Apple Patches iOS Notification Bug That Exposed Deleted Messages

Apple has rolled out an urgent security update to address a troubling flaw in its Notification Services. Tracked as CVE-2026-28950, the iOS notification bug allowed deleted alerts to linger on devices, potentially leaking sensitive message content to anyone with access to the phone.

The issue, resolved in iOS 26.4.2 and iPadOS 26.4.2, stems from a logging error. Notifications marked for deletion were not properly cleared, meaning that even after a user removed a message or an app, the notification data remained cached in system storage. Apple stated that improved data redaction now prevents this persistence, but did not confirm whether the flaw was actively exploited or how long the retained data could have been accessed.

How the Notification Bug Exposed Deleted Messages

The update follows reports from 404 Media, which revealed that forensic investigators could recover deleted Signal messages from an iPhone by simply accessing stored notification data—not the app itself. Even after uninstalling Signal, the message content remained available because notifications had been cached at the system level.

Although Apple did not directly reference that case, its advisory mirrors the same behavior. The company has not explained why notification content was retained or when the issue was first introduced. This highlights a critical privacy gap: even encrypted apps like Signal can be undermined by system-level features that store notification previews.

Signal welcomed the fix. “We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue,” the company said in a post on X. “It takes an ecosystem to preserve the fundamental human right to private communication.”

Who Is Affected by the iOS Notification Bug?

The vulnerability impacts a wide range of Apple devices, including iPhone 11 and later models, as well as various iPads. Apple has also backported patches to iOS 18.7.8 and iPadOS 18.7.8 for older supported devices.

If you own an iPhone or iPad running an affected version, your notification history may have been storing deleted messages without your knowledge. This is especially risky for users of sensitive apps like Signal or WhatsApp, where message previews could reveal private conversations.

Steps to Protect Your Privacy

To reduce the risk of future exposure, take these precautions immediately:

• Update your device: Install iOS 26.4.2 or iPadOS 26.4.2 without delay.
• Change notification previews: Go to Settings > Notifications > Show Previews and select “Name Only” or “Never” to hide message content.
• Review app settings: Disable notification previews for sensitive apps like messaging or banking tools.
• Check for older patches: If you use an older device, ensure you’ve installed iOS 18.7.8 or iPadOS 18.7.8.

For a deeper look at mobile data exposure risks, read our analysis on how 92% of mobile apps use insecure cryptographic methods.

Why This iOS Notification Bug Matters for Privacy

This incident underscores a fundamental truth: encryption alone is not enough. The Electronic Frontier Foundation has previously warned that notifications can expose metadata or unencrypted content depending on how they are implemented. Even when apps use end-to-end encryption, system-level features like notification caching can create backdoors for data recovery.

Apple’s quick response is laudable, but the fact that the bug went unnoticed for so long raises questions about testing and transparency. Users should not have to worry that deleting a message or app still leaves traces in notification logs.

As a result, this update serves as a reminder to regularly review your device’s notification settings. For more tips on securing your digital life, check out our guide on essential iPhone privacy settings.

Building on this, the broader industry must consider how operating systems handle notification data. Apple’s fix is a step forward, but it also highlights the need for clearer policies on data retention and user control.

Ultimately, the iOS notification bug was a wake-up call. Update your device now, and stay vigilant about what your phone remembers long after you think it’s forgotten.

Google Cloud Says No to Specialized Cybersecurity AI: General Models Like Gemini Are Enough

Google Cloud has made it clear: it will not develop a separate, cybersecurity-focused frontier AI model. Instead, the tech giant is betting on its general-purpose Gemini models to handle security tasks. This stance, revealed at Google Cloud Next 26, marks a significant departure from the approach taken by rivals like Anthropic and OpenAI.

Why Google Is Avoiding a Cybersecurity-Specific AI Model

Speaking at the event, Francis DeSouza, COO of Google Cloud, explained the company’s reasoning. He noted that earlier predictions suggested the need for many domain-specific models. However, the reality has shifted. “What we found over time was that the core model was doing really well and that it started to get good across all domains,” DeSouza said.

He highlighted that Gemini already excels at tasks like coding, eliminating the need for a specialized coding model. The same logic applies to cybersecurity. “We are finding that inside our security too, that models themselves are getting better and better. I believe that Gemini is a terrific model for our security. You shouldn’t expect to see a cyber version that’s different,” he added.

This means that enterprises should not wait for a niche AI tool. Instead, they should integrate strong general models into their security workflows, train them with context, and wrap them with access controls. DeSouza emphasized that the practical path forward involves combining a high-quality generalist model with the right tooling and governance.

How General-Purpose Gemini Models Can Meet Cybersecurity Needs

Google plans to combine the latest Gemini versions with agent and platform capabilities to meet cyber defense needs. The company believes that feeding organization-specific context into a strong general model produces better outcomes. Yinon Costica, co-founder and VP of product at Wiz (now part of Google Cloud), supported this view. “Cyber defenders possess richer, more organization-specific context than attackers,” he said. Feeding that context into a strong general model, he argued, leads to superior defensive results.

For businesses, this approach simplifies AI adoption. Instead of managing multiple specialized models, they can rely on one powerful system. Google recommends embedding Gemini into automated detection, triage, and response pipelines. This integration allows the AI to learn from internal data and adapt to unique threats.

