popular Change My View subreddit.

However, the company’s plans to take to fight AI bots may not be popular with users, as it could compromise the platform’s long-standing approach to privacy …

If you used Siri between 2014 and 2024, and the voice assistant was ever activated by something random you said, you may be entitled to a cut of a payout from Apple.

Apple agreed back in January to settle a class action privacy lawsuit for unintended Siri activations between September 17 2014 and December 31 2024, and US residents can now register a claim …

The Android and iPhone spyware company NSO has suffered a major defeat in a US court, after a judge ruled that the company must hand over its Pegasus code to Meta.

Update: NSO was yesterday ordered to pay Meta more than $167M in damages for the attack. It’s the latest setback for the company, which has been blacklisted in the US, sued by Apple, seen victims alerted by the iPhone maker, and faced severe financial problems …

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

If you’re reading this week’s Security Bite on your desktop, look closely at your browser’s address bar. Notice how the main (root) domain is darker or black, while the rest of the URL is a lighter grey? This is not an accident — it’s actually a subtle psychological trick called salience bias. This little design choice has protected users from phishing attacks for over a decade.

Apple has notified iPhone users in 100 countries that their devices have been infected with spyware, implying that it may be NSO’s Pegasus.

The company has warned victims to take it seriously, and to immediately take a number of security actions in response. One of the recipients has shared almost the entire message, the first time I can recall seeing more than a brief excerpt …

Meta’s encrypted messaging app WhatsApp will use an approach pioneered by Apple to add AI capabilities without compromising privacy.

The company has announced that it will use tech it calls Private Processing, which appears to exactly replicate Apple’s Private Cloud Compute …

Over the weekend, a buzzy story gained traction across several publications. It seemingly started with this New York Post article. The basic message: “Apple warns users to delete Chrome from their iPhones immediately.” If true, that would indeed be huge news. But the real details are more complicated and nuanced.

WhatsApp users have expressed frustration at the fact that there is no way to remove the new Meta AI chatbot feature from the messaging app, raising concerns that the company is seeking to use their private chats to train the bot.

Meta says the AI chatbot can’t read messages unless one of the chat participants chooses to share it, but adds that the company is “listening to feedback” from users …

Federal funding has been restored for a crucial cybersecurity program used by Apple and other tech giants, in a last-minute U-turn. Security experts had described the original decision to remove funding as stupid, dangerous, and chaotic.

However, the future of the Common Vulnerabilities and Exposures (CVE) program remains uncertain, despite its role in helping tech giants identify and fix security holes found in their products …

The CVE security program used to track vulnerabilities in both hardware and software has had its federal funding removed with immediate effect. Apple is one of a number of tech giants who rely on the Common Vulnerabilities and Exposures (CVE) program to identify security flaws in their products.

Update: CVE board members have responded by announcing a new non-profit known as the CVE Foundation, intended to continue the work – more at the end …

Car rental company Hertz says that the personal data of an unspecified number of customers was stolen, and that this includes name, contact information, date of birth, credit card information, and driver’s license information.

While the company has not revealed the scale of the security breach, it appears to be a very substantial one, affecting customers in the US, Canada, UK, EU, and Australia …

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

In this week’s Security Bite, I’m taking it back over 20 years to the launch of Gmail in 2004–because that’s how long its little-known plus addressing (aliasing) feature has quietly existed. It was originally created to help with filtering and keeping inboxes tidy long before spam became what it is today. Google never really promoted it, so most people still don’t realize it’s a thing. But over the years, it’s become popular among privacy-minded folks to track which online services, subscriptions, etc., are selling email addresses to other companies or leaking them.

At least five VPN apps in the App Store were found to have links to the Chinese military, according to a new report today. Three of them have racked up more than a million downloads.

A subsidiary of one of the Chinese companies behind the apps is currently hiring for a role in “monitoring and analysing platform data,” with a familiarity with American culture listed as a job requirement …

Apple has been fined $162M by France’s competition regulator for the way App Tracking Transparency is implemented, stating that this is an abuse of the company’s powers.

This bizarre ruling follows a complaint by a group of trade associations representing advertisers who are no longer able to access user data to serve personalized ads …

The Meta AI chatbot is finally rolling out to European countries from this week, and will be accessible in Instagram, WhatsApp, Facebook, and Messenger. However, the headline feature of Ray-Ban Meta smart glasses will not be available.

The generative AI feature first launched in the US back in 2023, but privacy concerns were raised when it came to light that the company had been training it on Facebook and Instagram posts since way back in 2007 ….

Apple has been running a variety of ads over the past year pushing Safari as the privacy-friendly browser choice for iPhone, iPad, and Mac users. But in iOS 18.4 beta 1, there’s a new Safari feature that may accidentally undercut that message—despite offering solid utility.

Update 3/19/25: Added information about a change in iOS 18.4 beta 4 below.

A secret court hearing on iCloud encryption began on Friday, amid calls in both the UK and US to make the proceedings public.

The British government is demanding that Apple create backdoor access, not just for the personal data of British citizens, but for all iCloud users worldwide …