Copilot Exploit Bypasses Safeguards And Steals Data Even After You Close The Chat

As AI gets more heavily integrated into Windows, enhanced cybersecurity is required to prevent it from being used against us. Take Reprompt, for example. Reprompt is a Copilot exploit that can use multi-stage prompts to steal user data, but thankfully it’s already been patched. So as long as you haven’t already been victimized and your Windows

Flaw in 17 Google Fast Pair audio devices could let hackers eavesdrop

Now would be a good time to update all your Bluetooth audio devices. On Thursday, Wired reported on a security flaw in 17 headphone and speaker models that could allow hackers to access your devices, including their microphones. The vulnerability stems from a faulty implementation of Google’s one-tap (Fast Pair) protocol.

Security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group, who discovered the security hole, named the flaw WhisperPair. They say a hacker within Bluetooth range would only require the accessory’s (easily attainable) device model number and a few seconds.

“You’re walking down the street with your headphones on, you’re listening to some music. In less than 15 seconds, we can hijack your device,” KU Leuven researcher Sayon Duttagupta told Wired. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.” The researchers notified Google about WhisperPair in August, and the company has been working with them since then.

Fast Pair is supposed to only allow new connections while the audio device is in pairing mode. (A proper implementation of this would have prevented this flaw.) But a Google spokesperson told Engadget that the vulnerability stemmed from an improper implementation of Fast Pair by some of its hardware partners. This could then allow a hacker’s device to pair with your headphones or speaker after it’s already paired with your device.

“We appreciate collaborating with security researchers through our Vulnerability Rewards Program, which helps keep our users safe,” a Google spokesperson wrote in a statement sent to Engadget. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting. As a best security practice, we recommend users check their headphones for the latest firmware updates. We are constantly evaluating and enhancing Fast Pair and Find Hub security.”

The researchers created a video to demonstrate how the flaw works.

In an email to Engadget, Google said the steps required to access the device’s microphone or audio are complex and involve multiple stages. The attackers would also need to remain within Bluetooth range. The company added that it provided its OEM partners with recommended fixes in September. Google also updated its Validator certification tool and its certification requirements.

The researchers say that, in some cases, the risk applies even to those who don’t use Android phones. For example, if the audio accessory has never been paired with a Google account, a hacker could use WhisperPair to not only pair with the audio device but also link it to their own Google account. They could then use Google’s Find Hub tool to track the device’s (and therefore your) location.

Google said it rolled out a fix to its Find Hub network to address that particular scenario. However, the researchers told Wired that, within hours of the patch’s rollout, they found a workaround.

The 17 affected devices are made by 10 different companies, all of which received Google Fast Pair certification. They include Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google. (Google says its affected Pixel Buds are already patched and protected.) The researchers posted a search tool that lets you see if your audio accessories are vulnerable.

In a statement sent to Engadget, OnePlus said it’s investigating the issue and “will take appropriate action to protect our users’ security and privacy.” We also contacted the other accessory makers and will update this story if we hear back.

The researchers recommend updating your audio devices regularly. However, one of their concerns is that many people will never install the third-party manufacturer’s app (required for updates), leaving their devices vulnerable.

The full report from Wired has much more detail and is worth a read.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/flaw-in-17-google-fast-pair-audio-devices-could-let-hackers-eavesdrop-194613456.html?src=rss

Liquid Metal Hinge Could Make Apple’s iPhone Fold More Durable Than Rivals

Apple appears to be pulling out all the stops when it comes to the engineering effort going into its long-rumored foldable iPhone, as the company looks to breathe new life into its mobile phone lineup. The company seems to have been laser focused on making the device’s display crease-free per previous info, but according to a fresh leak, other

Spotify’s 3rd price hike in 2.5 years hints at potential new normal

After a dozen years of keeping subscription prices stable, Spotify has issued three price hikes in 2.5 years.

Spotify informed subscribers via email today that Premium monthly subscriptions would go from $12 to $13 per month as of users’ February billing date. Spotify is already advertising the higher prices to new subscribers.

Although not explicitly mentioned in Spotify’s correspondence, other plans are getting more expensive, too. Student monthly subscriptions are going from $6 to $7. Duo monthly plans, for two accounts in the same household, are going from $17 to $19, and Family plans, for up to six users, are moving from $20 to $22.


Students Increasingly Choosing Community College or Certificates Over Four-Year Degrees

DesScorp writes: CNBC reports that new data from the National Student Clearinghouse indicates that enrollment growth in four year degree programs is slowing down, while growth in two year and certification programs is accelerating: Enrollments in undergraduate certificate and associate degree programs both grew by about 2% in fall 2025, while enrollment in bachelor’s degree programs rose by less than 1%, the report found. Community colleges now enroll 752,000 students in undergraduate certificate programs — a 28% jump from just four years ago.

