Developers have a ‘clearer path’ to pursue architects who design unsafe buildings following a recent Supreme Court ruling, legal experts have warned The judgement, which interprets important elements of the Building Safety Act 2022 (BSA) and the Defective Premises Act 1972 (DPA), heightens the need for practices to hold ‘comprehensive’ professional indemnity (PI) insurance, according to top lawyers. Earlier this month (21 May) the Supreme Court ruled that BDW, the main trading arm of Barratt Developments, was able to pursue damages from structural engineering company URS for alleged negligence in provision of design services for two residential schemes. This was despite BDW undertaking remedial works on the properties voluntarily more than three years ago and no longer owning the buildings. Judges dismissed the engineering firm’s latest appeal against BDW’s right to claim for compensation on all four grounds.Advertisement Nick Stockley, partner at law firm Mayo Wynne Baxter, said: ‘This ruling creates an easier route for builders to reclaim losses that they incur for the actions of design contractors. ‘It suggests that the time-out defence is no longer a fail-safe if the genuine blame rests with a design contractor. The ruling also takes away any voluntary-decision defence that either a design contractor or architect may try to raise. ‘It means that any design contractor needs to maintain insurance that extends to their work, irrespective of when the work was carried out. ‘An architect’s work should always be covered by professional indemnity insurance but that cover will need to be more extensive. An architect should review any existing insurance policy cover in order to check that that policy extends to all work carried out by the architect.’ The two projects at the centre of the BDW claim are Capital East in London and Freemens Meadow in Leicester. Advertisement The housebuilder carried out voluntary remedial works at these properties in 2020 and 2021, despite no longer owning them, after defects were discovered that created a danger to occupants.   It claimed damages from URS but the engineering firm appealed, initially to the Court of Appeal then to the Supreme Court, arguing that a voluntary act could not lead to recoverable losses, and only claims brought by a property owner under the DPA were subject to an extended 30-year limitation period.  URS claimed that a third party could not be owed a duty under the DPA and added that a contribution for liability could only be made once a settlement was finalised.  However, the Supreme Court found in BDW’s favour, saying that URS’s interpretation of the law ‘would penalise responsible developers, such as such as BDW, who had been pro-active in investigating, identifying and remedying building safety defects’.  It said DPA would ‘better serve the policy of ensuring the safety of dwellings’ if it had a wider application, ruling that ‘BDW itself has rights under the DPA against a party primarily liable for the defects’.  It added that BDW had ‘acted responsibly’ and ‘in accordance with the government’s strong encouragement’ in carrying out remediation work at Capital East and Freemens Meadow, concluding: ‘Penalisation of [such] developers would be contrary to the purpose of the legislation’. Rob Horne, head of construction disputes for Osbourne Clarke, which represented BDW, said: ‘For residential developers there is now significantly more clarity over the full effect of the retrospective limitation period introduced by the BSA. ‘Ultimately, the aim of the BSA was to ensure that safety failures are properly addressed and that those responsible bear the costs. This case furthers that aim by ensuring that developers have a clearer path to recover funds from designers and constructors who designed and built unsafe buildings.’  Horne added: ‘The Supreme Court has commented that proactive developers who, in effect, do the right thing in effecting necessary safety works, should not be penalised by having rights of recovery barred.  ‘Such developers are able to recover the remedial costs from those most responsible for the safety defects in question.’  ‘This reading gives the Defective Premises Act far more teeth’ Julia Tobbell, partner at law firm Forsters, said the decision will be ‘a relief to proactive developers’ as, ‘although their decision to voluntarily take on repairs may be a factor in assessing reasonableness of mitigation, it does not bar them in principle from being able to recover from negligent contractors’.  She added: ‘The court also found that the duty to build homes properly under Section 1 of the PDA is not just for the benefit of the homeowner, but also the developer who procures the contractor to carry out the works.   ‘The developer can both owe a duty (to the homeowner) and be owed a duty (by the contractor); this reading gives the DPA far more teeth.’  2025-05-30 Will Ing comment and share

Cyber threats don't show up one at a time anymore. They're layered, planned, and often stay hidden until it's too late. For cybersecurity teams, the key isn't just reacting to alerts—it's spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today's complex systems, we need focused analysis—not noise. What you'll see here isn't just a list of incidents, but a clear look at where control is being gained, lost, or quietly tested. ⚡ Threat of the Week Lumma Stealer, DanaBot Operations Disrupted — A coalition of private sector companies and law enforcement agencies have taken down the infrastructure associated with Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in the development and deployment of DanaBot. The malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information. More uniquely, though, DanaBot has also been used for hacking campaigns that appear to be linked to Russian state-sponsored interests. All of that makes DanaBot a particularly clear example of how commodity malware has been repurposed by Russian state hackers for their own goals. In tandem, about 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer have been seized, alongside taking down 300 servers and neutralizing 650 domains that were used to launch ransomware attacks. The actions against international cybercrime in the past few days constituted the latest phase of Operation Endgame. Get the Guide ➝ 🔔 Top News Threat Actors Use TikTok Videos to Distribute Stealers — While ClickFix has become a popular social engineering tactic to deliver malware, threat actors have been observed using artificial intelligence (AI)-generated videos uploaded to TikTok to deceive users into running malicious commands on their systems and deploy malware like Vidar and StealC under the guise of activating pirated version of Windows, Microsoft Office, CapCut, and Spotify. "This campaign highlights how attackers are ready to weaponize whichever social media platforms are currently popular to distribute malware," Trend Micro said. APT28 Hackers Target Western Logistics and Tech Firms — Several cybersecurity and intelligence agencies from Australia, Europe, and the United States issued a joint alert warning of a state-sponsored campaign orchestrated by the Russian state-sponsored threat actor APT28 targeting Western logistics entities and technology companies since 2022. "This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors' wide scale targeting of IP cameras in Ukraine and bordering NATO nations," the agencies said. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts. Chinese Threat Actors Exploit Ivanti EPMM Flaws — The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The intrusions leverage the vulnerabilities to obtain a reverse shell and drop malicious payloads like KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization." Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. Links to these browser add-ons are hosted on specially crafted sites to which users are likely redirected to via phishing and social media posts. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Several of these extensions have been taken down by Google. CISA Warns of SaaS Providers of Attacks Targeting Cloud Environments — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors who are on the prowl for cloud applications with default configurations and elevated permissions. While the agency did not attribute the activity to a specific group, the advisory said enterprise backup platform Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said. "This provided the threat actors with unauthorized access to Commvault's customers' M365 environments that have application secrets stored by Commvault." GitLab AI Coding Assistant Flaws Could Be Used to Inject Malicious Code — Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. The attack could also leak confidential issue data, such as zero-day vulnerability details. All that's required is for the attacker to instruct the chatbot to interact with a merge request (or commit, issue, or source code) by taking advantage of the fact that GitLab Duo has extensive access to the platform. "By embedding hidden instructions in seemingly harmless project content, we were able to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," Legit Security said. One variation of the attack involved hiding a malicious instruction in an otherwise legitimate piece of source code, while another exploited Duo's parsing of markdown responses in real-time asynchronously. An attacker could leverage this behavior – that Duo begins rendering the output line by line rather than waiting until the entire response is generated and sending it all at once – to introduce malicious HTML code that can access sensitive data and exfiltrate the information to a remote server. The issues have been patched by GitLab following responsible disclosure. ‎️‍🔥 Trending CVEs Software vulnerabilities remain one of the simplest—and most effective—entry points for attackers. Each week uncovers new flaws, and even small delays in patching can escalate into serious security incidents. Staying ahead means acting fast. Below is this week's list of high-risk vulnerabilities that demand attention. Review them carefully, apply updates without delay, and close the doors before they're forced open. This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). 📰 Around the Cyber World Sandworm Drops New Wiper in Ukraine — The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it deployed the ZEROLOT wiper in Ukraine. For this, the attackers abused Active Directory Group Policy in the affected organizations," ESET Director of Threat Research, Jean-Ian Boutin, said. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. Signal Says No to Recall — Signal has released a new version of its messaging app for Windows that, by default, blocks the ability of Windows to use Recall to periodically take screenshots of the app. "Although Microsoft made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content that's displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft began officially rolling out Recall last month. Russia Introduces New Law to Track Foreigners Using Their Smartphones — The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. This includes gathering their real-time locations, fingerprint, face photograph, and residential information. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "If migrants change their actual place of residence, they will be required to inform the Ministry of Internal Affairs (MVD) within three working days." A proposed four-year trial period begins on September 1, 2025, and runs until September 1, 2029. Dutch Government Passes Law to Criminalize Cyber Espionage — The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies. Under the amended law, leaking sensitive information that is not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges. "Foreign governments are also interested in non-state-secret, sensitive information about a particular economic sector or about political decision-making," the government said. "Such information can be used to influence political processes, weaken the Dutch economy or play allies against each other. Espionage can also involve actions other than sharing information." Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. "This advancement will enable customers to commence their exploration and experimentation of PQC within their operational environments," Microsoft said. "By obtaining early access to PQC capabilities, organizations can proactively assess the compatibility, performance, and integration of these novel algorithms alongside their existing security infrastructure." New Malware DOUBLELOADER Uses ALCATRAZ for Obfuscation — The open-source obfuscator ALCATRAZ has been seen within a new generic loader dubbed DOUBLELOADER, which has been deployed alongside Rhadamanthys Stealer infections starting December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hardcoded IP address (185.147.125[.]81) stored within the binary. "Obfuscators such as ALCATRAZ end up increasing the complexity when triaging malware," Elastic Security Labs said. "Its main goal is to hinder binary analysis tools and increase the time of the reverse engineering process through different techniques; such as hiding the control flow or making decompilation hard to follow." New Formjacking Campaign Targets WooCommerce Sites — Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. The malware, per Wordfence, injects a fake but professional-looking payment form into legitimate checkout processes and exfiltrates sensitive customer data to an external server. Further analysis has revealed that the infection likely originated from a compromised WordPress admin account, which was used to inject malicious JavaScript via a Simple Custom CSS and JS plugin (or something similar) that allows administrators to add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the WooCommerce site's design and payment workflow, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware author repurposed the browser's localStorage mechanism – typically used by websites to remember user preferences – to silently store stolen data and maintain access even after page reloads or when navigating away from the checkout page." E.U. Sanctions Stark Industries — The European Union (E.U.) has announced sanctions against 21 individuals and six entities in Russia over its "destabilising actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider that has been accused of acting as "enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber attacks against the Union