The Latest

Office work in 2026 runs through a stack of mobile apps that sit on the same phones people use for banking, messaging family, and tracking their location.

Ten of the most common workplace apps in use across U.S. companies, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, account for more than 12.5 billion downloads on Google Play. New research from Incogni, based on data pulled from the Google Play Store on March 20, 2026, finds that these apps collect an average of 19 data points each and share around 2 data types with outside parties.

[Figure: Workplace apps data collection. Source: Incogni]

Gmail leads on data collection

Gmail collects 26 distinct data types, the highest count in the study. The app gathers approximate location, app interactions, and user IDs for advertising and marketing purposes. Microsoft Teams follows with 25 data types, and Zoom Workplace collects 23. Both Teams and Zoom Workplace pull precise location data, the only two apps in the set to do so. Microsoft Outlook collects 22 data types, and Google Meet collects 21. Slack, Trello, and Todoist each collect 17 data types.

Six of the ten apps gather data for advertising or marketing: Gmail, Slack, Notion, Outlook, Todoist, and Zoom Workplace. Three of them, Slack, Todoist, and Notion, collect employee email addresses for marketing purposes.

Notion shares the most with third parties

Notion stands out for outbound data flow, sharing 8 distinct data types with third parties. The shared categories include email addresses, names, user IDs, device or other IDs, and app interactions, and several of these go to advertising partners.

Incogni researchers note that Notion’s privacy policy permits select advertising technology partners to place tracking tools on user browsers to collect behavioral data. Workspace content stored in Notion can include product roadmaps, HR notes, and client records, raising the stakes when that data reaches third parties.

In December 2024, the EU’s Data Protection Board issued an opinion raising the bar for how platforms must justify the use of personal data in AI model training under GDPR. Scrutiny has grown around how Notion AI processes workspace content through third-party model providers.

Workday lacks a deletion option

Workday is the only app in the analysis that does not allow users to request deletion of their data. The platform holds employment records, payroll details, and personal identifiers. In August 2025, Workday confirmed two related security incidents tied to its use of Salesforce as a CRM platform, with attackers obtaining business contact information including names, email addresses, and phone numbers. The breach was part of a broader social engineering campaign linked to the hacker group ShinyHunters.

A pattern of breaches across the stack

Most of the apps examined have a documented breach history. In January 2026, a security researcher discovered a publicly accessible 96-gigabyte database containing roughly 149 million login credentials, including 48 million tied to Gmail accounts. Google attributed the exposure to infostealer malware on user devices and denied any internal breach. In November 2025, Japanese media company Nikkei disclosed that attackers used malware-stolen Slack credentials to reach accounts belonging to more than 17,000 employees and business partners, exposing names, email addresses, and internal chat histories. In January 2024, scraped Trello data covering more than 15 million records appeared for sale on a hacking forum.

Zoom, Notion, and Slack have all experienced data breaches. Microsoft and Google, parent companies of several apps in the study, have each had breaches in other products. Todoist is the only app in the set with no known connection to a data breach.

iOS disclosures may tell a different story

The dataset covers Google Play listings only, leaving open the question of whether iPhone users see the same picture. Asked whether the iOS Privacy Nutrition Labels for the same ten apps would line up with the Google Play disclosures, Bogdan Popescu, Research & Communications Senior Manager at Incogni, told Help Net Security: “Yes, this research focused on Google Play apps solely. In our experience, we have compared iOS and Android apps in the past, and the privacy nutrition tends to be similar, but we haven’t applied this filter here. Independent studies comparing the disclosures for apps available on both platforms revealed notable differences in data practice disclosure in the iOS and Google Play app stores for apps that one would otherwise have expected to be identical.”

Implications for BYOD environments

Many employees install these apps on personal devices to meet employer requirements. The collected data includes contact details, financial data, and precise location, and much of it feeds into advertising ecosystems or sits within corporate systems with broad administrator access. Slack workspace owners and administrators can reach virtually all communications on the platform, including direct messages and private channels, since the service does not offer end-to-end encryption.

The combination of high-volume collection, advertising-linked use, and recurring breaches across this category gives employers and workers a concrete picture of what installing these apps puts on the line.


from Help Net Security https://ift.tt/QvsARIF

Journalists, elected officials, researchers, and political dissidents have spent years adapting their accounts to phishing-resistant authentication on consumer platforms. ChatGPT now joins that list. OpenAI has introduced Advanced Account Security, an opt-in setting that strips password-based sign-in from ChatGPT and Codex accounts and replaces it with passkeys or physical security keys.


What enrollment changes

Enrolled accounts use passkeys or hardware security keys for sign-in, with password login disabled. Email and SMS account recovery are removed, closing a path attackers commonly exploit when a victim’s phone number or inbox has been compromised. Recovery is limited to backup passkeys, security keys, and recovery keys held by the user. Once a user enrolls, OpenAI Support cannot assist with recovery, placing responsibility for backup credentials on the account holder.

Sign-in sessions are shortened to limit exposure if a device or active session is compromised. The setting covers ChatGPT and Codex under the same login, so a single enrollment carries across both products.

Conversations from accounts with the setting enabled are excluded from model training automatically. The default opt-out targets users handling sensitive personal or professional material who want assurance that their inputs stay out of training data without managing the preference manually.

Yubico partnership and FIDO support

OpenAI has partnered with Yubico to offer preferred pricing on a bundle of two YubiKeys aimed at the new security setting. The bundle includes the YubiKey C Nano, designed to remain seated in a laptop port for daily authentication, and the YubiKey C NFC for backup and cross-device use across laptops and mobile devices.

Users are free to use any FIDO-compliant security key or software-based passkeys. The setting follows the same standards already adopted by Google, Microsoft, GitHub, and other vendors that built phishing-resistant authentication around the FIDO2 and WebAuthn specifications.

Mandatory enrollment for Trusted Access for Cyber

“Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow,” OpenAI explained.



from Help Net Security https://ift.tt/wk087pq

Security researchers at Theori have disclosed a high-severity local privilege escalation (LPE) vulnerability (CVE-2026-31431) in the Linux kernel.

The flaw, nicknamed “Copy Fail”, has affected virtually every major Linux distribution shipped since 2017, and a working proof-of-concept (PoC) exploit is publicly available.

About CVE-2026-31431

According to Theori researchers, CVE-2026-31431 originates from the interaction of three reasonable kernel changes made over several years: the addition of authencesn (an AEAD cryptographic wrapper used by IPsec) in 2011, the introduction of AF_ALG AEAD socket support in 2015, and an in-place optimization added to algif_aead.c in 2017.

It’s a logic bug in the authencesn cryptographic template and allows an unprivileged local user to write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.

The technical write-up is more detailed, of course.

The good news is that CVE-2026-31431 exploitation requires local code execution as a regular user, which means that, by itself, it can’t be exploited remotely. But “chain it with anything that gives you that (web RCE landing in an unprivileged service account, an SSH foothold, a malicious PR on a CI runner) and you’re root,” the researchers pointed out.

The bad news is that unlike the Dirty Cow and Dirty Pipe Linux kernel LPE vulnerabilities, Copy Fail can be exploited without having to win a race condition, and the same exploit will work on many systems.

What to do?

CVE-2026-31431 affects every Linux distribution that uses a kernel that has been released since 2017.

The exploit script is tiny, doesn’t rely on additional software being installed, will work on almost all Linux distributions released since 2017, will work each time it’s run on a vulnerable system, doesn’t change files on disk and won’t be flagged by tools that monitor files for tampering, leaves no forensic trace on disk and, finally, it can break out of container isolation.

For all of these reasons, the researchers advise admins to prioritize patching the vulnerability on multi-tenant Linux systems, CI runners, cloud SaaS running user code, and container clusters first, and then on standard Linux servers and single-user workstations:

[Figure: CopyFail patching prioritization. Source: Theori]

The researchers verified that Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, and SUSE 16 are vulnerable. Openwall Project founder Alexander Peslyak (aka Solar Designer) confirmed that the exploit provided worked on Rocky Linux 9.7.

Linux distros have been notified of the existence of the vulnerability in advance, they say, and some have already released kernel packages that include the commit that patched it.

Admins/users who, for whatever reason, can’t update their distribution’s kernel package can temporarily mitigate the risk by:

  • Blocking AF_ALG socket creation via seccomp, or
  • Blacklisting the algif_aead module.
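
As an added illustration of the first mitigation (not code from Theori or from this article), a small C wrapper can install a seccomp filter that makes socket(AF_ALG, ...) fail before it runs a command. It assumes x86_64 or aarch64, and the names deny_af_alg and check_filter_in_child are made up for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__) /* assumption: only these two ABIs are covered */
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif

/* Deny socket(AF_ALG, ...) with EAFNOSUPPORT in this thread and its future children; 0 on success. */
int deny_af_alg(void) {
    struct sock_filter prog[] = {
        /* Other ABIs use other syscall numbers: kill instead of letting them slip past. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __x86_64__ /* x32 syscalls share AUDIT_ARCH_X86_64 but set bit 30 of nr */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
        /* The family argument is an int: compare the low 32 bits of arg 0. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EAFNOSUPPORT),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog);
}

/* Self-test in a child process: 0 means AF_ALG is denied while AF_UNIX still works. */
int check_filter_in_child(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (deny_af_alg() != 0) _exit(2);
        if (socket(AF_ALG, SOCK_SEQPACKET, 0) >= 0 || errno != EAFNOSUPPORT) _exit(3);
        _exit(socket(AF_UNIX, SOCK_STREAM, 0) >= 0 ? 0 : 4);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv) { /* ./noalg CMD [ARGS...]; no arguments runs the self-test */
    if (argc < 2) return check_filter_in_child();
    if (deny_af_alg() == 0) execvp(argv[1], &argv[1]);
    return 127; /* filter install or exec failed */
}
```

The filter only covers the process that installs it and its descendants, so it suits service wrappers and CI job launchers; it is not a host-wide control and does not replace the kernel update.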



from Help Net Security https://ift.tt/FIr7cez

We may earn a commission from links on this page. Deal pricing and availability subject to change after time of publication.

A versatile portable speaker is a great addition to your summer kit—but while lots of speakers claim to be portable, many of them are surprisingly bulky, not very durable, or deliver tinny sound. The JBL Go 4 has none of those issues. It's currently one of the best travel speakers in its price range, and right now, it's even cheaper on Amazon: At $40, it's 20% off and at its lowest price ever.

This tiny speaker is partially made with recycled materials, comes in a wide range of colors, measures just 3.7 x 3.0 x 1.7 inches, and weighs 6.7 ounces, about the same as an iPhone. It carries an IP67 rating, making it dust-proof and durable enough to be submerged in water during a beach outing or pool party.

The speaker has adjustable EQ and Auracast connectivity and a companion app for viewing the battery level, enabling PlaytimeBoost, and adjusting other settings. You can expect up to 9 hours of battery life using PlaytimeBoost. Sound quality from the 45mm driver won’t match higher-end speakers, but it delivers strong bass and clear mids when compared to similarly sized speakers, and it can get pretty loud. (Pro tip: If you want more pronounced bass, lay the speaker on its back rather than propping it upright.)

If you don’t need audiophile-quality sound but want an ultra-compact, lightweight speaker with adjustable EQ, the pocket-sized JBL Go 4 is a smart companion for all your adventures, and a great pick at its current sub-$40 price. However, if you want improved bass, longer battery life, and beefier sound (and don’t mind a slightly bigger build), the JBL Clip 5 is a great upgrade, though it’s almost double the price.


from Lifehacker https://ift.tt/vzRAEn8


The Echo Show has come a long way since its humble beginnings. The latest smart display from Amazon came out in the winter of 2025 and, for the first time, brings Fire TV integrated into the display, so you can stream your shows directly on it, as well as Alexa+ AI voice control, among other improvements. Right now, the 11-inch Echo Show 11 is $169.99 (originally $219.99) and the 8-inch Echo Show 8 is $139.99 (originally $179.99), both at their lowest prices according to price-tracking tools.

The Amazon Echo Show 11 replaced the 3rd Generation Echo Show 10. One of the obvious differences is the smaller size, but the screen is actually bigger since the bezels are much smaller, giving it a more modern look. The sound is much better as well, with forward-facing speakers and a subwoofer that can fill up a room with sound. The resolution on the display has been bumped to 1,920 by 1,200 pixels, which is better but still underwhelming considering it's not 4K. Some of the more subtle upgrades are the new support for Matter, Thread, and Zigbee, essentially covering almost every smart home device.

If you had the 3rd Gen Echo Show 10, you'll notice the physical camera shutter is gone (you can still disable the camera in settings), as well as the swivel camera feature that follows you around (it is now mounted in place). Amazon's new Alexa+ generative AI is free for Prime members; otherwise, it'll be $19.99 per month. Alexa+ can do anything you'd expect it to; it's conversational, can control your devices without needing to say the exact words in the right order, and will remember past conversations. You can check out more details on PCMag's "excellent" review.

The Echo Show 11 and 8 are the same device, even in audio; the only difference is the screen size and the price.


from Lifehacker https://ift.tt/0ScCWjR

Instagram ain't what it used to be. What started as a simple platform to share retro-inspired photos with friends and family quickly turned into a social media mega-app. You can still share photos, sure, but the platform now offers just about everything, from livestreams to short-form video feeds. In fact, for some users, the Instagram algorithm has turned their feeds into bona fide meme machines, with low-effort videos, images, and carousel posts dominating their experience as they scroll through the app. If you use Instagram, you may have a similar experience—especially if you have a taste for quirky, niche, or otherwise alternative internet humor.

Instagram is putting slop on notice

That's likely changing in the near future. As reported by TechCrunch, Instagram is cracking down on "unoriginal" content—or posts from creators that they didn't create themselves. That includes single photo posts, as well as carousel posts. The idea here is to promote Instagram users who post original content, while limiting users who simply copy other people's work and share it on their own feeds. Many of the low-quality images and videos you see on Instagram (and other social media platforms, for that matter) are stolen from other creators, and reposted as if the uploader has any claim to that content in the first place. Carousels are particularly egregious, since they allow a single user to post a number of different images from various creators.

This doesn't mean that any user who reposts something they didn't make themselves will be punished. As long as the poster made a meaningful change to that image or video, it should count as "original" content, in Instagram's book. Otherwise, there'd be a whole host of content—memes or otherwise—that would be banned from the platform. That doesn't include "low-effort edits," however, such as overlaying watermarks or adjusting the speed of the video. A user needs to make more material changes to a piece of content for it to be approved here. As Instagram explains, “an original meme transforms another creator’s photo or video...When meme creators add humor, social commentary, cultural references, or a relatable take by incorporating elements such as unique text, creative edits, and voiceover on a photo or video, they’re producing something original. The best meme creators take third-party content and make it unmistakably theirs by layering in a perspective, joke, or context that wasn’t there before. This is the kind of creativity we want to continue rewarding.”

You probably won't notice a change in AI slop, though

As TechCrunch highlights, Instagram has already applied these rules to reels, so this isn't the first time the platform has tried implementing this policy. What I find interesting, however, is there doesn't appear to be much attention to "AI slop" at this time. In fact, Meta appears to be all-in on AI content, at least as of late 2025. I guess as long as the AI content is "original," Meta doesn't have a problem with it populating on its platforms, Instagram included. That's the opposite approach YouTube is taking: While both platforms suffer from low-quality AI clips, YouTube is actually trying to fight that type of AI content from spreading.

On Instagram, however, you might see a decrease in the amount of repeated, low-effort meme posts that may be flooding your feeds, but you also might have to deal with the same amount of odd AI videos that have been spreading like wildfire. Obvious AI videos are obvious, of course, but with advancing AI video models, new clips are sometimes difficult to tell apart from reality. Be careful out there.


from Lifehacker https://ift.tt/1yv5h4n

Amazon Prime Day 2026 is sure to be the biggest online sale of the year, and it's coming a bit sooner than you may have expected. In a press release yesterday, quickly issued after the sale's timeframe was revealed in Amazon's own first-quarter earnings statement, the company confirmed this year's event will be held in June. This is the first time Amazon has moved its biggest sale of the year earlier since the height of the pandemic in 2021.

Amazon doesn't usually announce its sales months beforehand, typically waiting until at most a month out to give shoppers a heads-up on when a shopping event will take place. But after this early news drop, it's likely the other major retailers like Walmart, Target, and Best Buy will also adjust to earlier dates and follow suit, with plenty of time to prepare their own sales.

Amazon has yet to announce the exact dates of the sale, but if the 2021 sale is any indication, it will likely be sometime in the week of June 22. In 2025, Prime Day doubled from two days to four for the first time, and it will likely be four days long this year as well.

What to expect from Prime Day 2026

Amazon says shoppers will be able to find deals on electronics, kitchen, beauty, and apparel, as well as fresh groceries and everyday pantry and household essentials. The company will undoubtedly release more information about the sale "soon," and I'll be sure to update you when we know more.


from Lifehacker https://ift.tt/FgNIedu