Overall, undergraduate enrollment growth was fueled by more students choosing to attend community college, the report found. “Community colleges led this year with a 3% increase, driven by continued rising interest in those shorter job-aligned certificate programs,” said Matthew Holsapple, the National Student Clearinghouse Research Center’s senior director of research.

For one thing, community college is significantly less expensive. At two-year public schools, tuition and fees averaged $4,150 for the 2025-2026 academic year, according to the College Board. Alternatively, at four-year public colleges, in-state tuition and fees averaged $11,950, and those costs at four-year private schools averaged $45,000. A further factor driving this new growth is that Pell Grants are now available for job-training courses like certifications.


Read more of this story at Slashdot.

Lenovo ThinkPad P1 Gen 8: A High-End, Intel + NVIDIA Mobile Workstation Great For Linux Use

For those shopping for an AI-ready mobile workstation with NVIDIA RTX PRO Blackwell graphics, the Lenovo ThinkPad P1 Gen 8 offers a lot of potential for developers, AI researchers, content creators, and others. This Linux-friendly mobile workstation is well built and aligns with ThinkPad P-Series expectations while being ready to be tasked with demanding workloads.

ChatGPT wrote “Goodnight Moon” suicide lullaby for man who later killed himself

OpenAI is once again being accused of failing to do enough to prevent ChatGPT from encouraging suicides, even after a series of safety updates were made to a controversial model, 4o, which OpenAI designed to feel like a user’s closest confidant.

It’s now been revealed that one of the most shocking ChatGPT-linked suicides happened shortly after Sam Altman claimed on X that ChatGPT 4o was safe. OpenAI had “been able to mitigate the serious mental health issues” associated with ChatGPT use, Altman claimed in October, hoping to alleviate concerns after ChatGPT became a “suicide coach” for a vulnerable teenager named Adam Raine, the family’s lawsuit said.

Altman’s post came on October 14. About two weeks later, 40-year-old Austin Gordon died by suicide between October 29 and November 2, according to a lawsuit filed by his mother, Stephanie Gray.


Amazon is making a Fallout Shelter competition reality TV show

The second season of Amazon’s excellent Fallout show is currently airing, but the company is already looking to expand its programming around the popular franchise. Prime Video has greenlit an unscripted reality show titled Fallout Shelter. It will be a ten-episode run with Studio Lambert, the team behind reality projects including Squid Game: The Challenge and The Traitors, as its primary producer. Bethesda Game Studios’ head honcho Todd Howard is attached as an executive producer.

Amazon’s description of Fallout Shelter is: “Across a series of escalating challenges, strategic dilemmas and moral crossroads, contestants must prove their ingenuity, teamwork and resilience as they compete for safety, power and ultimately a huge cash prize.”

It seems fitting that the producer is the same as Squid Game: The Challenge, where a show critiquing capitalism is turned into a competition about winning money. A reality show sounds like the sort of thing you’d find in a Fallout game side quest accompanied by pointed commentary about greed rather than an activity people of the Wasteland would take seriously. Maybe the new series will be an interesting mix of survival skills and dark humor that feels true to the Fallout ethos. But, and I say this as a big viewer of reality shows, I’m not holding my breath.

The name echoes the free-to-play mobile game Bethesda released in 2015. Fallout Shelter lets people build and improve their own Vault-Tec residence, managing the resources for a growing cadre of underground survivors. It seems pretty likely that there will be some type of tie-in between the game and the show, but any details about that might pop up closer to when the program is ready to air. It’s currently casting, and no release timeline has been shared.

This article originally appeared on Engadget at https://www.engadget.com/entertainment/tv-movies/amazon-is-making-a-fallout-shelter-competition-reality-tv-show-190151855.html?src=rss

Running Debian on the OpenWrt One (Collabora Blog)

Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware:

With openwrt-one-debian, you can now install and run a full Debian
system leveraging the OpenWrt One’s NVMe storage, enabling everything
from custom services and containers to development tools and
lightweight server workloads, all on open hardware.

This project provides a rust-based flasher to install Debian on the
OpenWrt One, opening the door to standard Debian tooling, packages,
and workflows. For developers and power users, it transforms the
OpenWrt One from a network appliance into a compact, general-purpose
Linux system.

See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich’s talk at SCALE 22x about the making of the router in March 2025.

Six months later, Trump Mobile still hasn’t delivered preordered phones

Sen. Elizabeth Warren (D-Mass.) and 10 other Democratic members of Congress today urged the Federal Trade Commission to investigate Trump Mobile’s broken promises related to Trump phone delivery dates and claims that it is “made in the USA.”

