This Week in Cybersecurity: Signal Drama, Meta Backlash, and a Million Exposed Passports | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware


A long time ago, when I used to work as a systems analyst in an IT department, I ran into users who would complain that a tool wasn’t secure or that they had been hacked, which was usually a cover for their own poor internet hygiene. This week, we saw that in Congress, when outgoing Nebraska Republican Don Bacon claimed that Signal, the encrypted messaging app, was “insecure,” when the truth is that he got spear-phished by Russian hackers and is blaming Signal for his mistake. After all, anyone who’s worked in security knows that humans are the weakest link in the security chain.

To the company’s credit, Signal has been warning users for months about this aggressive wave of phishing attempts, especially targeting high-profile individuals and their accounts. And just to be completely clear: No, Signal and its end-to-end encryption technology have not been hacked. 

Moving on but staying in the halls of government, this week we reported that the Supreme Court ruled that the Fourth Amendment (you know, the one about your basic right to privacy) does indeed apply to your phone’s location data. That means law enforcement and other government agencies are legally obligated to specify the data they’re seeking when they request it from a service provider, to provide probable cause, and to present a warrant. It also protects your location data from unreasonable search and seizure. 

In less-good news, we reported that Meta is eliminating its “Off-Facebook Activity” privacy controls, which allowed you to stop Facebook from tracking your movements around the web, even when you’re not on Facebook or Instagram. Predictably, the changes point to another feature that doesn’t do quite the same thing, and privacy advocates worry this is another example of Meta backtracking on privacy advancements it made years ago. Remember, if you’re serious about protecting your data, your best options are to use a privacy-friendly web browser with ad-blocking and tracker-blocking (or with a browser extension that does the job), unless you delete your Meta account entirely, of course.

Finally, if you’re a fan of Apple’s Hide My Email feature, you may want to pay attention: The service is leaking real email addresses, and has been for close to a year. Apple tried to patch the issue in March of 2026, but the researcher who uncovered the vulnerability reported that real addresses are still leaking, so the company is back to the drawing board, prepping another patch “in the coming weeks.”

That’s a lot of news! Let’s see what else is going on in the infosec world.


There isn’t a lot of malware for macOS, but it definitely exists, and that’s part of the reason we pay close attention to Mac antivirus utilities. And, like every other security woe, AI is making Mac malware worse than ever. According to a report from Bleeping Computer, the developers of a new Mac malware called Gaslight packed it with fake errors and other prompt-injection strings. The tricks are designed to confuse AI-powered tools that security professionals may try to use to analyze or reverse-engineer the malware to fight it or identify its author. In short, the malware tries to trick any LLM or AI-powered tool into doubting the validity of its own session, which is why the researchers named it Gaslight. 

The fake errors are largely fabricated crash reports, developer logs, memory dumps, and other “system” messages, along with tons of other fake errors that target AI specifically, like fake expired token warnings and out-of-memory errors. All of these are meant to make any automated security tool assume there was a problem analyzing the malware or that there’s an underlying operational error on the tool’s part, forcing it to give up. The malware itself is an infostealer, designed to pilfer credentials and other sensitive information from the system it’s deployed on, and the security firm SentinelOne believes a North Korean state actor is responsible for it.


Nearly a Million Passports Left Exposed on the Web

When it comes to sensitive personal information, it doesn’t get much more sensitive than a passport. Regardless of the country, passports are legal documents that not only verify who you are but also confirm your citizenship and permission to travel freely. So when close to a million of them are leaked, it’s kind of a problem. According to reporting by The Verge, close to a million passports were publicly available on the web, without any access controls. All you had to do was know the URL and change the character string to see a different passport each time you reloaded. 

Recommended by Our Editors

Sammy Azdoufal is the security researcher who discovered the passports, and as he explained to The Verge’s Sean Hollister, if the passports were found, they would almost certainly be packaged and sold to anyone willing to buy them. They’ve since been taken offline, but there’s no way to know if someone’s harvested them while they were available, which puts the document owners at risk, since you can’t just change a passport like a breached password. He also said that if you’ve ever visited a cannabis club in Spain, your passport and photo ID are probably among the leaked files. Americans, don’t assume you’re safe: There are at least 30,000 US passports in there. 

He also explained that the clubs themselves tried to keep the data secure, but the company they trusted to provide membership and age verification, Nefos, was responsible for their security (or lack thereof).


Mullvad Founder Daniel Berntsson Is Behind a Giant Donation to Sweden’s Far-Right Party

Earlier this week, I was surprised to see people on social media talking about having to cancel their Mullvad subscriptions. The company’s approach to privacy and transparency has always been among the best in the industry, so I was worried there had been a data breach. When I dug a little deeper, I found the reason: According to Swedish magazine Flamman (article in Swedish), Daniel Berntsson, founder of Mullvad, donated the equivalent of $5 million to Sweden’s far-right Örebro party, its largest single donation and the funding for the party’s decision to run for seats in the country’s parliament.

In response, the company’s founder responded to Flamman that the donation is a personal matter that has nothing to do with Mullvad or its mission, with the company posting in response to the report that its co-owners are “evil in many issues,” but share a commitment to freedom of speech, information, and privacy. With that in mind, there’s nothing that says that the company’s executives can’t spend their money how they choose—but there’s also nothing that says that customers can’t also be aware of what their subscriptions eventually pay for, and spend their money accordingly. 

About Our Expert



——————————————————-


Click Here For The Original Source.

National Cyber Security

FREE
VIEW