It’s been another week for serious hacks, including a breach at the newsletter platform Substack that exposed phone numbers and email addresses, and another at the cryptocurrency exchange Coinbase that exploited a contractor’s access to obtain data about specific users. In both cases, the companies say they have the issue resolved and have notified impacted users, but still, yikes.
In the case of Substack, the company didn’t disclose exactly how widespread the breach was or how much information was obtained (although they did say the breach occurred in October of 2025), but a note from the company’s CEO to users said that credit card, financial, and password data weren’t lost in the breach. Meanwhile, the Coinbase hack was more complicated, with the hacking group Scattered LAPSUS$ Hunters posting internal screenshots of sensitive information, including account balances and internal support tools (which have access to even more customer information), in a Telegram chat. In either case, if you have accounts with either platform, it can’t hurt to change your passwords and keep an eye on any associated accounts.
In a more niche but equally chilling attack we covered this week, the trusty utility Notepad++, an excellent replacement for Notepad in Windows that has been largely maintained by a single independent developer for years, was allegedly hijacked by state-sponsored hackers in China to target specific individuals who used the app. The developer noticed suspicious activity late last year and confirmed this week that the hackers had targeted the domain the app uses for updates, redirecting users to a malicious version instead of the real one. Interestingly, it seems the malicious update only affected a few people (since the app doesn’t automatically update, you have to ask it to), but it may have extended back as far as June 2025. It’s a terrifying example of how you don’t have to hack an app or a user; sometimes, the services in between are enough to get what you want.
Now that you’re good and terrified, let’s talk about how you can protect yourself from hacks and scams. This week we discussed why you might want to turn off Face ID on your iPhone and enable Lockdown Mode (and Advanced Protection on your Android phone) because, as a reporter for The Washington Post unfortunately found out, law enforcement can compel you to use biometrics to unlock your devices, but they cannot compel you to turn over passwords and passcodes if your devices are secured that way.
Additionally, it’s tax season (check out our favorite tax prep software), and that means scammers are crawling out of the woodwork to get their hands on your refund, or on any financial data that can be useful for identity theft. You probably knew that part, but generative AI is making those scams much easier this year, and we have seven solid tips to help you avoid getting caught by them. Last, but certainly not least, we also published an explainer on exactly what VPN audits do, who conducts them, and why you should look for them before buying a VPN subscription. Bottom line, they evaluate security and privacy, not marketing claims, so they can help determine whether a VPN is lying when they say things like they “don’t keep logs” or have “secure servers.”
Maximizing Signal Group Chat Safety
The Freedom of the Press Foundation primarily works with journalists and activists to protect their First Amendment rights and to push back against attacks on the press. They also publish some excellent cybersecurity advice that everyone can use. For example, this guide to securing Signal group chats offers great tips that anyone using the Editors’ Choice for secure messaging can use to keep their conversations secure. From limiting the size of the group chats you’re in to making sure you recognize everyone’s profile name and picture (or conceal your own if you don’t want to be identified), it’s all solid advice.
The tips go beyond simple Signal etiquette, though, and include reminders to do things like turn on Lockdown Mode on iOS or Advanced Protection on Android, as well as enable any anti-theft measures on your device, so if it’s lost or stolen, whoever has it doesn’t also have access to all of your Signal chats and contacts.
Researchers Expose Network of 150 Cloned Law Firm Websites in AI-Powered Scam Campaign
And speaking of domain squatting and scams, SecurityWeek reports that security researchers at Sygnia have uncovered a massive network of AI-powered websites run by scammers that are designed to look like professional law firms. The sites are essentially clones, built with the same tool and designed to prey on victims of fraud by tricking them into reaching out to the site’s contact information for legal support.
The victim would email a listed address or call the listed phone number (which researchers found was also used for a number of other scams dating back to 2020) and provide their personal information, hoping to get help with their case. Even worse, it’s not clear how the scammers planned to monetize their scam, since most of the sites promised that you’d only pay if your case won in court and earned you money.
The investigation started when one law firm reached out to the researchers saying that another website was essentially stealing their look and brand identity. After starting their investigation, the researchers found the site was part of a sprawling network of over 150 lookalikes, each using domain names registered through different registrars, unique security certificates, and rotating IP addresses, and all deployed behind Cloudflare, which makes taking action against the scammers even more difficult.
Digital Squatting Is Becoming a Big Problem for Brands Worldwide
You’re probably familiar with domain name squatters – people or companies that use typoed domain names or purposefully close spellings to trick unsuspecting visitors into thinking their site is affiliated with the real one, or to make money off of them by serving ads or malware. According to a new report by Decodo, one of our favorite proxy services, it’s becoming a growing problem, to the point where the World Intellectual Property Organization (WIPO) handled a record 6200 domain complaints in 2025.
While a mistyped URL is a minor irritant to most people, for major businesses, it can be a big problem when actual customers can’t find their website for whatever reason. And then there’s the matter of those domains being used by criminals to set up lookalike phishing pages, designed to harvest credentials and other data from unsuspecting users. The whole report is a little in the weeds, but it is important to realize that even small things like that can have a big impact on your security.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