The request isn’t likely to get very far. Trump declared early in his second term that independent agencies like the FTC may no longer operate independently from the White House, and FTC Chairman Andrew Ferguson has backed Trump’s claim of authority over historically independent agencies. The Supreme Court appears likely to approve Trump’s firing of an FTC Democrat, giving him expanded power over the agency.

The letter, led by Warren and other lawmakers, was sent to Ferguson. “We write today regarding questions about false advertising and deceptive practices by Trump Mobile, and to seek information on how the Federal Trade Commission (FTC) intends to address any potential violations of consumer protection law given the inherent conflicts of interest presented by the company’s relationship to President Donald Trump,” the letter said.


Microsoft is Closing Its Employee Library and Cutting Back on Subscriptions

An anonymous reader shares a report: Microsoft’s library of books is so heavy that it once caused a campus building to sink, according to an unproven legend among employees. Now those physical books, journals, and reports, and many of Microsoft’s digital subscriptions to leading US newspapers, are disappearing in a shift described inside Microsoft as an “AI-powered learning experience.”

Microsoft started cutting back on its employee subscriptions to news and reports services in November, with some publishers receiving an automated email cancellation of a contract. […] Strategic News Service (SNS), which has provided global reports to Microsoft’s roughly 220,000 employees and executives for more than 20 years, is no longer part of Microsoft’s subscription list.


Read more of this story at Slashdot.

Are people avoiding iOS 26 because of Liquid Glass? It’s complicated.

Last week, news about the adoption rates for Apple’s iOS 26 update started making the rounds. The new update, these reports claim, was being installed at dramatically lower rates than past iOS updates. And while we can’t infer anything about why people might choose not to install iOS 26, the conclusion being jumped to is that iPhone users are simply desperate to avoid the redesigned Liquid Glass user interface.

The numbers do in fact look bad: Statcounter data for January suggests that the various versions of iOS 26 are running on just 16.6 percent of all devices, compared to around 70 percent for the various versions of iOS 18. The iOS 18.7 update alone—released at the same time as iOS 26.0 in September for people who wanted the security patches but weren’t ready to step up to a brand-new OS—appears to be running on nearly one-third of all iOS devices.

Those original reports were picked up and repeated because they tell a potentially interesting story of the “huge if true” variety: that users’ aversion to the Liquid Glass design is so intense and widely held that it’s actively keeping users away from the operating system. But after examining our own traffic numbers, as well as some technical changes made in iOS 26, it appears as though Statcounter’s data is dramatically undercounting the number of iOS 26 devices out in the wild.


Scammers Are Impersonating LinkedIn

If you receive a warning on a LinkedIn post that your account has been restricted, don’t engage with it. Scammers are using LinkedIn branding in official-looking “reply” comments to spread phishing links intended to harvest users’ login credentials.

As reported by BleepingComputer, this impersonation campaign relies on fake company pages and LinkedIn’s official link shortener to trick users into “verifying” their identities on a domain run by threat actors. Here’s what to look for.

How LinkedIn reply comment phishing works

Scammers are replying to posts on LinkedIn with messages claiming that users have in some way violated the platform’s policies. The comments include a link, which users are urged to click to prevent their accounts from being further restricted or suspended.

In some cases, the link’s preview text states “We take steps to protect your account when we detect signs of potential unauthorized access. This may include logins from unfamiliar locations or…” which may convince users to overlook the link itself, which clearly does not lead to a page on a valid LinkedIn domain. In others, the scammers have further masked the phishing site using LinkedIn’s official URL shortener, lnkd.in, which is even less likely to raise suspicion, especially if the link preview doesn’t generate on certain devices.

If you click through the link, you’ll land on a phishing page that uses LinkedIn branding and contains more information about the supposed account restriction with a button to “Verify your identity.” That leads to another page that closely spoofs LinkedIn’s standard sign-in interface and is designed to steal your credentials.

The reply comments themselves utilize LinkedIn’s logo and branding and are connected to company pages with variations on the platform’s name—“Linked Very,” for example. These are obviously fake at first glance, as they don’t have any of the robust content (such as posts, employees, or followers) you’d expect from the real LinkedIn. But users could feasibly follow the phishing link without further investigation into the commenter.

Don’t interact with urgent reply comments on LinkedIn

As always, any urgent message or comment about your account security or status, no matter how official-sounding, should raise red flags. A second look at these replies makes it clear that they are not from the real LinkedIn, which won’t send communication about account or policy violations in a public manner nor urge you to click links in comments or private messages.

AMD’s 3D V-Cache Is Such A Hit For L3 It May Stack L2 Cache On CPUs Next

AMD’s extant “X3D” processors include a feature called 3D V-Cache, which involves bonding a slab of SRAM cache to the logic die in such a way that it physically extends the L3 cache of the CPU to triple its original capacity. What if we could do the same thing for L2 cache? AMD may actually be investigating that, as one of its employees filed