Comparing Google’s Strategy to Anthropic and OpenAI

Google’s strategy contrasts sharply with its competitors. Anthropic recently unveiled Project Glasswing, a cybersecurity-focused initiative built around its Claude Mythos frontier model. This model is fine-tuned for vulnerability detection, incident response, and adversarial reasoning. Anthropic argues that cybersecurity’s unique challenges—such as real-time attack pattern recognition and compliance nuance—benefit from targeted enhancements.

Interestingly, Google is part of this effort. Claude Mythos is available to select Google Cloud customers on Vertex AI as part of Project Glasswing. This partnership suggests that while Google prefers general models, it is not entirely closing the door on specialized solutions.

Meanwhile, OpenAI has launched GPT-5.4-Cyber, a variant tailored for defensive use cases. It also expanded its Trusted Access Cyber (TAC) program, which provides enterprises with curated datasets, red-teaming tools, and governance frameworks. This move signals a belief that domain-specific tuning is necessary for optimal security performance.

What This Means for Enterprise Cybersecurity

For enterprises, Google’s approach offers a simpler, more unified path. Instead of juggling multiple AI models for different tasks, they can invest in one robust system. This can reduce costs and complexity. However, it also requires a strong internal data strategy. Organizations must be prepared to feed the model with relevant context and enforce strict access controls.

Building on this, Google’s strategy emphasizes the importance of governance. The company argues that the model itself is only part of the solution. Proper tooling, human oversight, and integration with existing security infrastructure are equally critical.

As the AI landscape evolves, the debate between general and specialized models will continue. For now, Google is betting that its general-purpose Gemini models can handle the most demanding cybersecurity tasks. Only time will tell if this bet pays off.

To learn more about integrating AI into your security operations, check out our guide on AI security workflows and explore Google Cloud security tools.

Hackers Deface School Login Pages After Alleged Second Instructure Breach

Just days after education technology giant Instructure disclosed a major data breach, a cybercrime group appears to have struck again. This time, hackers defaced the login pages of several schools using the company’s Canvas platform, escalating their extortion campaign. The Instructure data breach initially exposed student names, personal emails, and teacher-student messages. Now, the situation has taken a more visible turn.

How the Canvas Login Defacement Unfolded

On Tuesday, TechCrunch observed that the cybercrime group ShinyHunters had altered the Canvas login pages of three separate schools. The hackers injected an HTML file that replaced the normal login screens with a threatening message. This message warned that stolen data would be published on May 12 unless Instructure agreed to a settlement.

At the time of writing, Instructure’s website appeared partially offline, sometimes returning a “too many requests” error. The Canvas portal displayed a notice about scheduled maintenance. However, this disruption was likely a direct result of the hack.

The Message Behind the Defacement

The defaced pages served as a public shaming tactic. ShinyHunters aims to pressure Instructure into paying a ransom. By compromising login pages—which students and teachers use daily—the hackers amplified their demands. This move follows the same financially motivated playbook the group has used against countless victims over the last couple of years.

Instructure’s Response to the Canvas Security Incident

Instructure spokesperson Brian Watkins confirmed to TechCrunch that the company discovered hackers had changed some customers’ login pages. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Watkins said. The company linked the defacement to an issue with its Free-For-Teacher accounts, leading to a temporary shutdown of that service.

Watkins also stated that the same hackers responsible for the original breach were behind this second attack. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” he added. The company has since restored full functionality.

Escalating Pressure: How ShinyHunters Is Targeting Schools

This apparent second hack indicates that ShinyHunters is ramping up pressure on Instructure and its customers. The group originally claimed responsibility for the first breach, publicizing stolen data on its leak site to extort a payment. Now, by defacing login pages and notifying TechCrunch, the hackers hope to force a quicker capitulation.

It remains unclear how the hackers compromised the login pages. When asked, a ShinyHunters member told TechCrunch they couldn’t comment on specifics but described this as a separate breach. The original Instructure data breach allegedly affected nearly 9,000 schools worldwide, with stolen files containing information on 231 million people.

What This Means for Schools and Students

For schools using Canvas, this incident highlights the risks of relying on third-party platforms for sensitive data. Administrators should review their security protocols and consider additional safeguards. Schools can take proactive steps to protect student information, such as enabling multi-factor authentication and monitoring login activity.

Building on this, parents and students should remain vigilant. If you suspect your data was compromised, change passwords immediately and monitor for phishing attempts. Learn how to respond to a data breach effectively.

The Bigger Picture: Education Tech Under Siege

ShinyHunters has compromised countless victims over the last couple of years, following the same financially motivated playbook: hack, publicize, and extort. This Instructure data breach is part of a broader trend targeting education technology. As schools increasingly rely on digital platforms, they become attractive targets for cybercriminals seeking large datasets.

Therefore, the education sector must invest in stronger cybersecurity measures. Educators can adopt simple strategies to reduce risk, including regular security audits and employee training. The question remains: will Instructure negotiate, or will the hackers follow through on their threat to release data?

For now, the company has restored Canvas access, but the breach underscores the ongoing vulnerability of educational systems. Students and teachers alike should stay informed and take precautions.