Late last week, Twitter announced that it would no longer allow users to secure their accounts using SMS-based two-factor authentication (2FA) unless users paid for its Twitter Blue subscription—a move that’s baffled security experts. It’s especially confusing because SMS 2FA is widely considered to be one of the less secure multi-factor authentication options. Fortunately, Twitter will still allow anyone to use other 2FA options, including authentication apps and physical security keys. Here’s how to switch away from SMS 2FA.

Physical security keys are one of the most secure methods of multi-factor authentication. But they’re not just for logging in to Twitter. You can also unlock your iPhone using a physical key in just a few steps. Unlocking a device isn’t the only security issue iPhone users need to worry about. Research published this week details a new class of bugs that affected Apple’s iOS and macOS that could have potentially allowed an attacker to access a target’s message, photos, and call histories. So if you haven’t updated to the latest version of those operating systems, now is the time.

If anyone knows what it’s like to be targeted by hackers, it’s Ukraine. Over the past year, the country’s systems have faced an unprecedented Russian bombardment of data-destroying “wiper” malware, according to multiple cybersecurity firms. Researchers say Russia unleashed more wipers on Ukraine than at any point in its long-running cyberwar against its neighbor. The only upside—if you can call it that—is that the newly discovered wipers are less destructive than earlier Russian wipers, especially compared to NotPetya, which Russia unleashed on Ukraine in 2017. The malware spread around the world, causing a still-unmatched $10 billion in damage.

In addition to cyberattacks, Russia’s war has also severely impacted Ukraine’s electric grid, which has caused blackouts and internet outages. To keep themselves online and connected to each other and the world, Ukrainians have increasingly turned toward high-capacity lithium-ion batteries to keep cell phone towers online when Russia attacks Ukraine’s electric grid. 

Elsewhere in the world, China hawks in the US Congress continue to gather support for a nationwide ban on TikTok, which is owned by China-based ByteDance. The intense focus on a single app, which TikTok critics claim is a national security threat, has some wondering why lawmakers care so much about Americans’ privacy when it comes to TikTok but not US-based tech firms. The answer? Silicon Valley is our friend, China isn’t.

That notion doesn’t always ring true, however. Mozilla researchers this week say they found rampant inaccuracies in the privacy claims app developers make on Google Play’s Data Safety labels. Facebook received a “poor” grade from Mozilla, while Google’s YouTube, Gmail, and Google Maps apps ranked as “needs improvement.” 

But that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Tuesday, TechCrunch reported that the US Department of Defense had secured an unprotected server that had been leaking internal US military emails to anyone who knew where to look. The server was hosted on Microsoft’s Azure and was part of an internal government mailbox system that stored terabytes of internal military emails. According to TechCrunch, a simple misconfiguration allowed anyone who knew the server’s IP address access the sensitive data using only a web browser—no password needed.

The exposed server was discovered by security researcher Anurag Sen, who provided the details to TechCrunch. The data had been exposed for two weeks, but it’s unclear if anyone other than Sen accessed it while it was available.