and third countries." The sanctions also target its CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries was previously spotlighted by independent cybersecurity journalist Brian Krebs, detailing its use in DDoS attacks in Ukraine and across Europe. In August 2024, Team Cymru said it discovered 25 Stark-assigned IP addresses used to host domains associated with FIN7 activities and that it had been working with Stark Industries for several months to identify and reduce abuse of their systems. The sanctions have also targeted Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming in Baltic states and disrupting civil aviation. The Mask APT Unmasked as Tied to the Spanish Government — The mysterious threat actor known as The Mask (aka Careto) has been identified as run by the Spanish government, according to a report published by TechCrunch, citing people who worked at Kaspersky at the time and had knowledge of the investigation. The Russian cybersecurity company first exposed the hacking group in 2014, linking it to highly sophisticated attacks since at least 2007 targeting high-profile organizations, such as governments, diplomatic entities, and research institutions. A majority of the group's attacks have targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. While Kaspersky has not publicly attributed it to a specific country, the latest revelation makes The Mask one of the few Western government hacking groups that has ever been discussed in public. This includes the Equation Group, the Lamberts (the U.S.), and Animal Farm (France). Social Engineering Scams Target Coinbase Users — Earlier this month, cryptocurrency exchange Coinbase revealed that it was the victim of a malicious attack perpetrated by unknown threat actors to breach its systems by bribing customer support agents in India and siphon funds from nearly 70,000 customers. According to Blockchain security firm SlowMist, Coinbase users have been the target of social engineering scams since the start of the year, bombarding with SMS messages claiming to be fake withdrawal requests and seeking their confirmation as part of a "sustained and organized scam campaign." The goal is to induce a false sense of urgency and trick them into calling a number, eventually convincing them to transfer the funds to a secure wallet with a seed phrase pre-generated by the attackers and ultimately drain the assets. It's assessed that the activities are primarily carried out by two groups: low-level skid attackers from the Com community and organized cybercrime groups based in India. "Using spoofed PBX phone systems, scammers impersonate Coinbase support and claim there's been 'unauthorized access' or 'suspicious withdrawals' on the user's account," SlowMist said. "They create a sense of urgency, then follow up with phishing emails or texts containing fake ticket numbers or 'recovery links.'" Delta Can Sue CrowdStrike Over July 2024 Mega Outage — Delta Air Lines, which had its systems crippled and almost 7,000 flights canceled in the wake of a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has been given the green light to pursue to its lawsuit against the cybersecurity company. A judge in the U.S. state of Georgia stating Delta can try to prove that CrowdStrike was grossly negligent by pushing a defective update to its Falcon software to customers. The update crashed 8.5 million Windows devices across the world. Crowdstrike previously claimed that the airline had rejected technical support offers both from itself and Microsoft. In a statement shared with Reuters, lawyers representing CrowdStrike said they were "confident the judge will find Delta's case has no merit, or will limit damages to the 'single-digit millions of dollars' under Georgia law." The development comes months after MGM Resorts International agreed to pay $45 million to settle multiple class-action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. Storm-1516 Uses AI-Generated Media to Spread Disinformation — The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives that undermined the European support for Ukraine by amplifying fabricated stories on X about European leaders using drugs while traveling by train to Kyiv for peace talks. One of the posts was subsequently shared by Russian state media and Maria Zakharova, a senior official in Russia's foreign ministry, as part of what has been described as a coordinated disinformation campaign by EclecticIQ. The activity is also notable for the use of synthetic content depicting French President Emmanuel Macron, U.K. Labour Party leader Keir Starmer, and German chancellor Friedrich Merz of drug possession during their return from Ukraine. "By attacking the reputation of these leaders, the campaign likely aimed to turn their own voters against them, using influence operations (IO) to reduce public support for Ukraine by discrediting the politicians who back it," the Dutch threat intelligence firm said. Turkish Users Targeted by DBatLoader — AhnLab has disclosed details of a malware campaign that's distributing a malware loader called DBatLoader (aka ModiLoader) via banking-themed banking emails, which then acts as a conduit to deliver SnakeKeylogger, an information stealer developed in .NET. "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said. SEC SIM-Swapper Sentenced to 14 Months for SEC X Account Hack — A 26-year-old Alabama man, Eric Council Jr., has been sentenced to 14 months in prison and three years of supervised release for using SIM swapping attacks to breach the U.S. Securities and Exchange Commission's (SEC) official X account in January 2024 and falsely announced that the SEC approved Bitcoin (BTC) Exchange Traded Funds (ETFs). Council Jr. (aka Ronin, Agiantschnauzer, and @EasyMunny) was arrested in October 2024 and pleaded guilty to the crime earlier this February. He has also been ordered to forfeit $50,000. According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." FBI Warns of Malicious Campaign Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) is warning of a new campaign that involves malicious actors impersonating senior U.S. federal or state government officials and their contacts to target individuals since April 2025. "The malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior US official in an effort to establish rapport before gaining access to personal accounts," the FBI said. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of transitioning to a separate messaging platform." From there, the actor may present malware or introduce hyperlinks that lead intended targets to an actor-controlled site that steals login information. DICOM Flaw Enables Attackers to Embed Malicious Code Within Medical Image Files — Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), predominant file format for medical images, that enables attackers to embed malicious code within legitimate medical image files. CVE-2019-11687 (CVSS score: 7.8), originally disclosed in 2019 by Markel Picado Ortiz, stems from a design decision that allows arbitrary content at the start of the file, otherwise called the Preamble, which enables the creation of malicious polyglots. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a much more potent threat. As mitigations, it's advised to implement a DICOM preamble whitelist. "DICOM's file structure inherently allows arbitrary bytes at the beginning of the file, where Linux and most operating systems will look for magic bytes," Praetorian researcher Ryan Hennessee said. "[The whitelist] would check a DICOM file's preamble before it is imported into the system. This would allow known good patterns, such as 'TIFF' magic bytes, or '\x00' null bytes, while files with the ELF magic bytes would be blocked." Cookie-Bite Attack Uses Chrome Extension to Steal Session Tokens — Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that employs custom-made malicious browser extensions to steal "ESTAUTH" and "ESTSAUTHPERSISTNT" cookies in Microsoft Azure Entra ID and bypass multi-factor authentication (MFA). The attack has multiple moving parts to it: A custom Chrome extension that monitors authentication events and captures cookies; a PowerShell script that automates the extension deployment and ensures persistence; an exfiltration mechanism to send the cookies to a remote collection point; and a complementary extension to inject the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from a victim's machine or buy them directly through darkness markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Authentication cookies can also be stolen using adversary-in-the-middle (AitM) phishing kits in real-time, or using rogue browser extensions that request excessive permissions to interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, or inject malicious JavaScript into active sessions to harvest real-time session cookies. "By leveraging stolen session cookies, an adversary can bypass authentication mechanisms, gaining seamless entry into cloud environments without requiring user credentials," Varonis said. "Beyond initial access, session hijacking can facilitate lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing permissions or misconfigured roles." 🎥 Cybersecurity Webinars Non-Human Identities: The AI Backdoor You're Not Watching → AI agents rely on Non-Human Identities (like service accounts and API keys) to function—but these are often left untracked and unsecured. As attackers shift focus to this hidden layer, the risk is growing fast. In this session, you'll learn how to find, secure, and monitor these identities before they're exploited. Join the webinar to understand the real risks behind AI adoption—and how to stay ahead. Inside the LOTS Playbook: How Hackers Stay Undetected → Attackers are using trusted sites to stay hidden. In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join to learn how to spot hidden threats and improve your defense. 🔧 Cybersecurity Tools ScriptSentry → It is a free tool that scans your environment for dangerous logon script misconfigurations—like plaintext credentials, insecure file/share permissions, and references to non-existent servers. These overlooked issues can enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them across large Active Directory environments. Aftermath → It is a Swift-based, open-source tool for macOS incident response. It collects forensic data—like logs, browser activity, and process info—from compromised systems, then analyzes it to build timelines and track infection paths. Deploy via MDM or run manually. Fast, lightweight, and ideal for post-incident investigation. AI Red Teaming Playground Labs → It is an open-source training suite with hands-on challenges designed to teach security professionals how to red team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injections, safety bypasses, indirect attacks, and Responsible AI failures. Built on Chat Copilot and deployable via Docker, it's a practical resource for testing and understanding real-world AI vulnerabilities. 🔒 Tip of the Week Review and Revoke Old OAuth App Permissions — They're Silent Backdoor → You've likely logged into apps using "Continue with Google," "Sign in with Microsoft," or GitHub/Twitter/Facebook logins. That's OAuth. But did you know many of those apps still have access to your data long after you stop using them? Why it matters: Even if you delete the app or forget it existed, it might still have ongoing access to your calendar, email, cloud files, or contact list — no password needed. If that third-party gets breached, your data is at risk. What to do: Go through your connected apps here: Google: myaccount.google.com/permissions Microsoft: account.live.com/consent/Manage GitHub: github.com/settings/applications Facebook: facebook.com/settings?tab=applications Revoke anything you don't actively use. It's a fast, silent cleanup — and it closes doors you didn't know were open. Conclusion Looking ahead, it's not just about tracking threats—it's about understanding what they reveal. Every tactic used, every system tested, points to deeper issues in how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper awareness and faster response loops. The takeaways from this week aren't just technical—they speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to react, but to rethink what "secure" really needs to mean in today's environment. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Users of Whoop’s fitness trackers have been reporting that their Whoop MG fitness trackers are turning unresponsive, in some cases within under an hour of setting them up. Now, the company is apparently replacing the trackers, in some cases before the users even ask, TechIssuesToday reports. Launched alongside the Whoop 5.0 earlier this month, the Whoop MG (which stands for “Medical Grade”) comes with EKG capabilities and blood pressure insights and requires a premium Whoop Life subscription that’s $359 per year. Users started reporting issues with the tracker almost immediately. On May 11th, a user reported in the Whoop community forum that their MG “stopped working overnight after working for 8 hours. No green light, no bluelight nothing. It won’t now pair with the app.” Others replied to say the tracker failed even sooner for them, with one person reporting that it went inert after just half an hour of use. Some also report that their 5.0 has failed. Whoop recommends a few troubleshooting steps — the usual things like making sure your device is charged or trying to reset it — but users in the community thread say it didn’t work. The company appears to be trying to rectify the situation by sending out replacement units, sometimes without users even asking for one, as the Reddit user who posted the screenshot above wrote further down in the thread. The same goes for a user who posted two days ago to say they got the same notification despite having not noticed any problems with their MG. Some in that thread even write that the company replaced their MGs without ever telling them it would be doing so. It’s already been a troubled launch for Whoop. Earlier this month, some users were outraged when Whoop said they would need to add another 12 months onto their memberships to avoid the upgrade fee for the Whoop 5.0. Previously, users only needed to have 6 months left on their subscription to get a Whoop 4.0. The company soon walked its new terms back, posting on Reddit that those who had at least 12 months left would be eligible for an upgrade. Whoop did not immediately respond to The Verge’s request for comment.

