Updated Dec. 15 with further details of the unrequested change in iOS 26.2.

Apple released the latest iPhone update, iOS 26.2 — unprecedentedly on a Friday — and while early reports suggest it’s a stable release, it’s not without controversy. Some users are reporting that the update turns on automatic software updates without them asking for it. On the other hand, some users are finding the reverse problem. More on that later.

Apple iPhone 17 Pro

AFP via Getty Images

“At the Software Update Complete stage where you normally tap on continue to get to the Home Screen, there might be an extra little bit of information,” MacRumors reported.

ForbesiOS 18.7.3 Release Date: Mystery Of iPhone Update Still MissingBy David Phelan

“Some users are seeing a warning that future updates will be automatically downloaded and installed, with the option toggled on automatically if the Continue button is tapped. There’s a subtle ‘Only Download Automatically’ option that does not opt you into automatic updates if you’re paying attention, but it’s easy to miss,” it went on.

Many people already have automatic downloads turned on, and in that case there’s no message when the new software is installed.

Why this matters is that people might not want to download and install updates as soon as they go live, preferring to wait and see what the reactions of other users are, in case there are reports of problems arising.

If you’ve installed iOS 26, the simplest and perhaps safest action is to check. Just open Settings, go to Software Updates and you’ll see a panel marked Automatic Updates. If this says On, then at the next update, it will be downloaded and installed automatically.

Click the panel and on the next screen tap the switch marked Automatically Install. When it grays out, you’ll see an option below marked Automatically Install.

There’s another entry on the page which specifies System Settings and the words Automatically Install. Below this is an explanation: “System files improve iPhone functionality without changing the software version. iPhone may reserve storage space to ensure updates can be installed.”

You can choose whether to have this option on or off.

It’s worth saying that having automatic updates turned on doesn’t necessarily mean that your iPhone will be updated the second the software is released. It takes a little time for the update to reach you.

So, if you’re the kind of person who likes their iPhone to be updated straight away, you may find that even with the setting turned on for both download and update that you are updating manually because you’ve thought of it before the phone has got round to it.

And this is not an issue to do with the thorny issue of when you switch from iOS 18 to iOS 26: this unexpected change seems to be restricted to iOS 26. In other words, Apple has not made this change to force people to go to iOS 26. Though that doesn’t mean such a change won’t happen at a later stage.

ForbesApple iOS 26.2 New iPhone Software: Should You Upgrade?By David Phelan

FBI reveals 630 million stolen passwords.

getty

Updated December 15 with hands-on details of password manager application tools that can help check for compromised credentials following reports of a LastPass data breach caused by security failures and a no password required attack confirmed by Google, alongside the original reporting of the 630 million passwords revealed by the FBI following device seizures from a single hacker.

Just when you thought things couldn’t get any worse in terms of cybersecurity bad news this week, the FBI has revealed a staggering database of 630 million compromised passwords from multiple devices seized from a hacker. Here’s what to know and how to check if your passwords are on the danger list.

ForbesMicrosoft Worm Attack Warning — Act Rapidly And Change Passwords NowBy Davey Winder

FBI Finds 630 Million Stolen Passwords On Seized Hackers’ Devices

Troy Hunt, the creator of the ingenious Have I Been Pwned and Pwned Passwords services, has confirmed that the Federal Bureau of Investigation has handed over a staggering list of 630 million compromised passwords to add to the HIBP database of 17 billion compromised accounts. The FBI has been sending Hunt compromised passwords for four years, as uncovered during the course of cybercrime investigations, but what’s concerning and almost unbelievable in equal measure is that the latest haul is from a single hacker.

“This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect,” Hunt said, adding that ”the sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day.” To which I can only say, indeed it is.

It seems that the hacked passwords have come from open and dark web marketplaces, Telegram channels and, inevitably, infostealer attacks.

All of which means, of course, that not all of the 630 million credentials handed over to Hunt are going to be fresh to market, as it were. And, indeed, that appears to be the case following an initial HIBP team analysis: “We hadn’t seen about 7.4% of them in HIBP before,” Hunt confirmed, “which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block.”

Forbes41 Microsoft Zero-Days — Now Millions Of Users Face Update ChoiceBy Davey Winder

FBI Stolen Credentials Handover: How To Check If Your Passwords Are On The List

The good news is that all of the stolen credentials, all those compromised passwords, are now searchable from a single location, which leaves you a second or two away from discovering if any of yours are included.

