Phish & Tell
Posts
PHISH & TELL 015

PHISH & TELL 015

The Cybersecurity Brief for Women Who Mean Business

Alexia Idoura
August 01, 2025

👋 WELCOME to Phish & Tell™️, from Security Done Easy™️

You’re not just building a business.
You’re building something worth protecting.

🎣 TOP CYBERSECURITY NEWS STORIES OF THE WEEK

Top stories of the week, how they are relevant to you, and what to do about them.

Public chargers can secretly steal data
Source: Hackread, “New Choicejacking Attack Steals Data from Phones via Public Chargers”
Why it matters: Researchers showed that some malicious public USB charging stations can emulate keyboards or mice and trick phones into enabling data‑transfer or developer modes. In less than a blink of an eye (around 133 milliseconds) they can start copying photos, messages or other data from phones without the owner’s knowledge. (Not the same as Juice Jacking, which involves installing malicious software on the charging station itself to steal data or install malware on connected devices, while choice jacking bypasses the user's consent for data transfer by automatically switching the device into data transfer mode.)
What to do: Avoid using public USB chargers. Instead, carry your own charger and plug directly into a wall outlet, or use a power bank. If you must use a public port, look for a cable with a data‑blocking adapter and choose “charge only” mode. There are also USB data blockers aka “USB condoms” — adapters which convert a cable to charge only, physically.
Dropbox password manager to shut down
Source: The Register, “Users left scrambling for a plan B as Dropbox drops Dropbox Passwords”
Why it matters: Dropbox announced it will discontinue its free Dropbox Passwords service. From August 28, 2025 the mobile apps will become view‑only; on September 11 they will stop working, and on October 28 all saved passwords and payment details will be deleted. Deja vu, if you read my blog article about Microsoft Authenticator dropping support for passwords earlier this week. Users will need to export or transfer their credentials before the cutoff date.
What to do: If you use Dropbox Passwords, export your logins and switch to another password manager soon. Dropbox suggested 1Password but any reputable manager will do. Make sure to use a unique, strong master password and turn on two‑factor authentication.
Vulnerability in WordPress plugin let subscribers reset admin passwords
Source: Hackread, “Post SMTP Plugin Flaw Allowed Subscribers to Take Over Admin Accounts”
Why it matters: A flaw in versions 3.2.0 and earlier of the Post SMTP plugin checked only whether a user was logged in—not their role. This allowed a low‑privilege subscriber account to view email logs, resend messages and trigger password‑reset emails for the admin account, potentially taking over the entire site.
What to do: If you run a WordPress site that uses this plugin, update to version 3.3.0 or later. Limit who can register for accounts and monitor user activity. Also, get our free Wordpress security guide for more tips.
US telecommunications insecurity report finally to be released
Source: The Register, “CISA caves to Wyden, agrees to release US telco insecurity report - but won’t say when” (“The security nerds' equivalent of the Epstein files saga”)
Why it matters: The US Cybersecurity and Infrastructure Security Agency (CISA) has agreed to release a long‑hidden unclassified report from 2022 that outlines security weaknesses in American telecom networks. Senator Ron Wyden has been blocking the nomination of a CISA director to force the release, arguing that the public has a right to know the risks to phone networks.
What to do: While waiting for the report, businesses should assume that phone and internet providers have vulnerabilities and avoid relying on SMS or voice calls as the only form of authentication. Use authenticator apps or hardware tokens for important accounts.
Luggage service’s bugs exposed travellers’ plans
Source: Cognitive Metropolis, “A Premium Luggage Service’s Web Bugs Exposed the Travel Plans of Every User—Including Diplomats”
Why it matters: Security researchers found simple web flaws in Airportr, a premium door‑to‑door luggage service used by multiple airlines. The bugs allowed anyone to reset user passwords, view passport images, addresses and boarding passes, and even redirect or steal luggage.
What to do: Be cautious when using third‑party services that handle travel documents. Use strong, unique passwords and two‑factor authentication where offered. Regularly check your airline and baggage service accounts for unusual activity. If you are an app developer, use this as a cautionary tale.

Not sure what applies to your business or what your options are? Let’s talk.

🔍 In Case You Missed It (ICYMI)

Last week’s Security Done Easy blog post: Microsoft Authenticator is Ending Password Management: What It Means, How to Export Your Data, and Why Passkeys Are the Future »
We have a new free 3-page PDF resource: How to Identify and Avoid Scams: A Simple Guide »
Follow us on LinkedIn, Facebook or Instagram.

🤖 The LOL-gorithm

🧷 THE SAFETY SNAP

Mind your tracks—privacy risks in fitness apps

Millions of women use trackers like Garmin watches and the Garmin Connect app to log workouts, but these apps collect your location, heart‑rate and route data. If you don’t adjust the defaults, your runs and rides may be shared publicly or with third parties—information that can be used for unwanted marketing or even stalking.

Why it matters – Without proper settings, anyone could see where you live, your daily exercise route and when you’re away from home, putting your personal safety at risk. Even seemingly harmless data like step counts or sleep patterns can reveal intimate details about your health.

What to do

Secure your account – Use a strong, unique password and turn on multi‑factor authentication if it’s available.
Check privacy settings – In the Garmin app and web interface, restrict visibility to “Only Me” or “Followers” and review options to hide personal information.
Limit sharing – Avoid linking your fitness accounts with third‑party apps unless absolutely necessary, and periodically review connected services.
Keep routes private – Refrain from posting maps of your runs or rides on social media. If you share workouts, hide your start and end locations to prevent revealing your home or workplace.

A few minutes spent tightening these controls can keep your fitness goals on track—without broadcasting your every move.

💬 A PERSONAL NOTE

I had a fantastic discussion with Georges Wansek’s membership at https://www.courseplatformacademy.com this week about about small businesses keeping their social media accounts protected. Thanks for having me! I also had my weekly call with my SCORE mentor and three networking calls, including one with successful Kickstarter Lisa Simone Richards at Pearl Spark Pages, who generously shared her tips with me for my coming campaign. (Check out her Female Founders Journal — I have one, it’s terrific.) I ended the week with the women at the NAWBO Empower Hour, where we talked about our progress on our 2025 goals. It has been a busy year, for sure.

(Screenshot of a video, not the actual video, so the play button won’t work.)

Now, it’s time for back to school shopping — we have less than two weeks left before they all go back, and it’ll just be me and the animals again. And yes, I talk to them. lol

👂 TELL ME

Are you finding this newsletter helpful? Do you have questions or topics you’d like me to cover? Let me know :-) [email protected]

You’re subscribed to Phish & Tell™️ because your business is worth protecting.

🩷