Reflections on eight years of writing ~this week in security~
Hello and happy weekend! This is Zack Whittaker with your regularly scheduled but slightly different dispatch this Sunday.
This is not the usual ~this week in security~ newsletter because my partner Jordan and I are on vacation somewhere in New England, probably consuming our body weights in lobster rolls. There's still a cybercat at the end of this, so some things never change.
Instead, I wanted to say a massive thank you for your readership as next week marks eight years since this newsletter's first edition. I've published a weekly newsletter almost every Sunday since July 2018 when ~this week in security~ first launched, and it has now reached well into hundreds of email blasts to thousands of people detailing the weekly deluge of cyber news. It brings me considerable joy to curate, write, and deliver this newsletter, as much as I hope it informs and brings you a smile.
Last year, I rebooted the site to host the full back archive of newsletters as well as a blog to make ~this week in security~ a better resource for you. Having this blog allowed me to dig into some of the most pressing issues in cybersecurity and privacy throughout the year, much of it at your request as subscribers.
I couldn't have done any of this without you reading and sharing my work, reaching out with your kind words, and your backing.
To name a few highlights since the reboot:
- I dug into the legal and technical details of how Oura wearable rings expose health data to government and law enforcement demands. As one of the biggest wearable makers in the world, and soon to be going public, I looked at why Oura has a responsibility to disclose how often authorities seek to obtain a customer's sensitive information, after I confirmed that the government does seek access to Oura users' data.
- I looked at how hackers are helping real-world criminal gangs steal truck deliveries packed with stolen cargo around the world, and why your doctor's AI voice recorder is compromising your health privacy. I also drew on my years of journalism experience covering surveillance and national security in another really deep-dive post exploring some of the common but sneaky ways that governments try to get your private data, and how you can prevent it.
- Following a bruising week of headlines for Meta came one more on a Saturday morning, after a data breach notice filed in Maine revealed that the scale of Instagram account hacks affected tens of thousands of users over the course of several months in 2026. This story was cited by The New York Times, which was greatly appreciated.
- Come for the story of how I scared the crap out of a finance executive at a cocktail hour, stay for the incredibly detailed, well-researched, mega long-read on the very real cyber threat from North Korean hackers. This 15-minute read explains why everyone, from businesses to open-source developers, should be aware of the risks from these capable, long-running, and carefully planned schemes — and what to look out for so you don't end up funding the regime's nuclear weapons program.
- I wrote detailed articles on how to read and parse a data breach notice, even when they say very little, and why ad blockers are one of the best tools you can use for your online security and privacy because of the gross and intrusive ways that tech and advertising giants track you across the web. I posted about the new security risks in many new AI-enabled browsers and apps, and also dug into a rash of very convincing ClickFix scams that trick people into copying and pasting malware onto their own computers, and why these present a major and evolving threat to unsuspecting victims who have never experienced these before.
- Earlier this year I took a look at why security tools like Lockdown Mode for Apple devices are no longer an 'extreme' security protection for many Americans, as well as exploring security precautions that you can take at airports amid rising border searches and device intrusions as we cross borders. And, speaking of things crossing borders, I looked at why age verification laws spreading around the world are a major threat to the open internet, and how the spills of millions of drivers' licenses and passports online have weakened age checks, making them even less effective and increasingly pointless.
- After appearing in a documentary last year about the dangers of stalkerware, a shady and criminal industry that I've investigated throughout my career, I rounded up my thoughts about what I've learned during my investigations into this sneaky consumer-grade spyware industry. I was also thrilled to have chatted with Joseph Cox for the 404 Media Podcast about how stalkerware remains a major threat to millions of people around the world.
- I am proud to have collaborated and carried out first-of-its-kind research with DataBreaches.net, in which we surveyed over 100 journalists and researchers who work in cybersecurity to examine and investigate how legal demands and real-world threats affect them and their jobs.
- One of the best skills I've learned in my journalism career is learning how to analyze network traffic of apps and websites using tools like Burp Suite, and how these tools can be used to find bugs, data leaks, and sneaky practices. To share some of these skills, I wrote a deep-dive beginner's how-to guide on getting started with Burp Suite and others, and why this is something that anyone can (and everyone should!) learn.
- With help from pro bono attorneys at the RCFP representing me, I sued the U.S. government to release files relating to the FBI visiting my home to ask me questions about a story I wrote years ago. I took legal action to understand why the FBI sought information from me as a journalist and to fight similar spurious efforts by the government to intimidate journalists.
- And just last week, we raised $1,500 for Project Sunshine, a nonprofit that raises money for kids with medical challenges to get much-needed fun and playtime. This is a cause that means a lot to Jordan and me, and I'm so thankful for your generosity. Many of you were gifted top-tier paid subscriptions for ~this week in security~ to say thanks.
And there is so much more on the site from the past year as well.
This newsletter and blog are nothing without you, and I endeavor every week to serve you in the best way I can, featuring honest, well-researched, investigative and explanatory journalism that helps you stay ahead. And I'm looking forward to doing more this year, including with new articles, and guiding you through some of the complex matters in cyber today.
This requires a lot of work, and I'm committed to keeping the newsletter free, even though it takes time and running it is not cheap.
If you are interested in a paid subscription for additional content on the site, come on over and check it out. Consider expensing it on the corporate card! You can also drop a one-time tip, or gift a subscription to someone you know.
Thanks to readers like you, my newsletter is also powered by cyber-cats (and their friends!). Send me an email with a photo and their name and they will be featured in an upcoming newsletter. It's the much-needed salve that we all need at the end of a spicy news week.
But really — please keep your feedback coming. I love hearing from you, including your ideas for blogs, articles, even the occasional podcast (👀) and more.
~ ~
BONUS CYBER CAT
When we were last in Europe, we stopped in Lisbon to potter about for a couple of days. This is the cat who lives in the fort at the top of Castelo de São Jorge. Nobody seemed to know his name, or what he was thinking at that particular moment, but he was warm, soaking up the sun, and living his best life. And then he went phishing.

I'll be back next Sunday with your usual (I promise!) newsletter rounding up all the cyber news you need to know from the week.
Thank you for your trust in me. It means a lot and I do not take it for granted.
Have a peaceful week.
@zackwhittaker