Health tech company Whoop is dealing with another headache this week, as some who purchased its new premium Whoop MG fitness tracker report that the device is dying almost immediately.As Tech Issues Today reports, the "medical grade" version of Whoop's newest gadgets are shutting down without warning. They "fail to display any LED lights, refuse to pair with the mobile app, and remain unresponsive even when fully charged," the site says.Some report that Whoop is sending replacement devices, though others say they got the less expensive Whoop 5.0, not the MG. "The sheer volume of complaints suggests a potentially larger quality control issue with the initial batch of 5.0 MG trackers" Tech Issues Today notes.RedditWe reached out to Whoop for comment and will update this story when we hear back.Recommended by Our EditorsThe Whoop 5.0 and Whoop MG add new features like hormone tracking for women, irregular heart activity detection, and revamped sleep tracking, alongside a bigger battery. The company offers its devices via a subscription service; users pay from $199 to $359 a year, and receive free hardware updates when new models are released. However, following the launch of its newest devices, Whoop faced accusations that it failed to honor a promise for device upgrades for those who had been members for at least six months. It required users to pay a $49 to $79 upgrade fee, or extend their subscription by 12 months, to get a newer device.Following backlash, Whoop said it would honor the free upgrade promise for those with more than a year left on their membership. Those with less than a year can extend their membership to receive an upgrade at no additional cost, or pay the one-time upgrade fee.Whoop says the blog post that promised free upgrades after six months was posted in error.

Content warning: this story includes discussion of self-harm and suicide. If you are in crisis, please call, text or chat with the Suicide and Crisis Lifeline at 988, or contact the Crisis Text Line by texting TALK to 741741.A judge in Florida just rejected a motion to dismiss a lawsuit alleging that the chatbot startup Character.AI — and its closely tied benefactor, Google — caused the death by suicide of a 14-year-old user, clearing the way for the first-of-its-kind lawsuit to move forward in court.The lawsuit, filed in October, claims that recklessly released Character.AI chatbots sexually and emotionally abused a teenage user, Sewell Setzer III, resulting in obsessive use of the platform, mental and emotional suffering, and ultimately his suicide in February 2024.In January, the defendants in the case — Character.AI, Google, and Character.AI cofounders Noam Shazeer and Daniel de Freitas — filed a motion to dismiss the case mainly on First Amendment grounds, arguing that AI-generated chatbot outputs qualify as speech, and that "allegedly harmful speech, including speech allegedly resulting in suicide," is protected under the First Amendment.But this argument didn't quite cut it, the judge ruled, at least not in this early stage. In her opinion, presiding US district judge Anne Conway said the companies failed to sufficiently show that AI-generated outputs produced by large language models (LLMs) are more than simply words — as opposed to speech, which hinges on intent.The defendants "fail to articulate," Conway wrote in her ruling, "why words strung together by an LLM are speech."The motion to dismiss did find some success, with Conway dismissing specific claims regarding the alleged "intentional infliction of emotional distress," or IIED. (It's difficult to prove IIED when the person who allegedly suffered it, in this case Setzer, is no longer alive.)Still, the ruling is a blow to the high-powered Silicon Valley defendants who had sought to have the suit tossed out entirely.Significantly, Conway's opinion allows Megan Garcia, Setzer's mother and the plaintiff in the case, to sue Character.AI, Google, Shazeer, and de Freitas on product liability grounds. Garcia and her lawyers argue that Character.AI is a product, and that it was rolled out recklessly to the public, teens included, despite known and possibly destructive risks.In the eyes of the law, tech companies generally prefer to see their creations as services, like electricity or the internet, rather than products, like cars or nonstick frying pans. Services can't be held accountable for product liability claims, including claims of negligence, but products can.In a statement, Tech Justice Law Project director and founder Meetali Jain, who's co-counsel for Garcia alongside Social Media Victims Law Center founder Matt Bergman, celebrated the ruling as a win — not just for this particular case, but for tech policy advocates writ large."With today's ruling, a federal judge recognizes a grieving mother's right to access the courts to hold powerful tech companies — and their developers — accountable for marketing a defective product that led to her child's death," said Jain."This historic ruling not only allows Megan Garcia to seek the justice her family deserves," Jain added, "but also sets a new precedent for legal accountability across the AI and tech ecosystem."Character.AI was founded by Shazeer and de Freitas in 2021; the duo had worked together on AI projects at Google, and left together to launch their own chatbot startup. Google provided Character.AI with its essential Cloud infrastructure, and in 2024 raised eyebrows when it paid Character.AI $2.7 billion to license the chatbot firm's data — and bring its cofounders, as well as 30 other Character.AI staffers, into Google's fold. Shazeer, in particular, now holds a hugely influential position at Google DeepMind, where he serves as a VP and co-lead for Google's Gemini LLM.Google did not respond to a request for comment at the time of publishing, but a spokesperson for the search giant told Reuters that Google and Character.AI are "entirely separate" and that Google "did not create, design, or manage" the Character.AI app "or any component part of it."In a statement, a spokesperson for Character.AI emphasized recent safety updates issued following the news of Garcia's lawsuit, and said it "looked forward" to its continued defense:It's long been true that the law takes time to adapt to new technology, and