iOS Flaw Used by the FBI, Unauthorised Access to Anthropic's Secret AI: The Week in Cybersecurity
What happened
On 22 April 2026, Apple issued an out-of-cycle emergency update (iOS 26.4.2 and iOS 18.7.8) to fix a critical vulnerability tracked as CVE-2026-28950.
The problem: when you received a message on Signal, iOS created a push notification and stored its content in an internal database. Even after deleting the message, or uninstalling Signal, that content remained in the phone's memory, sometimes for up to a month.
The FBI exploited exactly this mechanism in a recent US criminal case, recovering Signal messages a suspect had carefully deleted. The revelation, broken by 404 Media, prompted Apple's immediate response.
What this means in practice
- Signal's encryption was not compromised: the flaw is in iOS, not Signal
- Only incoming messages were recoverable, not sent ones
- The flaw required physical access to the device and professional forensic tools
- After the update, all inadvertently preserved notifications are automatically deleted
- Update your iPhone: Settings → General → Software Update, then install iOS 26.4.2 or 18.7.8
- Disable Signal notification previews: Signal → Settings → Notifications → Show → "No Name or Message"
- Both steps together give you maximum privacy protection
What happened
Anthropic, the company behind the Claude AI, opened an investigation after a small group of professional users accessed Mythos, its most advanced and ultra-confidential AI model, without authorisation.
Mythos had been launched in early April to a very limited circle of partners (Amazon, Microsoft and Apple) to test its cybersecurity capabilities before any public release. The model is described as capable of discovering security vulnerabilities at unprecedented speed and scale.
The unauthorised access occurred through the IT environment of one of Anthropic's third-party contractors. Bloomberg, which broke the story, confirmed that Anthropic is investigating a report of unauthorised access to Claude Mythos Preview via a contractor's environment.
Why this is concerning
- Mythos is designed to find security flaws; in the wrong hands, it could exploit them
- This is the third internal security incident reported at Anthropic in a month
- No customer data was compromised according to Anthropic
- The incident raises questions about third-party contractor security in the AI ecosystem
The common thread: your data is more vulnerable than you think
These two events look different on the surface, but they share the same lesson: even systems considered secure have flaws. Signal encrypts your messages, but iOS was storing them in plain text in a notification database. Anthropic secures its models, but a third-party contractor allowed unauthorised access.
The takeaway for you? Security never depends on a single link. An antivirus, a VPN, regular updates and vigilance together form a real shield.
- Update iOS immediately if you use Signal or any encrypted messaging app
- Disable notification previews on all your sensitive apps
- Be cautious with third-party AI tools: check who has access to your data
- Use a VPN on your phone to encrypt your network traffic
- Check for updates regularly: urgent security patches drop without warning