Head to the Pwned Passwords service, and enter your password. Don’t worry, it’s perfectly safe and won’t put your passwords in any danger, just the opposite in fact. “No password is stored next to any personally identifiable data such as an email address,” Hunt said, “and every password is SHA-1 hashed.”

Most importantly, do it now so you can change any passwords that are already compromised before your accounts fall victim to credential-stuffing attacks. I would also recommend that you use a password manager. Oh, and enable passkeys on any accounts that support them. Then there’s the small matter of activating two-factor authentication on all your accounts as well. Stay safe, even when the FBI finds the next big stolen password haul. It’s only a matter of time.

ForbesHas Your Gmail Password Been Hacked? Check Now, Here’s HowBy Davey Winder

Don’t Ignore This FBI Discovery — Use A Password Manager Now

OK, so I’ve already said you should use a password manager, but is that safe? It’s a question I get asked all the time, especially after I have published reports about a password manager data breach, or the latest hack attacks. My answer is always the same: yes, absolutely. There is never any doubt in my mind, as an old hacker myself, and for good reason: password reuse and weak passwords make the life of a hacker so much easier. Believe me. The two are most certainly not mutually exclusive, quite the opposite, in fact. People use weak passwords because truly random, truly complex, truly strong ones are almost impossible to remember unless you are some kind of memory savant. Not totally so, of course, I know my 25+ character random master password that unlocks my password manager vault off by heart. I couldn’t actually tell you what it is without a keyboard in front of me, as it’s a muscle memory thing, at least that’s what I call it. I only need to remember the first five characters, and the rest just follow automatically. But even that password would not be considered strong in any way if I were to then refuse it across all my accounts because if one got compromised, then they all get compromised.

Using A Password Manager To Check For Compromised Credentials, From The FBI Or Not

Although I prefer standalone apps over browser-based ones, if you are a fully committed Google ecosystem user, then the chances are that you are already making use of the Google Password Manager for Chrome. This is no bad thing from the user experience perspective, and ease of use, including no interruption to your work or leisure flows is important in making better security more popular with the general public, and thankfully also opens the doors to the Google password checkup tool. This will, you’ll be glad to hear, not only check your saved passwords against any compromised credentials found in databases on the dark web and in other collections, but also go the extra mile and warn you if you are using any across multiple accounts, please don’t do that, or are weak, and so at risk from credential stuffers or brute force hack attacks.

If you are an iPhone user, however, and like the free Apple passwords app, then this will also keep an eye on your password exposure for you. The Detect Compromised Passwords feature reveals if any of your passwords have been compromised in a data leak, without disclosing your accounts or passwords to Apple. You will get a warning notification for any determined as possibly having been included in a data leak. Apple said that “your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords.”

Third-party password manager apps such as 1Password, which use the Have I Been Pwned database for compromised credential checking, also make this easy. The 1Password WatchTower feature provides a password security audit dashboard to the user in a single window. This reveals an overall password score, which you can probably ignore as these sorts of gimmicks don’t really account for much in terms of actual, actionable intelligence. Ditto the overall password strength meter, as you will already know that on an individual basis, as they are created anyway. However, the panes of the dashboard that show the numbers of, and links to more information about, compromised websites you have accounts with, reused passwords, weak passwords, unsecured websites, and inactive two-factor authentication, most certainly are.

I’m something of a Proton ecosystem fan, truth be told, and have gradually replaced Gmail with Proton Mail, other Virtual Private Network apps with the Proton VPN, Google Calendar with Proton Calendar and so on. The full Proton suite also has a password manager app called, unsurprisingly, Proton Pass. This also comes with a Pass Monitor function that includes dark web monitoring to check if your personal information has been leaked in a data breach impacting a third-party service, as well as a weak and refused passwords audit.

Ultimately, though, it relly doesn’t matter which password manager you use, provided you are using one and it is from a trusted vendor. I always recommend standalone managers and apps rather than ones that are part of a web browser, as I prefer some level of separation between the two. But something like Apple Passwords, which comes free with iOS and macOS, is just as good a recommendation as the commercial 1Password application, in my opinion. Don’t let this latest FBI warning go to waste; use it as an opportunity to up your password game, and that means setting up a password manager. It is easy and quick to do, and once done means your password usage is significantly more secure.

ForbesGoogle Confirms Critical No Password Required Attack — Act NowBy Davey Winder