AI is no different. In today's order, the court made clear that it was not ready to rule on all of Character.AI 's arguments at this stage and we look forward to continuing to defend the merits of the case.We care deeply about the safety of our users and our goal is to provide a space that is engaging and safe. We have launched a number of safety features that aim to achieve that balance, including a separate version of our Large Language Model model for under-18 users, parental insights, filtered Characters, time spent notification, updated prominent disclaimers and more.Additionally, we have a number of technical protections aimed at detecting and preventing conversations about self-harm on the platform; in certain cases, that includes surfacing a specific pop-up directing users to the National Suicide and Crisis Lifeline.Any safety-focused changes, though, were made months after Setzer's death and after the eventual filing of the lawsuit, and can't apply to the court's ultimate decision in the case.Meanwhile, journalists and researchers continue to find holes in the chatbot site's upxdated safety protocols. Weeks after news of the lawsuit was announced, for example, we continued to find chatbots expressly dedicated to self-harm, grooming and pedophilia, eating disorders, and mass violence. And a team of researchers, including psychologists at Stanford, recently found that using a Character.AI voice feature called "Character Calls" effectively nukes any semblance of guardrails — and determined that no kid under 18 should be using AI companions, including Character.AI.Share This Article

A lawsuit against Google and companion chatbot service Character AI — which is accused of contributing to the death of a teenager — can move forward, ruled a Florida judge. In a decision filed today, Judge Anne Conway said that an attempted First Amendment defense wasn’t enough to get the lawsuit thrown out. Conway determined that, despite some similarities to videogames and other expressive mediums, she is “not prepared to hold that Character AI’s output is speech.”The ruling is a relatively early indicator of the kinds of treatment that AI language models could receive in court. It stems from a suit filed by the family of Sewell Setzer III, a 14-year-old who died by suicide after allegedly becoming obsessed with a chatbot that encouraged his suicidal ideation. Character AI and Google (which is closely tied to the chatbot company) argued that the service is akin to talking with a video game non-player character or joining a social network, something that would grant it the expansive legal protections that the First Amendment offers and likely dramatically lower a liability lawsuit’s chances of success. Conway, however, was skeptical.While the companies “rest their conclusion primarily on analogy” with those examples, they “do not meaningfully advance their analogies,” the judge said. The court’s decision “does not turn on whether Character AI is similar to other mediums that have received First Amendment protections; rather, the decision turns on how Character AI is similar to the other mediums” — in other words whether Character AI is similar to things like video games because it, too, communicates ideas that would count as speech. Those similarities will be debated as the case proceeds.While Google doesn’t own Character AI, it will remain a defendant in the suit thanks to its links with the company and product; the company’s founders Noam Shazeer and Daniel De Freitas, who are separately included in the suit, worked on the platform as Google employees before leaving to launch it and were later rehired there. Character AI is also facing a separate lawsuit alleging it harmed another young user’s mental health, and a handful of state lawmakers have pushed regulation for “companion chatbots” that simulate relationships with users — including one bill, the LEAD Act, that would prohibit them for children’s use in California. If passed, the rules are likely to be fought in court at least partially based on companion chatbots’ First Amendment status.This case’s outcome will depend largely on whether Character AI is legally a “product” that is harmfully defective. The ruling notes that “courts generally do not categorize ideas, images, information, words, expressions, or concepts as products,” including many conventional video games — it cites, for instance, a ruling that found Mortal Kombat’s producers couldn’t be held liable for “addicting” players and inspiring them to kill. (The Character AI suit also accuses the platform of addictive design.) Systems like Character AI, however, aren’t authored as directly as most videogame character dialogue; instead, they produce automated text that’s determined heavily by reacting to and mirroring user inputs.“These are genuinely tough issues and new ones that courts are going to have to deal with.”Conway also noted that the plaintiffs took Character AI to task for failing to confirm users’ ages and not letting users meaningfully “exclude indecent content,” among other allegedly defective features that go beyond direct interactions with the chatbots themselves.Beyond discussing the platform’s First Amendment protections, the judge allowed Setzer’s family to proceed with claims of deceptive trade practices, including that the company “misled users to believe Character AI Characters were real persons, some of which were licensed mental health professionals” and that Setzer was “aggrieved by [Character AI’s] anthropomorphic design decisions.” (Character AI bots will often describe themselves as real people in text, despite a warning to the contrary in its interface, and therapy bots are common on the platform.) She also allowed a claim that Character AI negligently violated a rule meant to prevent adults from communicating sexually with minors online, saying the complaint “highlights several interactions of a sexual nature between Sewell and Character AI Characters.” Character AI has said it’s implemented additional safeguards since Setzer’s death, including a more heavily guardrailed model for teens.Becca Branum, deputy director of the Center for Democracy and Technology’s Free Expression Project, called the judge’s First Amendment analysis “pretty thin” — though, since it’s a very preliminary decision, there’s lots of room for future debate. “If we’re thinking about the whole realm of things that could be output by AI, those types of chatbot outputs are themselves quite expressive, [and] also reflect the editorial discretion and protected expression of the model designer,” Branum told The Verge. But “in everyone’s defense, this stuff is really novel,” she added. “These are genuinely tough issues and new ones that courts are going to have to deal with.”See More:

Macworld If you’re on the hunt for an iPhone but your budget doesn’t quite stretch to Apple’s newest models, buying a used or refurbished iPhone is a great way to pick up a bargain. While this might sound like a risky option, it doesn’t have to be. Specialist retailers offer warranties and check devices before reselling them. We’ll help you find a reputable source for second-hand iPhones. Now that Apple has launched the iPhone 16 series, you can get excellent deals on older phones including the 15-, 14-, and maybe even the 13- series. (Apple still sells the standard iPhone 15 models, but has discontinued the 15 Pro and Pro Max, which means refurbished is the way to go with those models.) The older iPhone you’re prepared to buy, the bigger the savings you can enjoy. In this article, we cover everything there is to know about safely buying a refurbished iPhone, whether you’re looking to buy SIM-free or on contract. Best Refurbished iPhone deals You can save money buying the iPhone 15 from Apple’s refurbished store and from resellers such as BackMarket or Amazon Renewed. We have details of all the best resellers of refurbished iPhones below. Just be aware that the resellers can get a bit creative with the original pricing. Refurbished iPhone 15 deals U.S. Apple refurbished store: Refurbished iPhone 15, 128GB, $619 (save $110) Apple refurbished store: Refurbished iPhone 15 Plus, 128GB, $699 (save $130) Apple refurbished store: Refurbished iPhone 15 Pro, 512GB, $1,019 (save $180) Apple refurbished store: Refurbished iPhone 15 Pro Max, 512GB, $1,099 (save $200) BackMarket: Refurbished iPhone 15 Pro, 128GB, $658 BackMarket: Refurbished iPhone 15 Pro Max, 256GB, $772 Amazon Renewed: iPhone 15 Pro Max, 256GB, $749 Refurbished iPhone 15 deals U.K. Apple refurbished store: Refurbished iPhone 15, 128GB, £589 (save £110) Apple refurbished store: Refurbished iPhone 15 Plus, 128GB, £779 (save £140) Apple refurbished store: Refurbished iPhone 15 Pro, 256GB, £869 (save £150) Apple refurbished store: Refurbished iPhone 15 Pro Max, 256GB, £949 (save £170) BackMarket: Refurbished iPhone 15 Pro, 128GB, £586 BackMarket: Refurbished iPhone 15 Pro Max, 256GB, £628 Amazon Renewed: iPhone 15 Pro Max, 256GB, £730 Screenshot Older Refurbished iPhone deals U.K. In Apple’s UK refurbished store you can also get the following iPhones: iPhone 14-series, iPhone 13 series, including: Apple refurbished store: Refurbished iPhone 13 mini, 512GB, £639 (save £340) Apple refurbished store: Refurbished iPhone 14 Pro, 256GB, £759 (save £240) You can find more deals on specific iPhone handsets in our iPhone deals round ups: iPhone 16 deals U.S. / iPhone 16 deals U.K. – for the best prices on Apple’s newest series of iPhones. iPhone 15 deals U.S. / iPhone 15 deals U.K. – including deals on iPhone 15 Pro and Pro Max which Apple no longer sells. iPhone 14 deals – including refurbished deals. iPhone 13 deals – including refurbished deals. Best place to buy a refurbished iPhone Apple itself should be your first port of call, if only to establish a benchmark of what is reasonable to pay for your chosen handset: check to see if the Apple Refurbished Store has the iPhone model you’re looking for. (That’s the U.S. store. British readers should try the U.K. Apple Refurbished Store.) At time of writing Apple is selling refurbished models of the iPhone 15, 15 Plus, 15 Pro and 15 Pro Max. Apple’s refurbished store tends to be the most expensive place to buy refurbished iPhones–although it’s still significantly cheaper than buying new. (The standard reduction on the Apple Refurbished Store is 15 percent.) But there are advantages that come with this higher price. The refurb phones all come with the same one-year limited warranty that you’ll find on the brand-new versions, for example. And it’s worth noting that any parts used in the refurb will be official Apple ones, and all devices come with brand-new batteries. It’s worth shopping around, however, to make sure you’re getting a good deal. There are plenty of other companies that make a living from refurbishing and selling iPhones. Here are some of the more prominent resellers of refurbished and used iPhones: Refurbished iPhone sellers in the U.S. Back Market: You get 30 days to change your mind and a 12-month warranty… or occasionally more. Decluttr: A popular destination for refurbished devices, often with sales that slash even more money off. You can also trade in any of your old tech, gadgets, and media (including books and CDs) to get steeper discounts. The iOutlet on eBay: Offers competitive pricing for refurbished devices and also accepts other gadgets such as iPads, Apple Watches, and gaming consoles.  Amazon Renewed Store: This site’s greatest benefit is that purchases are all backed by Amazon’s standard returns policy and its “Renewed Guarantee” lets you get a refund or replacement within 1 year of receiving your product. Best Buy: Best Buy doesn’t offer a great deal of information on pre-owned iPhones’ condition, but you can return within 14 days if the item is “unopened or defective in any way.” Walmart: Walmart doesn’t sell refurbished iPhones directly; rather, they are sourced from other sellers. Return policies vary from seller to seller, but there are minimum requirements that apply universally. Refurbished iPhone sellers in the U.K. Back Market: You get 30 days to change your mind and a 12-month warranty… or occasionally more. Music Magpie: The UK version of Decluttr and a good place to start looking for refurbished iPhones. You may find that sales reduce the price still further. Hoxton Macs: Don’t let the Mac in the name fool you. Hoxton Macs has started selling refurbished iPhones. Reboxed: Pledges that devices “are fully tested and in perfect working order.” All come with a 12-month no quibble warranty. The iOutlet or The iOutlet on eBay: Offers competitive pricing for refurbished devices and also accepts other gadgets such as iPads, Apple Watches, and gaming consoles.  