This Week in Cyber Mayhem: A Not-So-Dead Tortoise, a Very Alive Hack, and Free Money

For the past few weeks, we’ve been keeping a close eye on DarkSword, the iOS exploit that’s easy to deploy and easy to get infected by, assuming you’re using an iPhone running an older version of iOS. Well, Apple just issued a rare patch for those older devices to close the vulnerability. The move comes not a moment too soon; this week, security researchers caught DarkSword in the wild, targeting users through a new phishing campaign. So again, update your iPhone if you haven’t already.

In less terrifying news, if you were impacted by the 2022 LastPass breach, keep an eye on your inbox. You might be entitled to part of a $24.5 million class action settlement if you used the software prior to the breach. Most people will probably get about $25, with some getting another $100 if they live in California (thanks to the state’s privacy law). It may not sound like much, but hey, it’s money you didn’t have before, right? And speaking of windfalls, class action settlements tend to bring out the scammers, so follow our tips to make sure the email and website you’re looking at are real.

This week, we also published an incredible investigation into state-sponsored hackers who are planting malware on the blockchain, lying in wait for future activation. In some cases the hackers are using the blockchain as a way to obfuscate the data they’re collecting or the origin of the malware, and in other cases they’re vying for remote, freelance development jobs to incorporate code into their targets that then fetches the malware and, predictably, steals every bit of company data it can get its hands on, including sensitive files, credentials, and more. 

Speaking of cryptocurrency, you may be relieved to know that Jonathan, the world’s oldest tortoise, is alive and well, despite rumors to the contrary. In fact, poor Jonathan ended up as the face of a crypto scam, posted to X/Twitter by a “verified” account with a blue checkmark, impersonating his caretaker and claiming the tortoise had died. Of course, the account also has a Solana-based meme coin featuring Jonathan’s face, and trading on the coin shot up as more people were duped into giving the account owner (who has since said it was just a prank, bro) money.

Now then, getting back to state-sponsored hackers, the same Iranian group responsible for a breach at a medical equipment company also managed to break into the personal Gmail account of FBI director Kash Patel. I’m sure we haven’t heard the last of whatever’s lurking in that email account. 

Last, but certainly not least, last week was the 2026 RSAC Conference. While we were there, we saw everything from how easy it is to beat the facial recognition tech that everyone from Meta to law enforcement relies on to why the future of cybersecurity may be an AI versus AI battlefield, with minimal human oversight. If you missed the highlights, check out our wrap-up from the show.

Let’s see what else is going on in the infosec sphere this week. 


I Was Paid to Write Fake Google Reviews, Then My ‘Bosses’ Tried to Scam Me

We all know that fake reviews are a problem, and they make entire platforms and products less trustworthy. But it’s rare to get a look into why those fake reviews get posted in the first place, and who actually benefits from them. Over at The Guardian, this investigation caught my eye, where financial reporter Jasper Jolly dove into the world of fake online reviews, paid for with cryptocurrency and propped up by entire businesses full of people with AI-generated profile pictures and multiple Telegram chat groups. Jolly got an inside look at how scammers conduct their business and recruit new marks to do their dirty work, posting hundreds or thousands of fake, often negative, reviews on hotel websites and others. 

In every case, when Jolly reached out to the companies reviewed, they claimed to have no idea the campaign was even happening, even though all of them were quick to praise their own measures for detecting and removing fake reviews. Even the platforms on which the scammers operate, like Telegram, rushed to explain that scammers exist everywhere and they’re doing their best to remove them. Meanwhile, the scammers go on unchecked. Perhaps worst of all, the whole fake review operation itself was a bit of a scam: The scammers promising money for fake reviews actually end up charging the reviewers real currency to get their payback in crypto, which is a pretty common money-laundering tactic. The whole story is an incredible read, and yet another reminder to take online reviews with many grains of salt when you’re shopping for anything, whether it’s a new pair of headphones or a fancy hotel for your next family vacation. If you see obviously fake reviews, report them to the FTC.


Trump’s New White House App Is a Security and Privacy Nightmare

Last week, the White House announced a new app that claims to offer “real-time” information and updates from the administration, as well as live streams. Well, it turns out that the app also collects a ton of data about the devices and people who install it, according to our sister site, Mashable. A few people tipped me off to this when the app launched, and, as with any new app, you should carefully review the permissions and data it asks for before you install it. But the White House app is on a new level, especially for a government agency (and most people already feel like the government collects too much data, anyway).  

The app demands everything from your device’s precise location and active network connections to fingerprint and biometric data. It also requests the ability to prevent a device from sleeping and to access, modify, or delete files in shared storage on your device. A lot of those things are common for invasive apps, but after decompiling the White House app, one user posted on Twitter that it requests and sends off your precise GPS data every 4.5 minutes to a third-party server, not affiliated with the government. Additionally, it appears to load embedded YouTube videos from an individual user’s GitHub account, which could end very poorly for app users if that account is ever compromised. So install with the utmost caution, or don’t install at all.


Quantum Computing May Be Closer Than It Appears

Post-quantum cryptography has been a buzz phrase in security circles for the past few years. If you follow our VPN reviews (and you should), you may have heard many providers introducing their own post-quantum technologies. It’s worth noting that most people consider quantum computing to be frontier technology, not something we’re likely to see soon. Plus, even if it becomes viable on a broader scale, quantum computers will likely be expensive and impractical for cybercriminals to use. To be fair, quantum computers do exist, but they’re used for scientific research and, of course, developing better quantum computers. But Google shocked everyone last week when it published an article suggesting that it expects quantum computing to be commonplace by 2029 and is preparing now. That alone suggests Google expects quantum computing to be close enough to move from a theoretical problem to a practical one, which means other companies will almost certainly take note and follow suit.

If you’re not familiar with quantum computing, you’re not alone; it’s not exactly headline news the way AI is. In short, quantum computers are capable of performing many, many more calculations per second than current computers. And if or when they become widely available, today’s most popular encryption algorithms, which would take decades or centuries to break using current technologies, could possibly be broken in days. This has led many companies, notably VPN providers, to strengthen the encryption algorithms they use to make them more resilient. The real threat isn’t so much someone cracking encryption in real time (although that’s an issue), it’s the potential for someone to harvest a ton of encrypted data that’s difficult to break into right now, and then, when they have access to a quantum computer later, crack it easily to harvest useful data. 

Put simply, all of this means there’s a future, perhaps closer than we thought, where hackers making off with vaults or encrypted passwords won’t be cause for relief or the assumption that the data is safe. It also means we should consider that any encrypted data that’s already been leaked may as well be in plain text. It’s a little scary, but at least security professionals are taking it seriously. 