Amazon Renewed Store: While you can’t really sell on Amazon Renewed unless you’re a business, those looking to buy a refurbished iPhone Amazon Renewed have plenty of options to choose from. Its greatest benefit is that purchases are all backed by Amazon’s standard returns policy and its “Renewed Guarantee” lets you get a refund or replacement within 1 year of receiving your product. Envirofone: Also allows you to trade in your old phone for credit towards purchasing a refurbished phone. 4Gadgets: Offers a 12-month warranty for all online orders. Smartfone Store: Look out for the additional 10 percent discount for students and young people. Refurb-Phone: Like most refurb sellers, this site offers a 12-month warranty. Less commonplace is its policy of allowing returns within 14 days if you simply change your mind. The Big Phone Store: Says it ensures refurb phones “are thoroughly tested, repaired, and cleaned before being sent out.” Backs this with a 12-month warranty. Laptops Direct: You get a 12-month warranty on parts and labor. Watch out for slightly confusing grading system: “A3,” for example, means “Average condition.” Where to buy a refurbished iPhone on contract You can pick up refurbished phones on contract as well from the following carriers and resellers: US carriers Verizon AT&T T-Mobile UK carriers GiffGaff Mobiles.co.uk O2 Like New Vodafone Carphone Warehouse Fonehouse  Outside of specialist retailers, there’s also eBay and eBay UK (just be sure to check the seller’s feedback and read the descriptions carefully), and, in the UK, CeX. Buying older iPhones new on contract Another way to dampen the financial impact of buying a new iPhone is to go down the tried and tested route of contracts offered by mobile providers. You’ll find older iPhone models in the online stores of many networks. Prices change all the time, so we’d recommend reading our Best iPhone deals guide on a regular basis to see which offers are currently available. Should I buy a refurbished iPhone? What is refurbished? You might be concerned about buying a refurbished handset, thinking that it would be like buying a second-hand iPhone, but there’s no reason to be worried. Remember: refurbished and second-hard aren’t the same thing. Refurbished iPhones are pre-owned but are wiped, tested, and repaired to work like new.  The iPhones Apple sells in the Refurbished Store were returned to Apple for a variety of reasons: The previous owner could have exercised their consumer rights and returned the handset unused within 14 days (as per Apple’s refund and exchange policy). The iPhone may have been used as a demonstration model. The iPhone may have been returned to Apple due to a fault. The third point on that list may concern you, but you can be sure that Apple will have identified and fixed any faults before reselling the device. The company says refurbished products undergo “full functional testing” and are provided with “genuine Apple part replacements (if necessary).” They also get “a thorough cleaning,” incidentally. There are plenty of benefits to buying a refurbished iPhone: You get a one-year warranty. You get 90 days of tech support. Because you’re buying from Apple directly, there are no shipping costs and free returns. You can also take advantage of Apple’s 14-day returns policy if you change your mind. (Note however that Apple isn’t the only seller to offer such a policy.) Refurbished vs second-hand: What’s the difference? If it’s not already clear, a refurbished iPhone is tested and repaired so the handset works like new (or as close to new as possible). A second-hand iPhone, on the other hand, is simply sold as is, which means the device may not last as long, and may have small imperfections or defects. The battery in particular will be a worry in the long term. There are other risks to buying second-hand too. If the previous owner hasn’t dissociated their Apple ID from the device you may get permanently locked out of the iPhone. Unfortunately, Apple’s customer service wouldn’t be able to help you unlock the phone either, as the company has strict security policies. Such a situation would be less of a concern if you know and can easily contact the previous owner (and they remember their Apple ID details), but we’d prefer avoiding such complications to start with. This is just another reason why buying refurbished is a more reliable route to go if you did want to pick up a previously owned iPhone. What does refurbished Grade A mean? When you shop refurbished you might see grade scores such as A, B, or C; this indicates the condition of the phone. Is it dinged up? Does it have scratches? Or is it completely blemish-free and pristine? The grade gives you a general idea. We say “general” because these grades aren’t set by an independent body, which means they can vary from retailer to retailer. This is how the grades usually break down: Grade A: Looks like new or has very few signs of wear Grade B: Might have some minor scratches and some wear Grade C: Looks used and has obvious signs of wear But some sites go with Fair, Good, and Excellent or some other variation. (One site we’ve visited appears to grade everything as A plus a number–so a comparatively poor handset would be rated as A3. This may strike some readers as a little confusing.) Needless to say, Grade A/A1/Excellent refurbished devices will be more expensive than Grade C, but you’ll still be paying far less than you would for a brand-new device.  Pay attention to refurbished warranties  Given that the quality of refurbished iPhone devices can vary from retailer to retailer, it’s important to pay attention to the warranty. How long is the phone covered? The warranty allows you to get help or free repairs from the seller if you run into any issues after purchase. Retailers typically offer a year, and many allow “quibble-free” returns if you change your mind within 14 days. Check the fine print. More refurbished Apple guides Should I buy a refurbished Apple Watch? Why you should buy a refurbished Mac Should I buy a refurbished iPad & best deals Where to buy a refurbished MacBook or Mac