<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The Proton Blog</title><description>News from the front lines of privacy and security</description><link>https://proton.me/</link><language>en</language><feed_url>https://proton.me/feed</feed_url><item><title>If you don’t control your data, who does? A European strategist explains</title><link>https://proton.me/business/blog/data-sovereignty-for-european-businesses</link><guid isPermaLink="true">https://proton.me/business/blog/data-sovereignty-for-european-businesses</guid><description>Austrian data strategist Fritz Fahringer explains how European businesses can reclaim data sovereignty with everyday tools.</description><pubDate>Fri, 15 May 2026 17:00:06 GMT</pubDate><content:encoded>
&lt;p&gt;&lt;strong&gt;“What’s the problem?”&lt;/strong&gt;&lt;/p&gt;



&lt;p&gt;That was the response Austrian data strategist Fritz Fahringer got from an employee at a major US tech company when he raised concerns about companies using private emails to train AI systems.&lt;/p&gt;



&lt;p&gt;The exchange stayed with him. It reinforced something he had already seen firsthand: In parts of the global tech ecosystem, access to customer data is more than a technical capability. It’s a business model. &lt;/p&gt;



&lt;p&gt;To Fahringer, that represents a growing breach of trust between technology providers and the organizations that depend on them.&lt;/p&gt;



&lt;p&gt;Fahringer, who previously led the development of &lt;a href=&quot;https://www.datahub.tirol/news&amp;amp;remotepageid=34808&quot;&gt;datahub.tirol&lt;/a&gt;, one of Europe&amp;#8217;s first trust-based regional data spaces, has spent years designing secure data-sharing systems and digital infrastructure for businesses and public institutions.&lt;/p&gt;



&lt;p&gt;He saw firsthand how uncertainty over who can access, control, or benefit from data has held organizations back. It has slowed innovation, increased risk, and made leaders hesitant to adopt new technologies.&lt;/p&gt;



&lt;p&gt;Fahringer isn’t alone in questioning these assumptions. For many European organizations, the possibility that providers may access, analyze, or monetize sensitive information is becoming &lt;a href=&quot;https://proton.me/business/europe-tech-watch&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/europe-tech-watch&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;a practical business risk&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Could a provider process or transfer data in a way that conflicts with &lt;a href=&quot;https://proton.me/business/gdpr&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/gdpr&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;GDPR&lt;/a&gt; or local regulations, leaving the company using the tool still responsible? Could sensitive customer data, product plans, or negotiations be exposed, accessed internally by the provider, or used in unintended ways? Could their data be used to &lt;a href=&quot;https://proton.me/blog/ai-gdpr&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/ai-gdpr&quot;&gt;train models&lt;/a&gt; or improve services that ultimately benefit the provider or even competitors?&lt;/p&gt;



&lt;p&gt;These are the concerns that bring businesses to VALTYROL, Fahringer&amp;#8217;s business that is singularly focused on helping decision-makers take a more intentional approach to how their data is handled.&lt;/p&gt;



&lt;p&gt;In this conversation, we speak to him about how breaking away from &lt;a href=&quot;https://proton.me/blog/data-sovereignty&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/data-sovereignty&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;inherited tech dependencies&lt;/a&gt; — and owning the systems your data flows through — often begins with everyday tools like email and meetings.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;Let’s start with the fundamentals. Why should companies question who they depend on to run their technology?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Because those decisions have long-term consequences. If you rely heavily on providers whose priorities or legal environments you don’t control, you can gradually lose strategic flexibility and visibility over how your data is used.&lt;/p&gt;



&lt;p&gt;In the past, it was sometimes difficult to explain why sovereignty matters. Many people didn’t really think about where their data was stored or who ultimately had access to it.&lt;/p&gt;



&lt;p&gt;But in the age of AI — and also with the current geopolitical tensions — people are starting to understand that data is a strategic resource. If your data is stored and processed by companies outside your jurisdiction, you lose a certain level of control over how it can be used.&lt;/p&gt;



&lt;p&gt;That’s why many organizations in Europe are beginning to &lt;a href=&quot;https://proton.me/blog/european-alternative-us-tech-survey&quot; type=&quot;link&quot; id=&quot;https://proton.me/blog/european-alternative-us-tech-survey&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;rethink their dependencies&lt;/a&gt;. They want to understand who operates their infrastructure and what happens to their data.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What’s stopping businesses from breaking away from default reliance on global technology providers?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;When I started my own company, I wanted to do things differently from the beginning.&lt;/p&gt;



&lt;p&gt;My digital tools were scattered across many providers — Gmail, different cloud services, a VPN from another company. Most of them were based in the United States.&lt;/p&gt;



&lt;p&gt;I decided to move everything into a more sovereign setup. I switched my &lt;a href=&quot;https://proton.me/business/mail&quot;&gt;email&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;password manager&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/vpn&quot;&gt;VPN&lt;/a&gt;, and &lt;a href=&quot;https://proton.me/business/drive&quot;&gt;cloud storage&lt;/a&gt; to Proton.&lt;/p&gt;



&lt;p&gt;It was important for me to bring everything together in &lt;a href=&quot;https://proton.me/business/blog/proton-workspace&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/blog/proton-workspace&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;one ecosystem&lt;/a&gt; that aligns with the values I talk about professionally.&lt;/p&gt;



&lt;p&gt;But I know this well: Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.&lt;/p&gt;



&lt;p&gt;Sovereignty has to happen &lt;a href=&quot;https://proton.me/business/blog/cybersecurity-for-startups&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/blog/cybersecurity-for-startups&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;step by step&lt;/a&gt;. Some of the easiest places to start are communication tools — email, meetings, and collaboration platforms. These are areas where companies can &lt;a href=&quot;https://proton.me/business/blog/tech-investment-not-cost&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;adopt more sovereign solutions&lt;/a&gt; without rebuilding their entire IT architecture.&lt;/p&gt;



&lt;p&gt;Over time, those decisions add up to a more independent and resilient digital infrastructure.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;Why are tools like private email, VPNs, and secure meetings important for businesses today?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Businesses shouldn’t have to choose between usability and privacy.&lt;/p&gt;



&lt;p&gt;A lot of work today happens outside the office — on trains, in cafés, or while traveling. In those situations, you’re often connecting through public networks, so using a VPN is a simple way to protect your connection.&lt;/p&gt;



&lt;p&gt;But communication tools are just as important. Email and video meetings are where a lot of sensitive information is exchanged.&lt;/p&gt;



&lt;p&gt;When you look at the common meeting tools, each one comes with a trade-off. Zoom has limitations on free calls. Microsoft Teams can be difficult to use. Google Meet works well, but then your data sits inside Google’s ecosystem.&lt;/p&gt;



&lt;p&gt;So in many cases you’re choosing between different disadvantages.&lt;/p&gt;



&lt;p&gt;What I liked about Proton Meet is that it removes that trade-off. It’s simple to use, and at the same time it respects privacy. For me, that combination is very important.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What made Proton stand out compared to the tools you were using before?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;What stood out to me was that Proton offers a complete ecosystem.&lt;/p&gt;



&lt;p&gt;With many services, you get only one piece — maybe email, or maybe storage — and everything else comes from another provider. Over time you end up with a fragmented setup.&lt;/p&gt;



&lt;p&gt;Proton offered email, Drive, VPN, password management, and other tools within the same privacy-focused system. For a small business, that combination is very powerful.&lt;/p&gt;



&lt;p&gt;It allowed me to move away from a patchwork of different services and consolidate everything under a provider that prioritizes privacy.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;How do clients or partners react when they see that you’re using Proton?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Often people notice the Proton email address and ask about it.&lt;/p&gt;



&lt;p&gt;They say something like, “Oh, you really take this seriously.”&lt;/p&gt;



&lt;p&gt;For me, it’s not about selling Proton or convincing people to switch. But it shows that I try to live by the principles I talk about — especially around data sovereignty. When people see my Proton email, they realize I take sovereignty seriously.&lt;/p&gt;



&lt;p&gt;It becomes a signal that these values are not just theoretical.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;&lt;strong&gt;What advice would you give to European businesses that want to take more control over their data?&lt;/strong&gt;&lt;/h3&gt;



&lt;p&gt;Moving your entire IT infrastructure at once is very difficult. Most companies have built their systems over many years.&lt;/p&gt;



&lt;p&gt;But sovereignty can happen step by step.&lt;/p&gt;



&lt;p&gt;Many European businesses are curious about AI, but at the same time they are cautious about how their data is used. &lt;/p&gt;



&lt;p&gt;When data goes into &lt;a href=&quot;https://proton.me/business/europe-tech-watch&quot; type=&quot;link&quot; id=&quot;https://proton.me/business/europe-tech-watch&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;large platforms outside Europe&lt;/a&gt;, companies often feel that they lose control over it. They worry that the data could be used to train models, generate value somewhere else, or even benefit competitors.&lt;/p&gt;



&lt;p&gt;One practical approach is to start building a more sovereign stack over time. For example, I combine regional providers with European privacy-focused tools. My website is hosted with an Austrian provider that I can reach and trust locally, while Proton provides the communication infrastructure — email, storage, meetings, and VPN.&lt;/p&gt;



&lt;p&gt;This kind of setup allows companies to keep more control over their data while still using modern digital tools.&lt;/p&gt;



&lt;p&gt;You don’t have to change everything overnight. But each step toward more trusted infrastructure helps build a more independent and resilient digital environment.&lt;/p&gt;
</content:encoded><category>For business</category><category>Opinion</category><author>Alanna Alexander</author></item><item><title>How to build a security awareness program in your organization</title><link>https://proton.me/business/blog/security-awareness-training</link><guid isPermaLink="true">https://proton.me/business/blog/security-awareness-training</guid><description>Build a security awareness training program that reduces human risk through continuous reinforcement, role-specific guidance, and stronger credential practices.</description><pubDate>Fri, 15 May 2026 15:16:02 GMT</pubDate><content:encoded>
&lt;p&gt;Most organizations understand that people play a major role in cyber risk. Far fewer have built a security awareness training program that genuinely changes behavior.&lt;/p&gt;



&lt;p&gt;Human-related security risk is rarely one dramatic incident. Realistically, it appears in ordinary moments: an employee clicks a convincing &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing&lt;/a&gt; email, reuses a password across business tools, shares a login in a chat, or ignores a &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) request because it feels like an interruption rather than a protective step.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Over time, those everyday decisions determine the organization’s exposure. In the UK, the broader threat picture makes that impossible to treat as a minor issue. The UK government’s report &lt;em&gt;Cyber Security Breaches Survey 2025&lt;/em&gt; found that half of businesses suffered a cyber security incident or breach in the previous 12 months, and phishing remained the most common type of cyber crime among affected businesses. &lt;/p&gt;



&lt;p&gt;For HR leaders, CISOs, COOs, IT managers and security teams, that makes security awareness training much more than just a compliance exercise. It’s how businesses reduce preventable risk. The challenge is that many programs are still built around just completing exercises rather than actually changing behavior. Team members watch an annual video, tick a box, and return to the same habits that created the risk in the first place.&lt;/p&gt;



&lt;p&gt;A more effective approach treats awareness as part of workplace culture. It’s reinforced over time, shaped by role, backed by usable policies, and supported by tools that make the secure choice easier to follow.&lt;/p&gt;



&lt;p&gt;We’ll explain what an effective security awareness program actually looks like, why so many organizations get it wrong, and how to build one that improves day-to-day behavior rather than simply documenting that training happened.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why security awareness training fails in most organizations&lt;/h2&gt;



&lt;p&gt;Security awareness training often fails because it is treated as an &lt;strong&gt;event&lt;/strong&gt;, instead of as a &lt;strong&gt;system&lt;/strong&gt;. In many organizations, the program consists of an annual compliance module, a short quiz, and little else. Staff are expected to absorb generic advice once a year and then apply it consistently across hundreds of real-world workflows, tools, and decisions. This just isn’t enough to change behavior in a lasting way.&lt;/p&gt;



&lt;p&gt;The problem is not that awareness training lacks value. It is that many programs are outdated or too detached from how people actually work. They rely on abstract reminders, while the real risks appear in inboxes, shared drives, password resets, urgent requests from managers, and day-to-day access decisions. If the training does not emulate what people actually see or do every day, they’re unlikely to retain or apply it.&lt;/p&gt;



&lt;p&gt;Training programs should include induction and refresher training for all staff on data protection and information governance, while awareness raising should use regular communication methods to keep information governance, data protection, and information security visible over time. That points to a continuous model rather than a single annual intervention.&lt;/p&gt;



&lt;p&gt;Another reason programs fail is that they focus too narrowly on what employees should not do, while ignoring the root cause of bad habits. Telling staff not to reuse passwords helps in theory, but it does little if the business has not given them a secure, practical way to create, store, and share credentials. Telling them how to spot phishing is useful, but less effective if reporting suspicious messages is unclear or cumbersome.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What a real security awareness program looks like&lt;/h2&gt;



&lt;p&gt;A real security awareness program is not something employees complete once and forget. It is an ongoing set of habits, expectations, and safeguards that helps people make better security decisions over time.&lt;/p&gt;



&lt;p&gt;This begins with continuity. Use training resources designed to complement existing policies and procedures. They should cover practical areas such as &lt;a href=&quot;https://proton.me/blog/create-remember-strong-passwords&quot;&gt;strong passwords&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/blog/byod-policy&quot;&gt;BYOD best practices&lt;/a&gt;, &lt;a href=&quot;https://proton.me/business/blog/phishing-awareness-training&quot;&gt;phishing&lt;/a&gt;, and &lt;a href=&quot;https://proton.me/business/blog/incident-response&quot;&gt;incident reporting&lt;/a&gt;. That mix is useful because effective awareness does not stop at one topic. It should reflect the full set of routine actions that shape security in real workplaces.&lt;/p&gt;



&lt;p&gt;But continuity alone is not enough. The program also needs to reflect the real differences in how teams encounter risk.&lt;/p&gt;



&lt;p&gt;An effective program also needs to be role-specific. A finance team member handling payment requests does not face the same day-to-day risk as a marketing manager sharing social accounts, or an HR lead managing employee records. Generic advice has its place, but it works better when followed by training tailored to the systems, data, and attack patterns most relevant to each group.&lt;/p&gt;



&lt;p&gt;The next component is practice. Employees do not develop better judgement only by reading rules. They improve through repeated exposure to realistic scenarios: phishing simulations, reporting exercises, access reviews, and short reminders tied to actual tools or workflows. Simulated attacks are particularly useful because they test whether the program is affecting behavior in the moments that matter, rather than only in a quiz environment.&lt;/p&gt;



&lt;p&gt;Clear security and password policies are just as important. Staff need to know how credentials should be created, stored, shared, and removed when no longer needed, how suspicious messages should be reported, when 2FA is required, and what to do if they think they have made a mistake.&lt;/p&gt;



&lt;p&gt;Finally, a real program treats security as a shared workplace norm rather than a specialized IT concern. That means managers reinforce it, leaders model it, and teams talk about it as part of how the organization operates day to day. Building that kind of culture takes more than a policy document, but it is one of the strongest ways to reduce repeated human error over time.&lt;/p&gt;



&lt;p&gt;Proton’s guide on &lt;a href=&quot;https://proton.me/blog/small-business-cyber-security-culture-workplace&quot;&gt;small business cyber security culture in the workplace&lt;/a&gt; is helpful here because it frames awareness not as a fear-based campaign, but as part of how a business works every day.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why phishing and credential abuse belong at the center of the program&lt;/h2&gt;



&lt;p&gt;If a security awareness program tries to cover everything equally, it can lose focus. Most organizations are better served by starting with the risks most likely to produce real damage.&lt;/p&gt;



&lt;p&gt;Phishing belongs near the top of that list. The UK government’s report &lt;a href=&quot;https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025&quot;&gt;&lt;em&gt;Cyber Security Breaches Survey 2025&lt;/em&gt;&lt;/a&gt; found that phishing remained the most prevalent type of attack vector among businesses that experienced cyber crime, affecting 93% of those businesses. That reflects a wider reality across UK businesses, where phishing remains one of the most common attack methods.&lt;/p&gt;



&lt;p&gt;Phishing rarely ends with the message itself. In many organizations, the real damage begins once stolen credentials are used to access accounts, exploit password reuse, move into other systems, or take advantage of shared logins that were never tightly controlled.&lt;/p&gt;



&lt;p&gt;Businesses need to use a layered approach. It needs to be harder for attackers to reach users and easier for users to identify and report suspected phishing messages. This protects organizations from the effects of undetected phishing emails and helps them respond quickly to incidents.&lt;/p&gt;



&lt;p&gt;A strong security awareness program should reflect that same logic. Employees need to be able to recognize suspicious behavior, but they also need the surrounding controls that reduce the impact of one mistake.&lt;/p&gt;



&lt;p&gt;That is where credential hygiene becomes central. Training staff to avoid weak or reused passwords is useful, but it becomes much more effective when supported by tools that reduce reliance on memory and make secure credential use easier in practice. We also cover this broader preventive mindset in our guide to &lt;a href=&quot;https://proton.me/blog/data-breach-prevention-for-businesses&quot;&gt;data breach prevention for businesses&lt;/a&gt;, which emphasizes the role of practical controls in reducing avoidable exposure.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The role of tooling in reducing human risk&lt;/h2&gt;



&lt;p&gt;Security awareness is only part of the picture. People are far more likely to follow secure practices when those practices fit naturally into the way they work. If the safest option is also the easiest one to use, adoption is much more consistent. If it feels slow, awkward, or hard to use, even well-intentioned employees will start looking for shortcuts.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/how-do-password-managers-work&quot;&gt;Password management&lt;/a&gt; is one of the clearest examples. Organizations often tell staff to create strong, unique passwords, use 2FA, and avoid sharing. But unless employees are given a practical way to do that, the instruction remains aspirational. They fall back on memorable, easy passwords, browser storage, spreadsheets, notes apps, or messaging tools because those options feel faster in the moment.&lt;/p&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; helps close that gap. Proton Pass for Business is designed to make secure password creation, storage, and sharing easier across teams, while also giving organizations stronger control over credential practices. These capabilities help employees create and autofill strong, unique passwords, use 2FA across accounts, and protect stored credentials with &lt;a href=&quot;https://proton.me/security/end-to-end-encryption&quot;&gt;end-to-end encryption&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;That does not replace security awareness training. It reinforces it by making secure behavior easier to follow. Instead of asking staff to remember dozens of complex password rules, you give them a system that supports the behavior you want. That makes good security practice easier to sustain and policy enforcement more achievable.&lt;/p&gt;



&lt;p&gt;The same applies to incident reporting, access control, and onboarding. In these areas, tools are often necessary to give employees a clear process to follow and to give the organization consistent oversight and control. Tooling cannot replace judgement, but it can make secure actions easier, faster, and more consistent in everyday work.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;A practical 6-step framework for launching or improving your security awareness program&lt;/h2&gt;



&lt;p&gt;A security awareness program works best when it is designed as an operating rhythm rather than a single campaign. The framework below can help you get started.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 1: Define the specific behaviors you want to change&lt;/h3&gt;



&lt;p&gt;Begin with risk. Identify the behaviors most likely to expose your organization. That may include clicking suspicious links, reusing passwords, sharing credentials informally, failing to report incidents, weak offboarding workflows, or mishandling personal data such as customer or employee information.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 2: Prioritize the highest-risk scenarios&lt;/h3&gt;



&lt;p&gt;Not all training topics need equal weight. Focus first on the scenarios most relevant to your organization’s threat profile and operating model.&lt;/p&gt;



&lt;p&gt;For many businesses, that means phishing, credential handling, access control, and incident reporting. The aim at this stage is to focus staff training on the behaviors and scenarios most likely to reduce day-to-day risk.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 3: Segment training by role&lt;/h3&gt;



&lt;p&gt;Security awareness is much more likely to change behavior when employees can recognize their own working reality in the training. Different roles create different types of exposure, whether that means handling sensitive records, approving high-risk requests, managing privileged access, or sharing information with external contacts.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;A more effective program reflects those differences instead of giving everyone the same abstract advice. The closer the training is to the decisions people actually face, the easier it becomes to apply in practice.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 4: Build a rhythm of reinforcement&lt;/h3&gt;



&lt;p&gt;A one-off annual training session is not enough to change behavior. Use induction, refresher training, short reminders, simulation exercises, and regular communications to keep key messages active. Reinforcement can be lightweight, but it needs to be ongoing.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 5: Support training with policy and tooling&lt;/h3&gt;



&lt;p&gt;Training becomes far more credible when employees can see how to apply it in practice. So, make sure policies are clear, easy to find, and written in language employees can actually use. Then support them with features that make secure behavior easier to follow in practice.&lt;/p&gt;



&lt;p&gt;If your policy says staff must use strong, unique passwords and avoid informal sharing, give them a &lt;a href=&quot;https://proton.me/pass/security&quot;&gt;secure password manager&lt;/a&gt; that makes this easier. If your policy says suspicious emails should be reported immediately, make the reporting path obvious and low-friction.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Step 6: Review, measure, and improve&lt;/h3&gt;



&lt;p&gt;A security awareness program should evolve with your business. New tools, role changes, incidents, and types of attack all create new pressure points.&lt;/p&gt;



&lt;p&gt;Review outcomes regularly, update training based on incidents and near misses, and adjust the program when you find recurring weak spots. The goal is not to finish the program, but to make it more effective over time.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to measure impact&lt;/h2&gt;



&lt;p&gt;One of the easiest mistakes to make with security awareness training is to measure what is convenient instead of what is meaningful. Completion rates may tell you who watched the training or clicked through the module, but they say very little about whether the program is influencing behavior in the moments that actually carry risk.&lt;/p&gt;



&lt;p&gt;A more useful approach is to look for changes in how people respond to real situations over time. Phishing simulation results can help you understand whether employees are becoming more cautious, more observant, and more likely to question and report suspicious messages.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Credential-related incidents can show whether risky habits such as password reuse, insecure sharing, or poor account handling are becoming less common. Policy adherence can also reveal whether employees are actually applying the expectations set by the program, rather than simply being exposed to them.&lt;/p&gt;



&lt;p&gt;It is equally important to watch for operational signals. How quickly are suspicious emails or unusual requests being reported? Is MFA being enabled consistently where it should be? Are access rights being revoked promptly during offboarding? Are teams with greater exposure showing stronger judgement in realistic scenarios as the program develops?&amp;nbsp;&lt;/p&gt;



&lt;p&gt;These are often the indicators that show whether awareness is becoming part of how the organization works, rather than remaining confined to a training environment.&lt;/p&gt;



&lt;p&gt;Ultimately, the real test is not whether employees completed the program. It is whether your organization sees fewer avoidable mistakes, better reporting habits, and stronger day-to-day security behavior as a result.&lt;/p&gt;
</content:encoded><category>For business</category><author>Kate Menzies</author></item><item><title>How to prevent and recover from ransomware attacks on small businesses</title><link>https://proton.me/business/blog/ransomware-small-business</link><guid isPermaLink="true">https://proton.me/business/blog/ransomware-small-business</guid><description>Learn how ransomware affects small businesses, the most common attack paths, and the practical steps to prevent incidents and recover safely.</description><pubDate>Thu, 14 May 2026 14:25:44 GMT</pubDate><content:encoded>
&lt;p&gt;Many small business owners still think &lt;a href=&quot;https://proton.me/blog/ransomware-attack&quot;&gt;ransomware attacks&lt;/a&gt; only happen to hospitals, global brands, or public infrastructure. In reality, the ransomware risk facing small businesses is one of the clearest examples of how attackers consistently target organizations with valuable data, limited time, and weaker defenses.&lt;/p&gt;



&lt;p&gt;Recent findings from Proton’s &lt;a href=&quot;https://proton.me/blog/data-breach-observatory-2026&quot;&gt;Data Breach Observatory&lt;/a&gt; show that SMBs are frequently the victims of breaches. They’re also disproportionately represented in the most damaging incidents, including breaches involving high-risk data and large record exposures.&lt;/p&gt;



&lt;p&gt;Ransomware is a &lt;a href=&quot;https://proton.me/business/blog/business-continuity-strategies&quot;&gt;business continuity&lt;/a&gt;, credential security, and data protection problem. The UK government’s Cyber Security Breaches Survey found that 1% of UK businesses identified ransomware incidents in the previous 12 months, up from less than 0.5% in 2024. At national scale, that equates to an estimated 19,000 businesses.&lt;/p&gt;



&lt;p&gt;Despite the rise of ransomware, &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing&lt;/a&gt; is still the most common type of cyberattack. Attackers most frequently get access to business networks through people, credentials, and routine workflows rather than through large-scale cyberattacks. A phishing attack can then become the starting point for a larger ransomware attack if the attackers sense a greater payday.&lt;/p&gt;



&lt;p&gt;For a small business, ransomware can significantly disrupt business continuity. Team members lose access to files and can’t continue their work, operations slow or stop, and customers or clients don’t get adequate services. If personal data is compromised, reporting obligations will follow. A practical ransomware strategy for SMBs has to cover both aspects of an attack: prevention and recovery.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does ransomware work?&lt;/h2&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-ransomware&quot;&gt;Ransomware&lt;/a&gt; is a type of malware that prevents you from accessing devices or data, usually by encrypting files, and then demands a payment in exchange for decryption. In many cases, attackers now do more than lock files. They also steal data and threaten to leak it if the ransom is not paid, which turns the incident into both an availability crisis and a potential data breach.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Victims are often instructed to communicate through anonymous email or web pages and to pay in cryptocurrency. For small businesses, that is important because cryptocurrency is anonymous, decentralized, and unregulated by traditional financial institutions: it’s almost impossible to trace payments.&lt;/p&gt;



&lt;p&gt;A ransomware event is not always limited to losing access to files. It may also mean that customer information, employee data, financial records, contracts, or login credentials have already been exfiltrated. Ransomware can lead to loss of timely access to personal data and, where backups are not appropriate or available, even permanent loss.&lt;/p&gt;



&lt;p&gt;The attack chain is usually more ordinary than you might expect. The easy-to-miss incidents that can lead to a ransomware attack include:&amp;nbsp;&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Phishing links being followed.&lt;/li&gt;



&lt;li&gt;Reused passwords being exposed in a data breach.&lt;/li&gt;



&lt;li&gt;Remote access services being left exposed.&lt;/li&gt;



&lt;li&gt;Known vulnerabilities being left unpatched.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Once an attacker gets access to a business network, they move laterally, escalate privileges, disable recovery paths where possible, and deploy encryption or extortion where it will hurt most. No single tool or solution can prevent ransomware attacks. Instead, organizations must focus on reducing the number of easy paths into their network.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why small businesses are disproportionately targeted&lt;/h2&gt;



&lt;p&gt;Small businesses are attractive &lt;a href=&quot;https://proton.me/business/blog/ransomware-threats-smbs&quot;&gt;ransomware targets&lt;/a&gt; for a simple reason: they hold valuable data that isn’t as well-protected as it should be. Proton’s latest observatory findings show that SMBs account for 63% of breaches tracked since January 2025 and more than 352 million leaked records.&lt;/p&gt;



&lt;p&gt;They also account for 61% of breaches involving high-risk data, with small businesses alone representing 48% of those critical incidents. Among breaches exposing more than 100,000 records, SMBs account for 60%, and small businesses represent 42%.&lt;/p&gt;



&lt;p&gt;Small businesses aren’t careless. In fact, Proton’s &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot;&gt;SMB Cybersecurity Report 2026&lt;/a&gt; proves that small businesses are trying to improve their cybersecurity. The problem is that their defenses are breaking in real-world conditions. Inconsistent enforcement, human error, shared access habits, and limited internal security capacity are what make small businesses tempting targets. &lt;/p&gt;



&lt;p&gt;In Proton’s survey of 3,000 leaders at companies under 250 employees, 39% said incidents stemmed from human error, and 48% said they did not have a password manager in place.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Larger companies may have dedicated response teams, segmented environments, tested backup plans, and external incident support already in place. Smaller ones often have one lean IT function, outsourced support, or no dedicated security expert. When the attack hits, the business is forced to make high-stakes decisions while under operational pressure. That pressure is exactly what ransomware operators count on.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The most common entry points for ransomware in SMBs&lt;/h2&gt;



&lt;p&gt;After examining the studies carried out in the UK, we know that phishing remains the dominant cybercrime vector for businesses. But why? It’s because phishing is often the first step toward credential theft, account compromise, malware delivery, or remote access abuse.&lt;/p&gt;



&lt;p&gt;Weak or reused credentials are another major problem. Small businesses often have shared logins, passwords reused across multiple services, or old accounts that stay active after someone changes roles or leaves. Once attackers obtain one working login, they don’t need to hack into accounts. They can simply sign in.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;From there, a poorly protected admin account, an exposed cloud console, or a remote access point without &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA) can become the bridge into a broader ransomware incident. Realistically, organizations need to deploy 2FA, least privilege access, and regular permission reviews to reduce how easily stolen credentials can be reused and how far malware can spread.&lt;/p&gt;



&lt;p&gt;Unpatched software is another recurring entry point. The NCSC notes that ransomware is increasingly deployed via exposed services such as RDP or unpatched remote access devices, and recommends patching vulnerabilities in remote access and internet-facing systems as soon as patches become available. For SMBs, this is where a missed incident quietly becomes an attack surface.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How to protect against ransomware: a layered approach&lt;/h2&gt;



&lt;p&gt;There is no single control that can prevent ransomware. The most effective approach is layered and practical.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Start with identity management&lt;/h3&gt;



&lt;p&gt;The data in team members’ accounts needs thorough protection to repel ransomware attacks. Make two-factor authentication mandatory where possible across business-critical accounts, especially email, admin tools, cloud storage, finance platforms, remote access points, and any systems that store customer personal data or other sensitive &lt;a href=&quot;https://proton.me/business/blog/pii&quot;&gt;personally identifiable information&lt;/a&gt; (PII).&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Improve password hygiene&lt;/h3&gt;



&lt;p&gt;Attackers don’t always break into accounts. Often, they log in with stolen or reused credentials. Every business account must have a unique, strong password, and shared access should be replaced with managed, secure credential sharing through a business password manager rather than through spreadsheets, chats, or email.&lt;/p&gt;



&lt;p&gt;Proton’s own SMB report highlights that even businesses with tools in place still often fall back on insecure password-sharing habits. This is exactly where a secure &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; like Proton Pass for Business can reduce risk: it helps teams create strong and unique credentials, store them securely, and share access in a controlled, secure way.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Patch management has to be disciplined&lt;/h3&gt;



&lt;p&gt;Security updates for operating systems, apps, VPNs, remote access tools, and boundary devices should be treated as operational essentials, not optional maintenance. Install security updates as soon as possible and enable automatic updates where feasible.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Robust mail and web protection&lt;/h3&gt;



&lt;p&gt;Mail filtering, attachment controls, blocking known malicious sites, and safe browsing protections all reduce the likelihood that ransomware is delivered in the first place. Because phishing is so common, these controls are essential.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Address human error&lt;/h3&gt;



&lt;p&gt;Even when you’ve implemented security measures and a &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt;, security awareness training is still necessary. Training helps staff spot suspicious emails and social engineering attempts, but people will still make mistakes.&lt;/p&gt;



&lt;p&gt;Stronger tools, features, and access controls should be built on that assumption. The NCSC explicitly recommends awareness training, but Proton’s research also points out that training alone does not catch every slip. Good security design reduces the damage when someone does click by making one mistake less likely to become a full-scale incident, whether through 2FA, least-privilege access, stronger email protections, segmented access, or tested backups that support recovery.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Protect recovery before you need it&lt;/h3&gt;



&lt;p&gt;Backups need to be regular, isolated, and tested. The ICO recommends taking the 3-2-1 approach: three copies, on two different devices, with one stored off-site. The NCSC adds an important operational warning: ransomware may have infiltrated your environment before discovery, so backups should be scanned before restoration, and backup systems themselves should be protected.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The credential connection: why passwords still matter in ransomware defense&lt;/h2&gt;



&lt;p&gt;It is easy to think of ransomware as malware and forget that passwords play a part in a successful attack. But many ransomware incidents begin with the theft, reuse, or abuse of logins.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;That might mean a staff member reusing a password from another service, a former contractor account remaining active, an admin credential being shared among several people, or an exposed remote access point being protected only by a password. Each of those shortcuts expands the attack surface.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;This is one reason strong credential management belongs inside any ransomware recovery plan and prevention framework. Unique passwords per service reduce the blast radius of one stolen login. MFA makes that stolen password less useful on its own, while centralized credential storage removes the need for insecure workarounds.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Secure sharing means employees get the access they need through controlled, trackable methods rather than through informal password sharing. Regular review of who has access to what also supports least privilege, which the NCSC recommends as part of limiting lateral movement and spread.&lt;/p&gt;



&lt;p&gt;We’ve written extensively about the &lt;a href=&quot;https://proton.me/blog/ransomware-threats-smbs&quot;&gt;ransomware threats&lt;/a&gt; that SMBs face. Over and over, we see the same thing: attackers are increasingly looking for the businesses that are easier to break, not just the businesses with the biggest names.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What to do if your small business gets hit&lt;/h2&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;1. Contain the incident&lt;/h3&gt;



&lt;p&gt;If your business is hit, your first priority is containment. Disconnect infected devices from the network, disable compromised accounts if you can identify them, isolate remote access pathways, preserve evidence, and avoid wiping systems too quickly if you may need forensic support later.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;2. Report the incident&lt;/h3&gt;



&lt;p&gt;The NCSC advises UK organizations to report incidents and provides dedicated ransomware guidance for response and recovery. Proton’s guide to &lt;a href=&quot;https://proton.me/blog/incident-response&quot;&gt;incident response&lt;/a&gt; is also a useful reference for structuring the broader decision-making process around containment, investigation, communications, and recovery.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;3. Don’t pay the ransom&lt;/h3&gt;



&lt;p&gt;The NCSC and UK law enforcement do not encourage, endorse, or condone paying ransom demands. They note there is no guarantee you will regain access, your systems may still be infected, you will be funding criminal groups, and you may be more likely to be targeted again.&lt;/p&gt;



&lt;p&gt;The ICO is similarly clear that paying a ransom does not reduce the risk to people and does not safeguard the information. Even if a decryption key is offered, there is no guarantee it will work or that stolen data will not still be leaked.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;4. Start recovery&lt;/h3&gt;



&lt;p&gt;Recovery should focus on slow and secure restoration. That means rebuilding from clean backups, validating that the attack path has been closed, rotating affected credentials, re-enabling access carefully, and documenting what happened. If backups are connected to live systems or have not been tested, this is often where businesses discover a second failure after the first one. A good ransomware recovery plan really starts long before an incident even occurs.&amp;nbsp;&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;UK reporting obligations: when the ICO may need to be involved&lt;/h2&gt;



&lt;p&gt;If a ransomware incident affects personal data, this may be a personal &lt;a href=&quot;https://proton.me/business/blog/data-breach-prevention-uk&quot;&gt;data breach under the UK GDPR&lt;/a&gt;. The ICO explains that loss of access to personal data can itself be a breach where it creates risk to individuals, and that you must notify the ICO without undue delay and, where feasible, within 72 hours if the breach is likely to result in a risk to people’s rights and freedoms. If the risk is high, affected individuals may also need to be informed without undue delay.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Some organizations still assume that if they restore systems quickly or there is no obvious public leak, reporting is unnecessary. That is not a safe assumption. The ICO’s ransomware guidance explicitly addresses breach notification scenarios and makes clear that the assessment turns on risk to individuals, not just whether stolen files have already surfaced online.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Ransomware is an SMB problem now&lt;/h2&gt;



&lt;p&gt;Small businesses are being hit by ransomware attacks more and more frequently, and when they are hit, the impact can be severe because attackers exploit their weaknesses. Proton’s latest breach data makes that visible: the threat is measurable, growing, and operationally disruptive.&lt;/p&gt;



&lt;p&gt;The good news is that the fundamentals can do much of the heavy lifting for any SMB. Measures such as using a &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; to deploy 2FA and create unique credentials, patching, mail filtering, staff awareness, permission review, tested backups, and incident response planning may not seem flashy on their own, but together they make a meaningful difference. They reduce the chances that a single stolen password, one phishing email, or one exposed remote service escalates into a business-wide outage.&lt;/p&gt;
</content:encoded><category>For business</category><author>Kate Menzies</author></item><item><title>How to change email password on Gmail, Outlook, and Proton</title><link>https://proton.me/blog/how-to-change-email-password</link><guid isPermaLink="true">https://proton.me/blog/how-to-change-email-password</guid><description>Find out how to change your email password and improve email security on Gmail, Outlook, and Proton Mail, including on iPhone and Android.</description><pubDate>Wed, 13 May 2026 17:27:44 GMT</pubDate><content:encoded>
&lt;p&gt;Whether you&amp;#8217;ve noticed suspicious activity in your &lt;a href=&quot;https://proton.me/mail&quot;&gt;email&lt;/a&gt; account or just want to improve your security, this guide shows you how to change your email &lt;a href=&quot;https://proton.me/pass&quot;&gt;password&lt;/a&gt; on some of the most popular services: &lt;a href=&quot;https://proton.me/blog/is-gmail-secure&quot;&gt;Gmail&lt;/a&gt;, &lt;a href=&quot;https://proton.me/blog/outlook-is-microsofts-new-data-collection-service&quot;&gt;Outlook&lt;/a&gt;, and Proton Mail.&lt;/p&gt;



&lt;p&gt;Your email is the master key to your online life. Anyone with access to it can reset the password on every other account tied to that address, such as your bank, social media, or shopping accounts. That’s why a leaked email password is far more dangerous than a leaked Netflix password, and why you should treat &lt;a href=&quot;https://proton.me/mail/security&quot;&gt;email security&lt;/a&gt; as the foundation everything else sits on.&lt;/p&gt;



&lt;p&gt;You should change your email password if:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;You’ve noticed suspicious sign-in activity, especially if no one else has access to your email account.&lt;/li&gt;



&lt;li&gt;A service you use has been involved in a &lt;a href=&quot;https://proton.me/business/pass/breach-observatory&quot;&gt;data breach&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You’ve been reusing the same password on multiple websites, which can expose you to &lt;a href=&quot;https://proton.me/blog/what-is-credential-stuffing-attack&quot;&gt;credential stuffing attacks&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You clicked a suspicious link or entered your email credentials on a website you later realized might be fake (&lt;a href=&quot;https://proton.me/business/blog/phishing-attacks&quot;&gt;phishing&lt;/a&gt;).&lt;/li&gt;



&lt;li&gt;Your account provider &lt;a href=&quot;https://proton.me/blog/dark-web-monitoring&quot;&gt;warned you that your password appeared in a known leak&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;You received &lt;a href=&quot;https://proton.me/blog/instagram-leak&quot;&gt;password-reset emails&lt;/a&gt; or security alerts you did not request.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Changing your email password takes only a few minutes and can be done from your provider’s account settings, not from your mail app.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#gmail&quot;&gt;How to change your email password on Gmail&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#outlook&quot;&gt;How to change your email password on Outlook, Hotmail, or Live&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#proton-mail&quot;&gt;How to change your email password on Proton Mail&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#iphone&quot;&gt;How to change email passwords on iPhone&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#android&quot;&gt;How to change email passwords on Android&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#tips&quot;&gt;Tips for creating a strong email password&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#best-practices&quot;&gt;Best practices for email password security&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#forgot-password&quot;&gt;What to do if you forgot your email password&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#safe&quot;&gt;Keep your email accounts safe&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;gmail&quot;&gt;How to change your email password on Gmail&lt;/h2&gt;



&lt;p&gt;To change your Gmail password, update it through your Google Account:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Log in to your Google Account at &lt;a href=&quot;http://myaccount.google.com&quot;&gt;myaccount.google.com&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;Click &lt;strong&gt;Security and sign-in&lt;/strong&gt; from the left menu.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;406&quot; height=&quot;963&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_406,h_963,c_scale/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA&quot; alt=&quot;How to change your Google password&quot; class=&quot;wp-post-137156 wp-image-137310&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;80 KB&quot; data-optsize=&quot;16 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;79.5&quot; data-version=&quot;1778683718&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA 406w, https://res.cloudinary.com/dbulfrlrz/images/w_126,h_300,c_scale/f_auto,q_auto/v1778683718/wp-pme/change-google-password-1/change-google-password-1.png?_i=AA 126w&quot; sizes=&quot;auto, (max-width: 406px) 100vw, 406px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Under &lt;strong&gt;How you sign in to Google&lt;/strong&gt;, click &lt;strong&gt;Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;982&quot; height=&quot;1231&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_982,h_1231,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA&quot; alt=&quot;How to change your Google password&quot; class=&quot;wp-post-137156 wp-image-137352&quot; style=&quot;width:500px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;145 KB&quot; data-optsize=&quot;31 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.7&quot; data-version=&quot;1778683847&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 982w, https://res.cloudinary.com/dbulfrlrz/images/w_239,h_300,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 239w, https://res.cloudinary.com/dbulfrlrz/images/w_817,h_1024,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 817w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_963,c_scale/f_auto,q_auto/v1778683847/wp-pme/change-google-password-2/change-google-password-2.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 982px) 100vw, 982px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your current password to verify your identity.&lt;/li&gt;



&lt;li&gt;Type your &lt;strong&gt;New password&lt;/strong&gt;, confirm it, and click &lt;strong&gt;Change Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Google will keep you signed in on the device you&amp;#8217;re using. To sign out everywhere else, go to &lt;strong&gt;Security&lt;/strong&gt; → &lt;strong&gt;Your devices&lt;/strong&gt; and remove any sessions you don&amp;#8217;t recognize.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;outlook&quot;&gt;How to change your email password on Outlook, Hotmail, or Live&lt;/h2&gt;



&lt;p&gt;If you use a Microsoft account for Outlook, Hotmail, or Live, you can change your password through the Microsoft security portal:&amp;nbsp;&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Go to &lt;a href=&quot;http://account.microsoft.com&quot;&gt;account.microsoft.com&lt;/a&gt; and &lt;strong&gt;Sign in&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Open the &lt;strong&gt;Security&lt;/strong&gt; accordion and click &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;1717&quot; height=&quot;984&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1717,h_984,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA&quot; alt=&quot;How to change your Outlook password&quot; class=&quot;wp-post-137156 wp-image-137457&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;144 KB&quot; data-optsize=&quot;27 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;81.3&quot; data-version=&quot;1778684117&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1717w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_172,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_587,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_440,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_880,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_899,c_scale/f_auto,q_auto/v1778684117/wp-pme/change-outlook-password/change-outlook-password.png?_i=AA 1568w&quot; sizes=&quot;auto, (max-width: 1717px) 100vw, 1717px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your &lt;strong&gt;New password&lt;/strong&gt;, then click &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;To sign out of every other session, go to &lt;strong&gt;Security&lt;/strong&gt; → &lt;strong&gt;Sign-in activity&lt;/strong&gt; and click &lt;strong&gt;Sign out everywhere&lt;/strong&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;proton-mail&quot;&gt;How to change your email password on Proton Mail&lt;/h2&gt;



&lt;p&gt;You can &lt;a href=&quot;https://proton.me/support/how-to-change-your-password&quot;&gt;change your Proton Mail password&lt;/a&gt; directly in your account settings:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open Proton Mail and go to &lt;strong&gt;Settings → All settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;In the sidebar, click &lt;strong&gt;Account and password&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Click &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;1102&quot; height=&quot;591&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1102,h_591,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA&quot; alt=&quot;How to change your Proton Mail password&quot; class=&quot;wp-post-137156 wp-image-137562&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;89 KB&quot; data-optsize=&quot;19 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.6&quot; data-version=&quot;1778684323&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 1102w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_161,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_549,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_412,c_scale/f_auto,q_auto/v1778684323/wp-pme/change-proton-mail-password/change-proton-mail-password.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1102px) 100vw, 1102px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your &lt;strong&gt;Current password&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Enter and confirm your &lt;strong&gt;New password&lt;/strong&gt;, then click &lt;strong&gt;Save&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Proton Mail uses &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/what-is-end-to-end&quot;&gt;end-to-end encryption&lt;/a&gt;, so changing your password also re-encrypts your data. Make sure you have your &lt;a href=&quot;https://proton.me/support/set-account-recovery-methods&quot;&gt;recovery method&lt;/a&gt; set up before you change it. Without one, you can lose access to old encrypted messages.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;iphone&quot;&gt;How to change email passwords on iPhone&lt;/h2&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Select your account.&lt;/li&gt;



&lt;li&gt;Go to &lt;strong&gt;Sign-In &amp;amp; Security&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;2413&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_2413,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137923&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;232 KB&quot; data-optsize=&quot;67 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;71.1&quot; data-version=&quot;1778685974&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_145,h_300,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 145w, https://res.cloudinary.com/dbulfrlrz/images/w_497,h_1024,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 497w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1584,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_745,h_1536,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 745w, https://res.cloudinary.com/dbulfrlrz/images/w_993,h_2048,c_scale/f_auto,q_auto/v1778685974/wp-pme/change-iphone-password-1/change-iphone-password-1.jpg?_i=AA 993w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Tap &lt;strong&gt;Change Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;2366&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_2366,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137944&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;345 KB&quot; data-optsize=&quot;123 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;64.5&quot; data-version=&quot;1778685981&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_148,h_300,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 148w, https://res.cloudinary.com/dbulfrlrz/images/w_506,h_1024,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 506w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1553,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_760,h_1536,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 760w, https://res.cloudinary.com/dbulfrlrz/images/w_1013,h_2048,c_scale/f_auto,q_auto/v1778685981/wp-pme/change-iphone-password-2/change-iphone-password-2.jpg?_i=AA 1013w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Authenticate with your current password or Face ID.&lt;/li&gt;



&lt;li&gt;Enter the new password and confirm it.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;1321&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_1321,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA&quot; alt=&quot;How to change your iPhone password&quot; class=&quot;wp-post-137156 wp-image-137965&quot; style=&quot;width:450px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;136 KB&quot; data-optsize=&quot;43 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;68.2&quot; data-version=&quot;1778685987&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_266,h_300,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 266w, https://res.cloudinary.com/dbulfrlrz/images/w_907,h_1024,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 907w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_867,c_scale/f_auto,q_auto/v1778685987/wp-pme/change-iphone-password-3/change-iphone-password-3.jpg?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;android&quot;&gt;How to change email passwords on Android&lt;/h2&gt;



&lt;p&gt;If you’re using Gmail, you can change your password in your Google Account settings. The exact steps may vary slightly depending on your device.&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Passwords, passkeys and accounts&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;906&quot; height=&quot;1848&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_906,h_1848,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137625&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;298 KB&quot; data-optsize=&quot;59 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;80.1&quot; data-version=&quot;1778684502&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 906w, https://res.cloudinary.com/dbulfrlrz/images/w_147,h_300,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 147w, https://res.cloudinary.com/dbulfrlrz/images/w_502,h_1024,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 502w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1567,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_753,h_1536,c_scale/f_auto,q_auto/v1778684502/wp-pme/change-android-password-1_1376253fa5d/change-android-password-1_1376253fa5d.png?_i=AA 753w&quot; sizes=&quot;auto, (max-width: 906px) 100vw, 906px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Select your account.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Google Account&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;figure class=&quot;wp-block-image size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;991&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_991,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137667&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;113 KB&quot; data-optsize=&quot;20 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;82.6&quot; data-version=&quot;1778684657&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_276,h_300,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 276w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_835,c_scale/f_auto,q_auto/v1778684657/wp-pme/change-android-password-2/change-android-password-2.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;



&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Go to the &lt;strong&gt;Security or Sign-in&lt;/strong&gt; tab.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;909&quot; height=&quot;1618&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_909,h_1618,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137730&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;298 KB&quot; data-optsize=&quot;65 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;78.3&quot; data-version=&quot;1778684818&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 909w, https://res.cloudinary.com/dbulfrlrz/images/w_169,h_300,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 169w, https://res.cloudinary.com/dbulfrlrz/images/w_575,h_1024,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 575w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1367,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_863,h_1536,c_scale/f_auto,q_auto/v1778684818/wp-pme/change-android-password-3/change-android-password-3.png?_i=AA 863w&quot; sizes=&quot;auto, (max-width: 909px) 100vw, 909px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;6&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Under &lt;strong&gt;How you sign in to Google&lt;/strong&gt;, tap &lt;strong&gt;Password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;1743&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_1743,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137793&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;267 KB&quot; data-optsize=&quot;50 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;81.1&quot; data-version=&quot;1778684972&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_157,h_300,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 157w, https://res.cloudinary.com/dbulfrlrz/images/w_536,h_1024,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 536w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1468,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_804,h_1536,c_scale/f_auto,q_auto/v1778684972/wp-pme/change-android-password-4/change-android-password-4.png?_i=AA 804w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;7&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Enter your new password and tap &lt;strong&gt;Change password&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;Once you’ve updated your password, your device will usually ask you to sign in again. You may also see a message like “Account action required” if your email stops syncing. Enter your new password when prompted.&lt;/p&gt;



&lt;p&gt;If you don’t see a prompt, remove the account and add it again:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;Settings&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Passwords, passkeys and accounts&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;912&quot; height=&quot;1848&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_912,h_1848,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137835&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;299 KB&quot; data-optsize=&quot;58 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;80.6&quot; data-version=&quot;1778685128&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 912w, https://res.cloudinary.com/dbulfrlrz/images/w_148,h_300,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 148w, https://res.cloudinary.com/dbulfrlrz/images/w_505,h_1024,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 505w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1556,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_758,h_1536,c_scale/f_auto,q_auto/v1778685128/wp-pme/change-android-password-5_137835cd4fa/change-android-password-5_137835cd4fa.png?_i=AA 758w&quot; sizes=&quot;auto, (max-width: 912px) 100vw, 912px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;3&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Select the account you want to update.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Remove account&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1071&quot; height=&quot;633&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1071,h_633,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA&quot; alt=&quot;How to change your Android password&quot; class=&quot;wp-post-137156 wp-image-137899&quot; style=&quot;width:350px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;61 KB&quot; data-optsize=&quot;9 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;85.1&quot; data-version=&quot;1778685214&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 1071w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_177,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_605,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_454,c_scale/f_auto,q_auto/v1778685214/wp-pme/change-android-password-6/change-android-password-6.png?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1071px) 100vw, 1071px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;5&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Add the account again and sign in using your new password.&lt;/li&gt;
&lt;/ol&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;tips&quot;&gt;Tips for creating a strong email password&lt;/h2&gt;



&lt;p&gt;A password should be hard for a stranger or a computer to guess, but easy for you to manage.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it long:&lt;/strong&gt; Aim for at least 12 characters. Longer passwords are harder to crack.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it unique:&lt;/strong&gt; Don’t reuse passwords across different accounts.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Avoid personal information:&lt;/strong&gt; Don’t use names, birthdays, or common words.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Make it random or memorable:&lt;/strong&gt; A random password is more secure than a predictable one.&lt;/p&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;password generator&lt;/a&gt; makes all of this easier to manage.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;best-practices&quot;&gt;Best practices for email password security&lt;/h2&gt;



&lt;p&gt;Changing your password is a great start, but security is about more than just a secret word or phrase. You can make your inbox a much more difficult target by using tools that do the heavy lifting for you:&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Use a &lt;/strong&gt;&lt;a href=&quot;https://proton.me/pass&quot;&gt;&lt;strong&gt;password manager&lt;/strong&gt;&lt;/a&gt;: Proton Pass can safely create, store, and autofill your passwords across your devices. It has a built-in password generator to help you create unique passwords for all your accounts.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Enable &lt;/strong&gt;&lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;&lt;strong&gt;two-factor authentication (2FA)&lt;/strong&gt;&lt;/a&gt;: This adds a second layer of security, such as a one-time code sent to your &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;authenticator app&lt;/a&gt;, so a password alone isn’t enough to access your account. &lt;a href=&quot;https://proton.me/support/pass-2fa&quot;&gt;Proton Pass provides 2FA&lt;/a&gt; for every account that supports it, along with a &lt;a href=&quot;https://proton.me/pass/pass-monitor&quot;&gt;Pass Monitor&lt;/a&gt; feature that alerts you to repeated passwords and inactive 2FA.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Review active sessions regularly&lt;/strong&gt;: Check where your account is signed in and revoke access from devices or locations you don’t recognize. All Proton Accounts come with a free &lt;a href=&quot;https://proton.me/support/account-monitor-individual-accounts&quot;&gt;account monitor&lt;/a&gt; to help you track active sessions.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Keep recovery options up to date&lt;/strong&gt;: Make sure your recovery email address and phone number are current, secure, and belong only to you.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Be careful with third-party app access&lt;/strong&gt;: Remove connected apps, browser extensions, or email clients you no longer use or don’t recognize.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Watch for phishing&lt;/strong&gt;: Always check the sender, domain, and URL before entering your login details. Avoid signing in from links in unexpected emails. Proton Mail has built-in phishing protection that keeps you safe from known offenders.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Keep your devices updated&lt;/strong&gt;: Install security updates for your operating system, browser, email app, and password manager.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Use account alerts&lt;/strong&gt;: Turn on notifications for new sign-ins, password changes, recovery changes, and suspicious activity. On Proton paid plans, you can enable &lt;a href=&quot;https://proton.me/support/proton-sentinel&quot;&gt;Proton Sentinel&lt;/a&gt; to prevent account takeovers.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Secure your password manager account&lt;/strong&gt;: Use a strong master password and enable 2FA for the password manager itself. You can use &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;Proton Authenticator&lt;/a&gt; to enable 2FA for your Proton Account.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;forgot-password&quot;&gt;What to do if you forgot your email password&lt;/h2&gt;



&lt;p&gt;If you can’t log in, look for the &lt;strong&gt;Forgot password&lt;/strong&gt; link. Most websites place this link directly under the sign-in box on their login page. Clicking it will usually let you verify your identity using a backup email address or phone number.&lt;/p&gt;



&lt;p&gt;For &lt;a href=&quot;https://proton.me/mail&quot;&gt;Proton Mail&lt;/a&gt;, you may also need your recovery phrase or recovery file to regain access to your encrypted messages.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;safe&quot;&gt;Keep your email accounts safe&lt;/h2&gt;



&lt;p&gt;A weak or exposed email password can quickly turn into a much bigger security problem. If you’ve received security alerts, reused passwords across websites, or suspect your account may have been &lt;a href=&quot;https://proton.me/blog/check-if-email-leaked&quot;&gt;exposed in a breach&lt;/a&gt;, you should change the affected passwords as soon as possible.&lt;/p&gt;



&lt;p&gt;Changing your password is one of the fastest ways to reduce the risk of someone else accessing your information. Using a password manager like Proton Pass and an end-to-end encrypted email like Proton Mail can help you keep your inbox safe.&lt;/p&gt;
</content:encoded><category>Privacy guides</category><author>Elena Constantinescu</author></item><item><title>Password security: Why breaches still happen</title><link>https://proton.me/business/blog/password-security</link><guid isPermaLink="true">https://proton.me/business/blog/password-security</guid><description>Even with strong passwords and MFA, breaches still happen. See the hidden gaps, common risks, and how to close them effectively.</description><pubDate>Tue, 12 May 2026 13:31:42 GMT</pubDate><content:encoded>
&lt;p&gt;Most people use passwords every day, so it’s easy to forget that they can cause an extraordinary amount of damage if not managed properly. Most teams know they should use strong passwords, avoid reuse, enable &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication&lt;/a&gt; (2FA), and store credentials securely. But password-related breaches happen every day, not only in large enterprises but also in small teams managing a growing mix of SaaS tools, shared accounts, and fast-moving workflows.&lt;/p&gt;



&lt;p&gt;The problem isn’t a lack of awareness. Many companies, especially SMBs, know about cybersecurity risks but believe they aren’t valuable targets for &lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;phishing attacks&lt;/a&gt; or &lt;a href=&quot;https://proton.me/business/blog/ransomware-threats-smbs&quot;&gt;ransomware&lt;/a&gt;. As a result, they don’t look for solutions until it’s too late.&lt;/p&gt;



&lt;p&gt;Another common issue is the gap between knowing the rules and having the right password security systems in place to follow them. When teams are expected to remember too much, move too quickly, and work across too many tools without secure ways to create, store, share, and review credentials, bad habits proliferate.&lt;/p&gt;



&lt;p&gt;This is why breaches still happen. This article explains why passwords remain a common entry point for data breaches, which risks affect small teams most often, which tools and practices help reduce them, and where passkeys and biometric authentication fit into a stronger password security strategy.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why are passwords still a leading cause of data breaches?&lt;/h2&gt;



&lt;p&gt;Compromised passwords are one of the easiest ways for attackers to gain access to accounts because they guard so many network entry points. In many modern organizations, employees log in to dozens of systems across email, storage, collaboration, finance, HR, development, and client-facing tools, each of which is a potential entry point for a breach.&lt;/p&gt;



&lt;p&gt;Weak credentials create a wide attack surface, and the more passwords team members have to manage manually, the more likely they are to choose simple, weak passwords, reuse or insecurely store passwords, or fall for phishing scams.&lt;/p&gt;



&lt;p&gt;There’s data that proves this: &lt;a href=&quot;https://proton.me/business/smb-cybersecurity-report&quot;&gt;Proton’s 2026 SMB cybersecurity report&lt;/a&gt; found that nearly one in four SMBs experienced a cyberattack in the previous 12 months, despite many already investing in tools, policies, and training. In addition, Proton’s &lt;a href=&quot;https://proton.me/business/pass/breach-observatory&quot;&gt;Data Breach Observatory&lt;/a&gt; shows that passwords are exposed in nearly half of reported data breaches, underscoring the scale of credential-related risk.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;How one password becomes a broader security risk&lt;/h3&gt;



&lt;p&gt;Passwords are still an enormous vulnerability because they can be compromised in multiple ways. A password can be easily guessed using a &lt;a href=&quot;https://proton.me/blog/what-is-dictionary-attack&quot;&gt;dictionary attack&lt;/a&gt; if it is weak. Reused passwords can compromise multiple accounts across different services. Passwords are also easily exposed if stored in insecure locations such as &lt;a href=&quot;https://proton.me/blog/spreadsheet-security-business-survey&quot;&gt;spreadsheets&lt;/a&gt; or message threads. Once an attacker has one valid credential, they often don’t need to “hack” anything; they just log in.&lt;/p&gt;



&lt;p&gt;With so many underlying risks, a compromised password is not only an access problem: it’s a visibility issue, a response problem, and often a governance matter. Teams need to know which systems are affected, who had access, whether 2FA was enabled, whether the credential was shared, and whether any secrets/credentials need to be rotated or reviewed.&lt;/p&gt;



&lt;p&gt;Modern guidance reflects that reality. The 2025 &lt;a href=&quot;https://proton.me/blog/nist-password-guidelines&quot;&gt;NIST password guidelines&lt;/a&gt; explicitly note that passwords alone are not phishing-resistant, even though they are still widely used. The document also recommends stronger controls around password length, blocklists, and secure handling, rather than relying on outdated complexity composition rules alone.&lt;/p&gt;
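&lt;p&gt;The contrast described above, as an added example that is not part of the original article: a legacy composition rule next to a length-plus-blocklist check. The 12-character minimum, the small blocklist, the normalisation steps, the sample passwords, and all function names are assumptions made for illustration.&lt;/p&gt;

```python
import re
import unicodedata

MIN_LENGTH = 12  # assumption: set this to the minimum your own policy requires

# Constructed sample blocklist. A real deployment loads a large list of breached
# and commonly used passwords; these few entries only illustrate the lookup.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "summer", "iloveyou"}

# Substitutions undone before the lookup, so "p@ssw0rd" maps to "password".
LEET = str.maketrans(
    {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)


def legacy_composition_ok(password: str) -> bool:
    """Old-style rule: 8+ characters with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= 8 and all(re.search(c, password) for c in classes)


def check_password(password: str, context_words=()) -> list:
    """Return the reasons to reject a password; an empty list means accept."""
    reasons = []
    # Normalise Unicode so visually identical inputs are counted and compared alike.
    normalised = unicodedata.normalize("NFKC", password)
    if MIN_LENGTH > len(normalised):
        reasons.append("too_short")

    lowered = normalised.casefold()
    # Drop a trailing run of digits and symbols ("summer2025!" becomes "summer"),
    # undo common substitutions, and look up every resulting variant.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    variants = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    if not variants.isdisjoint(BLOCKLIST):
        reasons.append("blocklisted")

    # Context-specific words (service name, user name) are refused as well.
    for word in context_words:
        needle = word.casefold()
        if len(needle) >= 4 and any(needle in v for v in variants):
            reasons.append("context_word")
            break
    return reasons


# Constructed sample passwords with the context words that apply to each.
SAMPLES = [
    ("P@ssw0rd2024!", ()),
    ("Summer2025!", ()),
    ("AcmeFinance#2026x", ("acme",)),
    ("velvet harbor cactus lantern", ()),
]

if __name__ == "__main__":
    for candidate, context in SAMPLES:
        verdict = check_password(candidate, context) or ["accepted"]
        print(f"{candidate!r:34} composition_ok={legacy_composition_ok(candidate)!s:5} "
              f"length_and_blocklist={','.join(verdict)}")
```

&lt;p&gt;The first three samples satisfy the composition rule yet are rejected by the length-plus-blocklist check, while the long lowercase passphrase fails the composition rule and is accepted.&lt;/p&gt;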



&lt;p&gt;So when we discuss password security, it’s not merely a hygiene issue: it’s one of the most common ways everyday work leads to a real breach.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What common risks do small teams face with passwords?&lt;/h2&gt;



&lt;p&gt;Small teams usually struggle with password security because they need to move fast with limited time, scarce IT resources, and a growing set of tools that do not naturally encourage secure habits.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Password reuse&lt;/h3&gt;



&lt;p&gt;One of the biggest security threats to organizations is password reuse. A team member might use the same or similar password across multiple work accounts simply because it feels memorable and manageable. But if one of those credentials is exposed in a third-party breach, attackers can try it elsewhere. It’s incredibly easy for one leaked password to turn into multiple compromised systems.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Insecure credential storage&lt;/h3&gt;



&lt;p&gt;Another common issue is insecure credential storage. Even teams that are more conscious about security can fall back on familiar habits: passwords saved in browsers, copied into notes, kept in spreadsheets, or dropped into message threads, all of which increase the risk of unauthorized access.&lt;/p&gt;



&lt;p&gt;Over time, poor credential storage leads to a loss of control and poor access management throughout an organization. When credentials are stored in scattered places, offboarding becomes inconsistent, audits get harder, and incident response slows down because nobody knows exactly where credentials live.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Lack of visibility&lt;/h3&gt;



&lt;p&gt;Without clear visibility into credential management, many teams don’t have a clear way to answer basic questions like:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Who still has access to this account?&lt;/li&gt;



&lt;li&gt;Has this password been reused anywhere else?&lt;/li&gt;



&lt;li&gt;Was 2FA enabled?&lt;/li&gt;



&lt;li&gt;Has this credential appeared in a breach?&lt;/li&gt;



&lt;li&gt;How quickly can we identify and change it if something goes wrong?&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Without these answers, password security can only be reactive. Teams only discover weaknesses after a phishing incident, a suspicious login, or even a breach.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Phishing&lt;/h3&gt;



&lt;p&gt;Strong awareness helps, but &lt;a href=&quot;https://proton.me/blog/whaling-spear-phishing&quot;&gt;phishing&lt;/a&gt; remains one of the most common attack vectors. Passwords can still be entered into malicious sites, especially when attackers use convincing login pages or urgency-driven tactics. This is why passwords alone are not enough. Additional security layers like 2FA, passkeys, and secure credential workflows are essential.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Gaps in password and access policies&lt;/h3&gt;



&lt;p&gt;Many small teams rely on informal practices rather than defined policies. People may know they should use strong passwords, but there are often no clear requirements for password length, reuse, rotation, or how credentials should be stored, shared, monitored, and revoked.&lt;/p&gt;



&lt;p&gt;Without a defined &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt;, credential management becomes inconsistent. Over time, this leads to gaps in security, especially as teams grow and workflows become more complex.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Poor tooling and controls&lt;/h3&gt;



&lt;p&gt;Finally, controls around credential management and security are often inconsistent or nonexistent. As a result:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;2FA is enabled in some systems but missing in others.&lt;/li&gt;



&lt;li&gt;Passwords are handled in an ad-hoc way instead of using approved business tools.&lt;/li&gt;



&lt;li&gt;There is no centralized monitoring for weak, reused, or compromised credentials.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;The result is an ineffective security approach that appears reassuring on the surface but leaves common real-world threats unaddressed. Password security follows the same pattern: awareness exists, but the approach is ineffective.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Which tools and best practices help prevent password-related breaches?&lt;/h2&gt;



&lt;p&gt;A single control is rarely enough to protect against password-related breaches. Risk is reduced by combining practical measures that prevent weak habits and make secure practices easier to adopt.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Strong, unique passwords&lt;/h3&gt;



&lt;p&gt;Weak passwords are rarely chosen because people think they are ideal. They are used because they are easy to remember and quick to type across multiple systems.&lt;/p&gt;



&lt;p&gt;Using long, random, and unique passwords for every account helps reduce the risk and impact of password-related breaches.&lt;/p&gt;



&lt;p&gt;Free tools like &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;password generators&lt;/a&gt; and &lt;a href=&quot;https://proton.me/pass/password-strength-tester&quot;&gt;password strength testers&lt;/a&gt; can help to create strong passwords and identify weak credentials. However, strength alone is not enough if passwords are reused across services.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Two-factor authentication (2FA)&lt;/h3&gt;



&lt;p&gt;2FA remains one of the most effective ways to prevent account compromise from stolen passwords, especially in phishing and credential stuffing scenarios, because it adds a second layer of protection in case a password is leaked, guessed, or reused.&lt;/p&gt;



&lt;p&gt;The best password security programs enforce 2FA where possible, especially for email, admin accounts, finance tools, identity systems, and remote access.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Password manager&lt;/h3&gt;



&lt;p&gt;A &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; like Proton Pass for Business addresses the core causes of password-related breaches: the need for people to create, remember, and manually type passwords across too many systems.&lt;/p&gt;



&lt;p&gt;Instead of relying on memory, teams can generate strong, unique passwords for every account, store them in encrypted vaults, and autofill them when needed, removing much of the reason to create weak passwords or reuse credentials.&lt;/p&gt;



&lt;p&gt;A business password manager also provides greater access control, an operational need for businesses. Teams will always need secure &lt;a href=&quot;https://proton.me/pass/password-sharing&quot;&gt;password sharing&lt;/a&gt;; the difference is whether that happens within governed, secure workflows or through chat, email, spreadsheets, and copied plain text. When access is managed through a secure system, it can be granted and revoked more reliably.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Strong and enforceable password policies&lt;/h3&gt;



&lt;p&gt;Teams need clear, documented standards that are consistently applied and enforced, including:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Minimum password length&lt;/li&gt;



&lt;li&gt;Unique passwords for every account, with no reuse across systems&lt;/li&gt;



&lt;li&gt;Approved storage methods&lt;/li&gt;



&lt;li&gt;Secure sharing rules&lt;/li&gt;



&lt;li&gt;Event-based reset policies&lt;/li&gt;



&lt;li&gt;Clear MFA requirements&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;A strong &lt;a href=&quot;https://proton.me/business/blog/password-policy-template&quot;&gt;password policy&lt;/a&gt; backed by efficient and user-friendly tools helps turn password security from a personal preference into an organizational standard everyone can adhere to with ease. With a password manager, these policies can be enforced in practice and applied consistently across teams.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Monitoring for compromised passwords&lt;/h3&gt;



&lt;p&gt;Following best credential security practices is only the starting point. Teams also need the ability to know if credentials have been exposed in a breach, or when weak and reused passwords are creating preventable risk across the organization.&lt;/p&gt;



&lt;p&gt;Monitoring provides early visibility. Instead of reacting only after suspicious activity or account compromise happens, teams can quickly identify vulnerable credentials and rotate them before attackers have a chance to gain unauthorized access.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Access control and review&lt;/h3&gt;



&lt;p&gt;Secure access is not only about how strong credentials are. It also depends on who has access, which accounts are shared, whether access remains appropriate, and whether former employees or contractors retain credentials they no longer need.&lt;/p&gt;



&lt;p&gt;That is why effective access control improves security in two ways: by strengthening credentials, and by establishing clear processes for how access is granted, reviewed, and revoked over time.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Ongoing security awareness and training&amp;nbsp;&lt;/h3&gt;



&lt;p&gt;Employees must understand how to identify phishing attempts, why password reuse creates risk, where credentials can and cannot be stored, what tools are approved to use, and how to report suspected activity quickly.&lt;/p&gt;



&lt;p&gt;The key is to treat training and awareness as part of normal operations, not as a checkbox exercise. Password security is stronger when secure habits are built into everyday workflows and reinforced consistently over time.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Passkeys and biometric authentication&lt;/h3&gt;



&lt;p&gt;Alternative methods such as &lt;a href=&quot;https://proton.me/pass/passkeys&quot;&gt;passkeys&lt;/a&gt; and &lt;a href=&quot;https://proton.me/blog/biometric-authentication&quot;&gt;biometric authentication&lt;/a&gt; are becoming increasingly important as part of a modern authentication strategy.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Passkeys rely on device-bound authentication rather than shared secrets, addressing key weaknesses of passwords, such as phishing and reuse risks.&lt;/li&gt;



&lt;li&gt;Biometric authentication can also improve usability, especially on devices, but is typically used locally to unlock an authentication secret or device rather than being transmitted as the primary secret itself. That makes biometrics useful, but not a direct replacement for all password and access management needs. NIST’s guidance makes this distinction as well when discussing activation secrets and authenticators.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;For most teams today, the question is not whether to use passwords, passkeys, or biometrics. In practice, a layered approach is the answer: 2FA should be used when possible, passkeys should be adopted where supported, and secure password management remains critical, as passwords are still widely used across many systems and are unlikely to disappear anytime soon.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does effective password management improve security and compliance?&lt;/h2&gt;



&lt;p&gt;Password security is typically framed in terms of breach prevention, but that is only part of the picture. Effective password management also strengthens governance, improves audit readiness, and makes day-to-day operations more efficient by ensuring access can be reviewed, updated, and revoked as needed.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger day-to-day security&lt;/h3&gt;



&lt;p&gt;Security benefits are immediate. Unique passwords limit lateral movement from reuse, encrypted vaults prevent accidental exposure, and easy, secure sharing eliminates the need to send secrets through unsafe channels. Monitoring helps identify exposed credentials early, while MFA makes it less likely that a stolen password leads to account takeover.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Better operational control&lt;/h3&gt;



&lt;p&gt;Effective credential management provides greater control across onboarding, offboarding, role changes, contractor access, and incident response. When teams know where credentials are stored, who can access them, and how to quickly rotate them, they can respond faster and more precisely when something goes wrong.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Improved support for compliance&lt;/h3&gt;



&lt;p&gt;Most frameworks and customer security reviews go beyond asking whether a company uses strong passwords. They require evidence that:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Credentials are managed securely&lt;/li&gt;



&lt;li&gt;Access is consistently reviewed&lt;/li&gt;



&lt;li&gt;Sharing is secure and controlled&lt;/li&gt;



&lt;li&gt;Access can be revoked&lt;/li&gt;



&lt;li&gt;Risky behaviors can be addressed&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;A business password manager helps establish the repeatable controls that auditors and customers require, strengthening organizational &lt;a href=&quot;https://proton.me/blog/cybersecurity-compliance&quot;&gt;compliance&lt;/a&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How does Proton Pass for Business help reduce password-related breach risk?&lt;/h2&gt;



&lt;p&gt;Password-related breaches usually happen when teams need to manage too many credentials without a secure, centralized system. This leads to the same familiar issues: password reuse, insecure storage, informal sharing, limited traceability, and inconsistent access control.&lt;/p&gt;



&lt;p&gt;Proton Pass for Business reduces this risk by giving teams a secure way to create, store, and manage credentials. Instead of relying on browsers, spreadsheets, notes, or chat threads, teams can generate strong, unique passwords, store them in encrypted vaults, and share access using secure and controllable workflows.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger passwords, used consistently&lt;/h3&gt;



&lt;p&gt;One of the most immediate benefits is reducing password reuse. When unique credentials are easy to generate and retrieve, teams are much less likely to fall back on repeated or slightly modified passwords across accounts.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Better visibility and control over access&lt;/h3&gt;



&lt;p&gt;Proton Pass for Business centralizes credentials in a managed environment, making access easier to review and control. Teams gain visibility into who has access, which credentials are shared, and what needs to be updated or revoked after a role change or suspected compromise.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Safer sharing for collaborative teams&lt;/h3&gt;



&lt;p&gt;Small teams often need to hand over access quickly, especially across operations, vendors, and shared tools. However, when this sharing occurs through insecure channels, risk arises. With secure and controlled sharing workflows, businesses can reduce that exposure while making access changes easier to manage and control.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Stronger support for policy enforcement&lt;/h3&gt;



&lt;p&gt;A password policy is much easier to implement when tools enforce the behavior they require. Proton Pass for Business helps teams put rules around password strength, sharing, 2FA adoption, and credential review into practice, rather than relying on memory or informal habits.&lt;/p&gt;



&lt;p&gt;This is one of the benefits of a business password manager. It can’t eliminate all authentication risks, but it directly addresses many of the causes that lead to password-related breaches.&lt;/p&gt;
</content:encoded><category>For business</category><author>Ben Wolford</author></item><item><title>Phishing awareness training: How to prepare your team to recognize attacks</title><link>https://proton.me/business/blog/phishing-awareness-training</link><guid isPermaLink="true">https://proton.me/business/blog/phishing-awareness-training</guid><description>Learn how to build phishing awareness training that helps employees recognize attacks, report them quickly, and reduce risk in your organization.</description><pubDate>Tue, 12 May 2026 13:26:20 GMT</pubDate><content:encoded>
&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/what-is-phishing&quot;&gt;Phishing&lt;/a&gt; remains one of the most common ways for attackers to gain access to business networks. It mimics legitimate day-to-day business communications, so it’s an ideal technique for collecting valuable business information unnoticed. In the UK government’s &lt;em&gt;Cyber Security Breaches Survey 2025&lt;/em&gt; report, phishing was the most common type of breach or attack reported by businesses that identified incidents, affecting 85% of them and the equivalent of 37% of all businesses overall.&lt;/p&gt;



&lt;p&gt;Awareness training must be a business mandate, not just a compliance task. One successful phishing attempt can expose credentials, grant access to internal systems, and create problems that spread well beyond a single employee inbox.&lt;/p&gt;



&lt;p&gt;The issue is that many organizations still rely on one-off awareness efforts, even though phishing changes constantly. A more effective program can give employees repeated practice, clearer reporting habits, and supporting controls that reduce the impact of mistakes.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What phishing looks like in a business context&amp;nbsp;&lt;/h2&gt;



&lt;p&gt;Business phishing has evolved beyond obviously fake emails full of spelling mistakes. In practice, employees are far more likely to encounter realistic-looking attempts such as:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Account-verification prompts&lt;/li&gt;



&lt;li&gt;Shared document notifications&lt;/li&gt;



&lt;li&gt;Sign-in pages for common business platforms&lt;/li&gt;



&lt;li&gt;Invoice approvals&lt;/li&gt;



&lt;li&gt;HR updates&lt;/li&gt;



&lt;li&gt;Messages from trusted suppliers or internal executives&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;If a team member responds, attackers can then use information they’ve collected about employees or companies to make messages more persuasive and realistic, especially in more targeted campaigns.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Spear phishing, executive impersonation, and credential harvesting&lt;/h3&gt;



&lt;p&gt;Phishing awareness training needs to prepare teams for several patterns at once. &lt;a href=&quot;https://proton.me/business/blog/whaling-spear-phishing&quot;&gt;Spear phishing&lt;/a&gt; is one of the most common variations of phishing. Instead of sending a generic message to thousands of recipients, the attacker tailors the email to a specific role, project, colleague, or supplier relationship.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;The message feels plausible because it is built around something the employee would realistically expect to see. This kind of targeting is often made more convincing by information gathered from company websites, public profiles, or other online sources.&lt;/p&gt;



&lt;p&gt;Another variation of phishing is executive impersonation, sometimes referred to as CEO fraud. Here, the attacker mimics a senior leader or important stakeholder to create urgency around a payment, a file, or a credential request, pressuring staff into transferring money or information unless normal verification processes are followed.&lt;/p&gt;



&lt;p&gt;A third pattern is credential harvesting. In these attacks, the employee is pushed towards a fake login page designed to capture usernames, passwords, and sometimes even &lt;a href=&quot;https://proton.me/blog/one-time-password&quot;&gt;one-time password&lt;/a&gt; (OTP) codes.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Phishing training has to reflect real business workflows rather than giving generic advice. Many phishing pages are built to resemble tools employees already use every day.&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Why routine business messages are so effective&lt;/h3&gt;



&lt;p&gt;Phishing remains effective in organizations because it often blends into everyday operations. A fake login prompt only needs to feel familiar long enough for someone to act on autopilot. The same is true of supplier messages, shared-document notifications, or urgent internal requests.&lt;/p&gt;



&lt;p&gt;That is why training should not focus only on suspicious wording or poor grammar. Employees also need to understand how attackers exploit normal ways of working. Think about how your organization operates and how you can help staff recognize requests that fall outside normal processes, especially when money, credentials, or sensitive information are involved.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Recent breach examples&amp;nbsp;&lt;/h3&gt;



&lt;p&gt;Recent breach reporting reinforces the point that phishing inside businesses now goes far beyond simple inbox scams.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;According to Proton’s &lt;a href=&quot;https://proton.me/business/pass/breach-observatory-details&quot;&gt;Data Breach Observatory&lt;/a&gt;, greeting card company Hallmark Cards was targeted by the criminal extortion hacker group known as ShinyHunters. The group obtained records belonging to Hallmark Cards from Salesforce and gave the business an extortion deadline to meet. Ultimately, the group leaked 2.8 million unique records.&lt;/p&gt;



&lt;p&gt;ShinyHunters is prolific, targeting many high-profile businesses in recent months. In January 2026, apparel brand Canada Goose was linked to a breach of around 600,000 customer records. The data originated from a third-party breach that occurred in August 2025.&lt;/p&gt;



&lt;p&gt;These examples are useful because they show what phishing looks like in business settings now: not just inbox deception, but attacks aimed at contractors, identity systems, internal access, and the trust relationships organizations rely on every day.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Why awareness alone is not enough&lt;/h2&gt;



&lt;p&gt;Phishing awareness is important, but it isn’t enough on its own. Employees don’t make mistakes just because they lack information. They also make them because they’re busy, distracted, under pressure, or moving quickly through workflows where a phishing message can easily pass as legitimate at first glance.&lt;/p&gt;



&lt;p&gt;That is why training shouldn’t be built around the idea that every employee can spot every phishing attempt. Organizations can’t rely on user detection alone. Some attacks will still get through, which means technical controls, clear processes, and user education need to work together.&lt;/p&gt;



&lt;p&gt;A stronger phishing awareness training program is built around that reality. It helps employees recognize common warning signs, pause when something feels off, report quickly, and work within systems that make one mistake easier to contain. It also connects naturally to incident readiness.&lt;/p&gt;



&lt;p&gt;If someone clicks a malicious link or shares credentials, the organization needs a fast and clear response path. Training becomes much more effective when employees know what happens after a report is made and what role they play. Proton’s guide to &lt;a href=&quot;https://proton.me/blog/incident-response&quot;&gt;incident response&lt;/a&gt; can help your organization put a plan together.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What does an effective phishing awareness training program look like?&lt;/h2&gt;



&lt;p&gt;An effective phishing awareness training program is not built around a single annual session and a few outdated examples. It is ongoing, practical, and designed around the way people actually work. This means regular reinforcement, realistic scenarios, and feedback that helps employees build better judgement over time.&lt;/p&gt;



&lt;p&gt;In practice, phishing awareness should appear at more than one moment. It should be part of onboarding, refresher training, short scenario-based reminders, and incident reviews, not something employees see once and forget. It also needs to reflect real exposure.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;Someone dealing with invoices, executive support, supplier communication, privileged access, or sensitive records is likely to face different kinds of phishing pressure from someone in a lower-risk workflow. The NCSC’s phishing guidance reflects that reality by noting that staff with access to sensitive information, financial assets, or IT systems may be targeted more heavily.&lt;/p&gt;



&lt;p&gt;Practice also needs to be used well. Simulated phishing can be useful, but not when it turns into a blame exercise. Poorly handled simulations can damage trust and discourage people from reporting mistakes if they feel they are being caught out rather than supported.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;A stronger program uses simulations carefully, gives immediate feedback, and increases difficulty gradually. It is not trying to prove that employees are easy to fool. It is helping them build pattern recognition, reporting habits, and more confidence in real situations.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;The five phishing red flags employees still miss&lt;/h2&gt;



&lt;p&gt;Many employees know the classic warning signs, but they still miss the subtler cues that occur in real business attacks. Phishing awareness training is much more useful when it teaches people how to recognize the patterns that fit their day-to-day work.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;1. A message that matches the workflow, but changes the channel or urgency&lt;/h3&gt;



&lt;p&gt;The most effective phishing emails don’t look random at all. They resemble invoice requests, shared documents, payroll updates, or sign-in notifications that employees expect to receive.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;What changes is the urgency, secrecy, or process. An attacker wants the target to skip normal checks. NCSC guidance specifically warns that attackers exploit business processes and requests, including requests for information or unauthorized payments.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;2. A believable sender name hiding a bad domain or spoofed source&lt;/h3&gt;



&lt;p&gt;Employees often focus on the display name and not the full address, reply path, or domain. That is one reason anti-spoofing controls matter, but training still needs to teach people to slow down when a familiar brand or colleague appears slightly “off”.&amp;nbsp;&lt;/p&gt;



&lt;p&gt;The NCSC advises organizations to make &lt;a href=&quot;https://proton.me/blog/what-is-email-spoofing&quot;&gt;email spoofing&lt;/a&gt; harder through controls such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM). Together, these email authentication checks help receiving systems verify whether a message really comes from the domain it claims to come from.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;3. A login page that looks normal enough&lt;/h3&gt;



&lt;p&gt;Credential harvesting pages don’t need to look perfect. They only need to feel familiar long enough for an employee to enter a username and password. In practice, the biggest clue may be context rather than design: why is this login request appearing now, and why through this route?&amp;nbsp;&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;4. A request that asks for speed over verification&lt;/h3&gt;



&lt;p&gt;Executive impersonation, invoice fraud, and supplier scams often lean on urgency. The message is crafted to make verification feel inconvenient or disloyal. Strong phishing training should teach that unexpected urgency is not just suspicious language; it is a signal to switch from email response mode into verification mode.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;5. A situation where reporting feels embarrassing&lt;/h3&gt;



&lt;p&gt;One of the most overlooked warning signs is internal rather than technical: an employee notices something odd, but hesitates to report it because they’re unsure, too busy, or worried about looking careless.&lt;/p&gt;



&lt;p&gt;The NCSC warns against reprimanding users who struggle to recognize phishing because fear of reprisals suppresses reporting. Healthy programs therefore teach employees that raising a concern early is useful even if the message turns out to be harmless.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What happens when training fails&lt;/h2&gt;



&lt;p&gt;When phishing training fails, the damage is often measured in credentials before it is measured anywhere else. A user enters a password into a fake portal, approves an unexpected prompt, or shares login details through a convincing internal-looking request. From that point on, the problem is no longer only about one inbox decision. It becomes an access-control problem.&lt;/p&gt;



&lt;p&gt;This is where the connection between phishing and password hygiene becomes so critical. If the same password is reused across multiple services, one compromised credential can become a route into email, SaaS tools, cloud platforms, or admin systems. If shared logins are still being handled through informal or uncontrolled methods, accountability drops even further.&lt;/p&gt;



&lt;p&gt;Proton’s &lt;a href=&quot;https://proton.me/business/pass/breach-observatory-report&quot;&gt;Data Breach Observatory Report&lt;/a&gt; notes that names and emails appear in 9 out of 10 breaches, that 72% of breaches contain contact data, and that 49% include passwords. That means attackers often have exactly the raw material they need to make phishing more convincing and to exploit password reuse when they succeed.&lt;/p&gt;



&lt;p&gt;Recent &lt;a href=&quot;https://proton.me/business/blog/data-breach-prevention-uk&quot;&gt;breach examples&lt;/a&gt; make the same point from another angle. In Proton’s breach reporting, phishing-related incidents in 2026 did not stop at a clicked link; they became network access, internal exposure, and broader business incidents. That is why phishing attack prevention can’t consist of employee recognition alone. It also has to reduce how far stolen credentials can travel once one account is compromised.&lt;/p&gt;



&lt;p&gt;Unique passwords for every service are one of the simplest and highest-value controls here. They do not stop a phishing attempt from happening, but they do help contain the fallout. If one password is stolen, it should not unlock five other systems.&lt;/p&gt;



&lt;p&gt;A secure &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; supports a security culture strategy. Proton Pass for Business is designed to help teams generate and store strong, unique passwords for each service, reducing the chance that one successful phishing event cascades across the organization.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;A practical model for phishing training for employees&lt;/h2&gt;



&lt;p&gt;The best place to start is not with generic training materials, but with the way your organization actually works.&lt;/p&gt;



&lt;p&gt;Focus first on the phishing scenarios employees are most likely to face: sign-in prompts, supplier impersonation, payment approvals, shared-document notifications, executive requests, or identity-provider attacks. Training becomes much more useful when people can recognize their own working reality in it.&lt;/p&gt;



&lt;p&gt;Reporting also needs to be simple and safe. The NCSC’s phishing guidance makes clear that organizations should help users identify and report suspected phishing messages, while the &lt;a href=&quot;https://stopthinkfraud.campaign.gov.uk/reporting-fraud/&quot;&gt;Reporting Fraud Website&lt;/a&gt; provides the UK’s official reporting route for phishing and cyber crime. Employees should know where to report internally, what to include, and what to do immediately if they clicked a link, entered credentials, or approved access.&lt;/p&gt;



&lt;p&gt;Training should be backed by controls that reduce the cost of mistakes. That includes email filtering, anti-spoofing protections, secure sign-in flows, 2FA, and stronger password hygiene. Proton’s business guidance on &lt;a href=&quot;https://proton.me/blog/phishing-attacks&quot;&gt;phishing attack prevention&lt;/a&gt; also points to the value of clear reporting channels, repeated practice, and monitoring for exposed credentials.&lt;/p&gt;



&lt;p&gt;Finally, measure more than clicks. Simulation click rates can be useful, but reporting rates, time to report, repeated failure patterns, and credential-related incidents often give a clearer picture of whether resilience is improving. The NCSC also recommends thinking carefully about phishing metrics so organizations do not end up discouraging safe reporting.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Perfect detection isn’t possible, but a stronger response is&lt;/h3&gt;



&lt;p&gt;Phishing awareness training is most effective when it moves beyond the idea that employees should be able to spot every attack perfectly. A more realistic goal is to build a team that can recognize familiar warning signs, report concerns quickly, and respond in ways that stop one mistake from escalating into a wider incident.&lt;/p&gt;



&lt;p&gt;That takes more than information. It takes repeated practice, examples that reflect real roles and workflows, and clear processes employees can rely on when something feels wrong. It also takes controls that reduce the impact of credential theft when a phishing attempt succeeds. For that reason, phishing training for employees works best as part of a broader security culture, not as a standalone awareness exercise.&lt;/p&gt;



&lt;p&gt;Organizations that reduce phishing risk well tend to combine the same elements: practical training, clear reporting habits, stronger incident readiness, and tighter credential hygiene. Proton’s resources on phishing attacks and incident response all reinforce the same principle: awareness is far more effective when it is backed by systems that make a compromise easier to contain.&lt;/p&gt;
</content:encoded><category>For business</category><author>Ben Wolford</author></item><item><title>Proton’s password manager passes audit by top security firm</title><link>https://proton.me/business/blog/proton-pass-audit-2026</link><guid isPermaLink="true">https://proton.me/business/blog/proton-pass-audit-2026</guid><description>Independent auditors confirmed Proton Pass is exceptionally secure. See why transparency is our strongest security feature.</description><pubDate>Tue, 12 May 2026 12:13:30 GMT</pubDate><content:encoded>
&lt;p&gt;Security without scrutiny is just a claim. It&amp;#8217;s why we built all our apps to be&amp;nbsp;&lt;a href=&quot;https://proton.me/blog/pass-open-source-security-audit&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;open source&lt;/a&gt;, and publish independent audit results for everyone to verify.&lt;/p&gt;



&lt;p&gt;This year,&amp;nbsp;&lt;a href=&quot;https://www.recurity-labs.com/&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Recurity Labs&lt;/a&gt;, an ISO 27001-certified IT security consultancy, tested everything a Proton Pass user interacts with: the Proton Pass&amp;nbsp;&lt;a href=&quot;https://proton.me/pass/download&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;browser extensions&lt;/a&gt;,&amp;nbsp;&lt;a href=&quot;https://proton.me/pass/download&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;mobile and desktop applications&lt;/a&gt;, and Command Line Interface (&lt;a href=&quot;https://proton.me/blog/proton-pass-cli&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;CLI&lt;/a&gt;).&lt;/p&gt;



&lt;p&gt;The security firm, with no financial ties to Proton, has nearly two decades of trusted experience in helping organizations secure complex systems and audited Proton&amp;#8217;s&amp;nbsp;&lt;a href=&quot;https://proton.me/pass&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;password manager&lt;/a&gt;&amp;nbsp;between January and April 2026.&lt;/p&gt;



&lt;p&gt;Recurity Labs found Proton Pass&amp;#8217;s overall security posture to be &amp;#8220;well above par&amp;#8221;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Proton Pass is built on a solid security foundation&lt;/h2&gt;



&lt;p&gt;The audit confirmed Proton Pass security is exceptionally robust:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;No remote exploits&amp;nbsp;found:&lt;/strong&gt;&amp;nbsp;Users cannot be hacked simply by visiting a malicious website or clicking a link.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;No encryption bypasses&amp;nbsp;identified:&lt;/strong&gt;&amp;nbsp;Attackers can&amp;#8217;t use shortcuts, backdoors, or weak keys to bypass the encryption layer.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;Security audits are primarily an opportunity to test and improve our implementations. We&amp;#8217;re grateful to the auditors at Recurity for helping us identify several areas for improvement beyond the core security requirements.&lt;/p&gt;



&lt;p&gt;The report&amp;nbsp;noted several observations&amp;nbsp;— recommendations focused on strengthening practices like how secrets are managed in computer memory while the app is running.&lt;/p&gt;



&lt;p&gt;Proton took these findings seriously and chose to implement fixes&amp;nbsp;even for areas that fell outside our immediate threat model. During the retest, the desktop memory-handling issues were all resolved, demonstrating our commitment to acting on expert feedback and continuously improving our security posture.&lt;/p&gt;



&lt;p&gt;You can read &lt;a href=&quot;https://drive.proton.me/urls/11VHB59C60#CVCj696Qxkxd&quot; type=&quot;link&quot; id=&quot;https://drive.proton.me/urls/11VHB59C60#CVCj696Qxkxd&quot;&gt;Recurity&amp;#8217;s audit of Proton Pass&lt;/a&gt; for yourself. You can also find the &lt;a href=&quot;https://proton.me/community/open-source&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;audit reports for all Proton services&lt;/a&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Transparency as a security feature&lt;/h2&gt;



&lt;p&gt;Proton was founded by CERN scientists who believe in peer review and verification. By keeping our code open and publishing independent audit results, we allow anyone to test our claims. &lt;/p&gt;



&lt;p&gt;This rigorous public scrutiny helps us find and fix vulnerabilities faster, proving that transparency is the strongest foundation for privacy.&lt;/p&gt;



&lt;p&gt;If you&amp;#8217;re a security researcher, we invite you to check Proton’s code through our public&amp;nbsp;&lt;a href=&quot;https://proton.me/blog/protonmail-bug-bounty-program&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Bug Bounty Program&lt;/a&gt;. If you have questions or comments about Proton Pass, its security audit, or our approach to open source, share them with us.&lt;/p&gt;



&lt;p&gt;You can also join the conversation on&amp;nbsp;&lt;a href=&quot;https://x.com/proton_pass&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;X&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href=&quot;https://reddit.com/r/protonpass&quot; target=&quot;_blank&quot; rel=&quot;noreferrer noopener&quot;&gt;Reddit&lt;/a&gt;.&lt;/p&gt;
</content:encoded><category>For business</category><category>Proton news</category><author>Son Nguyen Kim</author></item><item><title>Anonymization explained: If your data is anonymous, why can advertisers still target you?</title><link>https://proton.me/blog/data-anonymization</link><guid isPermaLink="true">https://proton.me/blog/data-anonymization</guid><description>Anonymized data can still be traced back to you. Here&apos;s how companies use it, and how you can protect your privacy.</description><pubDate>Fri, 08 May 2026 15:52:09 GMT</pubDate><content:encoded>
&lt;p&gt;When companies say that your &lt;a href=&quot;https://proton.me/blog/personal-data&quot;&gt;personal data&lt;/a&gt; is anonymized, it sounds like your &lt;a href=&quot;https://proton.me/blog/online-identity&quot;&gt;online identity&lt;/a&gt; is scrubbed away for good. Your information becomes noise in a dataset, so you can let your guard down. Well, not quite.&lt;/p&gt;



&lt;p&gt;Anonymized data is data with the most obvious &lt;a href=&quot;https://proton.me/blog/personal-data&quot;&gt;personal identifiers&lt;/a&gt; removed, like name or home address. But in a world full of interconnected databases, it only takes a handful of seemingly unrelated details to track down someone.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://www.nature.com/articles/s41467-019-10933-3&quot;&gt;Research&lt;/a&gt; has shown that only 15 data points are needed to identify 99.98% of people in a dataset of millions. And with &lt;a href=&quot;https://proton.me/blog/data-brokers-ai&quot;&gt;AI connecting the dots across your online activity&lt;/a&gt;, the gap between “anonymous” and “identified” is shrinking.&lt;/p&gt;



&lt;p&gt;Let’s take a look at what data anonymization actually means and what you can do to better protect your privacy.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#what-is&quot;&gt;What is data anonymization?&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#anonymization-vs-pseudonymization&quot;&gt;Anonymization vs pseudonymization&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#techniques&quot;&gt;Common data anonymization techniques&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#companies&quot;&gt;How companies use anonymized data&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#reidentification&quot;&gt;Data reidentification, or why anonymized data isn&amp;#8217;t truly anonymous&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#ai&quot;&gt;AI is making deanonymization faster and cheaper&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#privacy&quot;&gt;Protect your privacy by minimizing and encrypting data&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#no-guarantee&quot;&gt;Anonymization is not a privacy guarantee&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;what-is&quot;&gt;What is data anonymization?&lt;/h2&gt;



&lt;p&gt;Data anonymization is the irreversible process of removing anything personally identifiable from data points, such as your name, &lt;a href=&quot;https://proton.me/mail&quot;&gt;email address&lt;/a&gt;, contact number, or birthday. The goal is to sever the link between a record and a person as much as possible.&lt;/p&gt;



&lt;p&gt;However, after anonymization, data still includes indirect clues, such as your general location, browsing habits, and age range. Individually, these details are pretty harmless, but when taken altogether, they form a pattern that points to you.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;2400&quot; height=&quot;1484&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_2400,h_1484,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA&quot; alt=&quot;A diagram explaining how anonymization works&quot; class=&quot;wp-post-131319 wp-image-131367&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;637 KB&quot; data-optsize=&quot;88 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;86.1&quot; data-version=&quot;1778247210&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 2400w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_186,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_633,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_475,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_950,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_1266,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 2048w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_970,c_scale/f_auto,q_auto/v1778247210/wp-pme/proton-how-anonymization-works/proton-how-anonymization-works.jpg?_i=AA 1568w&quot; sizes=&quot;auto, (max-width: 2400px) 
100vw, 2400px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;Some types of data, such as &lt;a href=&quot;https://proton.me/blog/what-is-biometric-data&quot;&gt;biometric&lt;/a&gt; data, are especially difficult (or even impossible) to truly anonymize. You can create a &lt;a href=&quot;https://proton.me/blog/safe-username&quot;&gt;safe username&lt;/a&gt;, but you cannot change a person’s face, fingerprint, or iris pattern.&lt;/p&gt;



&lt;p&gt;When data is truly anonymized, it is no longer considered personal under privacy laws such as the &lt;a href=&quot;https://proton.me/business/gdpr&quot;&gt;GDPR&lt;/a&gt;. That means companies may use it without the consent and protection requirements that apply to personal data.&lt;/p&gt;



&lt;p&gt;But &lt;a href=&quot;https://gdpr.eu/recital-26-not-applicable-to-anonymous-data/&quot;&gt;GDPR’s Recital 26&lt;/a&gt; sets a high bar: data must no longer identify a person, even when considering other information and methods that could reasonably be used to reidentify them. So, removing names or email addresses is not enough if the remaining data still points back to someone.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;anonymization-vs-pseudonymization&quot;&gt;Anonymization vs pseudonymization&lt;/h2&gt;



&lt;p&gt;While anonymization permanently removes identifiable information to ensure it cannot be traced back to an individual, pseudonymization replaces that data with a label, token, or code. The original identity is stored separately in a secure key or lookup table, but with the right access, that label can be linked back to a real person.&lt;/p&gt;



&lt;p&gt;An example of pseudonymization is medical research, where patient names are replaced with codes. Researchers can still track the data, but only authorized personnel with the key can reconnect it to the individual.&lt;/p&gt;



&lt;p&gt;This difference is simple but important. Pseudonymization &lt;em&gt;is&lt;/em&gt; considered personal data under regulations like the GDPR because it can still be linked back to someone. Anonymized data, by contrast, falls outside those obligations only when reidentification is no longer reasonably possible.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;techniques&quot;&gt;Common data anonymization techniques&lt;/h2&gt;



&lt;p&gt;Companies use different anonymization methods depending on how they plan to use the data. Here are some common ones:&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Data masking &lt;/strong&gt;replaces information with fake data, such as swapping a &lt;a href=&quot;https://proton.me/blog/what-can-someone-do-with-your-phone-number&quot;&gt;phone number&lt;/a&gt; for a fictional one.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Generalization &lt;/strong&gt;makes data less specific, like using age ranges rather than an exact age.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Data swapping &lt;/strong&gt;shuffles information across records so they no longer match the original person.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Data perturbation &lt;/strong&gt;obscures individual details while preserving data trends, such as changing data by rounding numbers.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Synthetic data &lt;/strong&gt;relies on artificial data that imitates the patterns of the original dataset without directly using real records.&lt;/p&gt;



&lt;p&gt;These techniques can reduce privacy risks, but their effectiveness depends entirely on how well they’re applied. Even then, they may not remove every clue that could identify someone.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;companies&quot;&gt;How companies use anonymized data&lt;/h2&gt;



&lt;p&gt;Anonymized data is valuable because companies can legally use it however they want, without your consent. Common uses include:&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Analytics and development: &lt;/strong&gt;Companies study user behavior to improve products, measure trends, and guide business decisions.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Advertising: &lt;/strong&gt;Browsing and purchase patterns can be used to build audience segments for targeted ads, even without your name attached.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Data brokers: &lt;/strong&gt;Some data is aggregated, packaged, and resold by &lt;a href=&quot;https://proton.me/blog/data-brokers&quot;&gt;data brokers&lt;/a&gt;. These companies combine information from apps, websites, public records, credit data, and more to build detailed profiles that are sold to whoever wants them, with little legal oversight.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Training AI models: &lt;/strong&gt;Large datasets are often used to train AI systems, including data drawn from user activity, purchased datasets, and public or scraped sources.&lt;/p&gt;



&lt;p&gt;&lt;strong&gt;Medical research: &lt;/strong&gt;In some &lt;a href=&quot;https://time.com/4588104/medical-data-industry/&quot;&gt;countries&lt;/a&gt;, anonymized medical data can be sold to pharmaceutical companies or shared with researchers.&lt;/p&gt;



&lt;p&gt;Anonymized data can be used for good, such as improving services or supporting research. The problem is that it creates a strong commercial incentive for data brokers and advertisers to collect, combine, share, repackage, and sell information about people, often in ways they do not fully understand or meaningfully consent to. For people who later decide they want out, removing their data is not simple.&lt;/p&gt;



&lt;p&gt;California’s privacy regulator created the &lt;a href=&quot;https://privacy.ca.gov/drop/about-drop-and-the-delete-act/&quot;&gt;DROP&lt;/a&gt; system because &lt;a href=&quot;https://proton.me/blog/data-brokers-dont-delete-data&quot;&gt;deleting data from hundreds of data brokers&lt;/a&gt; has historically been difficult for individuals to manage. This is much more difficult with AI training data, because once data has influenced a trained model, removing it may require &lt;a href=&quot;https://arxiv.org/abs/2503.01854&quot;&gt;machine unlearning&lt;/a&gt; techniques that AI companies &lt;a href=&quot;https://www.wired.com/story/meta-artificial-intelligence-data-deletion/&quot;&gt;do not have an appetite for&lt;/a&gt;.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;reidentification&quot;&gt;Data reidentification, or why anonymized data isn&amp;#8217;t truly anonymous&lt;/h2&gt;



&lt;p&gt;If someone tells you that they’re looking for a man in his 30s who drives a white car and lives in your neighborhood, you might already have a good idea of who they mean. None of those details can separately identify the person, but together, they help narrow the possibilities by excluding everyone else. Anonymized data works the same way: Even if names and contact details are removed, the remaining information can still become revealing when enough details are combined.&lt;/p&gt;



&lt;p&gt;When these patterns are cross-referenced with other sources, such as social media or public records, it becomes possible to connect supposedly anonymous data to a person. This is known as reidentification, and it&amp;#8217;s often easier than you expect.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;2400&quot; height=&quot;1332&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_2400,h_1332,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA&quot; alt=&quot;A diagram explaining how reidentification works&quot; class=&quot;wp-post-131319 wp-image-131388&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;630 KB&quot; data-optsize=&quot;78 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;87.7&quot; data-version=&quot;1778247229&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 2400w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_167,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_568,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_426,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_852,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_1137,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 2048w, 
https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_870,c_scale/f_auto,q_auto/v1778247229/wp-pme/proton-how-reidentification-works_131388f57d3/proton-how-reidentification-works_131388f57d3.jpg?_i=AA 1568w&quot; sizes=&quot;auto, (max-width: 2400px) 100vw, 2400px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;Researcher Latanya Sweeney purchased a &lt;a href=&quot;https://techscience.org/a/2015092903/&quot;&gt;hospital dataset&lt;/a&gt; for $50 that contained indirect identifiers, such as demographics, diagnoses, and billing details. Revealing details such as names were not included. By cross-referencing this data with local news stories on hospitalizations, she was able to match 43% of patients to their records, including the full medical history of a patient involved in a reported motorcycle crash.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;ai&quot;&gt;AI is making deanonymization faster and cheaper&lt;/h2&gt;



&lt;p&gt;If the only protection against reidentifying anonymous data is the time, patience, and manual cross-referencing it takes, that incidental protection is eroding with AI.&lt;/p&gt;



&lt;p&gt;Research shows that &lt;a href=&quot;https://proton.me/blog/llm&quot;&gt;large language models (LLMs)&lt;/a&gt; can analyze someone’s posts across platforms, cross-reference public information, and identify anonymous users with incredible precision. In one &lt;a href=&quot;https://arxiv.org/abs/2602.16800&quot;&gt;study on at-scale deanonymization&lt;/a&gt;, LLM-based methods identified up to 68% of people, and when they made a match, they were correct 90% of the time.&lt;/p&gt;



&lt;p&gt;Sweeney had to pay only $50 for a dataset of hundreds of thousands of records. Today, LLMs can deanonymize profiles for $1-4 each and do the work automatically. They also don&amp;#8217;t need clean, structured datasets and can spot patterns in ordinary posts and comments.&lt;/p&gt;



&lt;p&gt;As one of the researchers puts it:&lt;/p&gt;



&lt;blockquote class=&quot;wp-block-quote is-layout-flow wp-block-quote-is-layout-flow&quot;&gt;
&lt;p&gt;“Ask yourself: Could a team of smart investigators figure out who you are from your posts? If yes, LLM agents can likely do the same, and the cost of doing so is only going down.”&lt;/p&gt;
&lt;/blockquote&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;privacy&quot;&gt;Protect your privacy by minimizing and encrypting data&lt;/h2&gt;



&lt;p&gt;Anonymizing data is not enough, as reidentification can happen when dots are connected. The best way to protect yourself is to minimize your &lt;a href=&quot;https://proton.me/blog/what-is-digital-footprint&quot;&gt;digital footprint&lt;/a&gt;, making yourself harder to reidentify.&lt;/p&gt;



&lt;p&gt;You don’t have to go off the grid, but you should be more deliberate about what and how you share. Here are some practical tips:&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Compartmentalize your identity to protect against cross-referencing&lt;/h3&gt;



&lt;p&gt;When you use the same email and username on all platforms, your details are easy to put together. It’s simple to &lt;a href=&quot;https://proton.me/pass/username-generator&quot;&gt;generate different usernames&lt;/a&gt; for different accounts, but using unique email addresses for everything can be a nightmare unless you use &lt;a href=&quot;https://proton.me/pass/aliases&quot;&gt;email aliases&lt;/a&gt;.&lt;/p&gt;



&lt;p&gt;Aliases create separate addresses that forward messages to your main inbox without exposing your real email address and identity. If you use a unique email alias for every service, you can see where a leak or sale came from.&lt;/p&gt;



&lt;p&gt;For example, if you create one alias only for Company A and later receive emails to that alias from Company B, you know Company A either shared, sold, leaked, or lost control of your address. You can then disable that alias without affecting your main inbox or your other aliases.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Be inconsistent to protect against identifiable patterns&lt;/h3&gt;



&lt;p&gt;The more consistent your details are across platforms, the easier it is to build a unique profile around you. Where possible, avoid giving more information than necessary.&lt;/p&gt;



&lt;p&gt;For instance, use a general location instead of your exact city, round your age, and skip optional fields. Also, consider varying small details of your writing style, such as repeated phrases, punctuation, or common typos, to limit automated identification.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Limit your digital footprint to protect against AI analysis&lt;/h3&gt;



&lt;p&gt;LLMs can identify people by finding patterns in posts and writing. The less public content tied to your identity, the less material there is to work with. Consider how much personal detail you reveal when posting — not just facts, but habits, opinions, and recurring topics that make you stand out. Be sure to &lt;a href=&quot;https://proton.me/blog/turn-off-meta-ai-facebook&quot;&gt;opt out of AI training&lt;/a&gt; on as many platforms as possible.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Use end-to-end encrypted services to protect against data collection&lt;/h3&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/learn/encryption&quot;&gt;Encryption&lt;/a&gt; doesn’t just protect data from hackers; it also limits what can be read in the first place. An email provider that can’t read your messages can’t scan them for advertising, use them for AI training, or share insights with brokers.&lt;/p&gt;



&lt;p&gt;Use end-to-end encrypted &lt;a href=&quot;https://proton.me/mail&quot;&gt;email&lt;/a&gt; for private communications, secure &lt;a href=&quot;https://proton.me/drive&quot;&gt;cloud storage&lt;/a&gt; to safely store and share files, and a no-logs &lt;a href=&quot;https://protonvpn.com/&quot;&gt;VPN&lt;/a&gt; to encrypt your browsing activity — all of which reduce the amount of data you expose unwillingly.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot;&gt;Opt out of data collection to protect against brokers&lt;/h3&gt;



&lt;p&gt;It is possible to &lt;a href=&quot;https://proton.me/blog/how-to-remove-personal-information-from-the-internet-and-protect-your-privacy&quot;&gt;remove personal information from the internet&lt;/a&gt;, even from data brokers, but it takes persistence. It won’t stop future data collection, but it can give you a fresh start. Going forward, minimizing your digital footprint and encrypting your data where possible will help limit what gets collected.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full&quot;&gt;&lt;img width=&quot;2400&quot; height=&quot;1602&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_2400,h_1602,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA&quot; alt=&quot;A diagram explaining how to make yourself more anonymous&quot; class=&quot;wp-post-131319 wp-image-131346&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;883 KB&quot; data-optsize=&quot;134 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;84.9&quot; data-version=&quot;1778247199&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 2400w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_200,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_684,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_513,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_1025,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_2048,h_1367,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 2048w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_1047,c_scale/f_auto,q_auto/v1778247199/wp-pme/proton-how-to-be-more-anonymous/proton-how-to-be-more-anonymous.jpg?_i=AA 1568w&quot; 
sizes=&quot;auto, (max-width: 2400px) 100vw, 2400px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;no-guarantee&quot;&gt;Anonymization is not a privacy guarantee&lt;/h2&gt;



&lt;p&gt;The main takeaway is that “anonymized” does not always mean safe, permanent, or impossible to trace. The less personal information you share, the less consistent you are across platforms, and the more control you keep over your accounts and aliases, the fewer signals there are to link back to you.&lt;/p&gt;



&lt;p&gt;Your data may be anonymized on paper, but your strongest protection starts before that point: with what and where you choose to share, and how easily it can be connected to the rest of your digital life. That also means being intentional about the services you use every day, and the companies that own them.&lt;/p&gt;



&lt;p&gt;Proton apps are &lt;a href=&quot;https://proton.me/community/open-source&quot;&gt;open source&lt;/a&gt;, ad-free, and designed to avoid tracking and AI training on any of your data. With &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/what-is-end-to-end&quot;&gt;end-to-end encryption&lt;/a&gt;, &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/zero-access&quot;&gt;zero-access encryption&lt;/a&gt;, and a business model exclusively funded by our community of paying subscribers, we do not need to exploit your data, we cannot read most of it — and we don’t want to.&lt;/p&gt;
</content:encoded><category>Privacy guides</category><author>Elena Constantinescu</author></item><item><title>Microsoft Edge keeps all saved passwords unencrypted</title><link>https://proton.me/business/blog/microsoft-edge-passwords-exposed</link><guid isPermaLink="true">https://proton.me/business/blog/microsoft-edge-passwords-exposed</guid><description>Microsoft Edge keeps all saved passwords in plaintext memory instead of encrypting them. Here’s what you risk and what you should do instead.</description><pubDate>Wed, 06 May 2026 11:30:58 GMT</pubDate><content:encoded>
&lt;p&gt;If you save passwords in &lt;a href=&quot;https://proton.me/blog/microsoft-edge-password-manager-safe&quot;&gt;Microsoft Edge&lt;/a&gt;, there’s a security risk you should know about. According to a new disclosure, whenever you open Edge, the browser immediately loads all saved &lt;a href=&quot;https://proton.me/pass&quot;&gt;passwords&lt;/a&gt; into memory in readable form — not just the password for the website you’re logging into. That means credentials for every account saved in Edge could be exposed if malware, a compromised admin account, or another attacker gains access to your device or user session.&lt;/p&gt;



&lt;p&gt;The finding was disclosed by security researcher &lt;a href=&quot;https://x.com/L1v1ng0ffTh3L4N&quot;&gt;Tom Jøran Sønstebyseter Rønning&lt;/a&gt;, who says Microsoft’s response was that the behavior is “by design.”&lt;/p&gt;



&lt;p&gt;Microsoft’s own documentation says Edge encrypts saved passwords on disk using &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/aes-encryption&quot;&gt;AES (Advanced Encryption Standard)&lt;/a&gt; and acknowledges that passwords can be exposed if the user session or device is compromised. The new disclosure does not dispute that but raises a different concern: Edge loads &lt;em&gt;all&lt;/em&gt; saved passwords into readable memory as soon as the browser launches, making memory scraping far more valuable if an attacker gains sufficient access.&lt;/p&gt;



&lt;p&gt;This comes a year after &lt;a href=&quot;https://proton.me/blog/microsoft-pushes-users-to-edge&quot;&gt;Microsoft narrowed password management around Edge&lt;/a&gt; by phasing out password storage and autofill in Microsoft Authenticator, pushing users who wanted to keep using Microsoft’s password features toward its own browser.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;How Microsoft Edge handles saved passwords&lt;/h2&gt;



&lt;p&gt;Passwords are supposed to be protected by &lt;a href=&quot;https://proton.me/learn/encryption&quot;&gt;encryption&lt;/a&gt; when stored: Encryption turns a readable password (plaintext) into unreadable data (&lt;a href=&quot;https://proton.me/learn/encryption/glossary/what-is-ciphertext&quot;&gt;ciphertext&lt;/a&gt;). To &lt;a href=&quot;https://proton.me/blog/safe-to-autofill-passwords&quot;&gt;use that password for autofill&lt;/a&gt;, a browser eventually has to decrypt it back into readable form. The important question is: How much password data becomes readable at once?&lt;/p&gt;



&lt;p&gt;Security researcher Tom Jøran Sønstebyseter Rønning says Microsoft Edge loads all saved passwords into the browser’s memory in plaintext as soon as it launches, instead of only decrypting a specific password when it’s needed. This includes all passwords saved in the &lt;a href=&quot;https://proton.me/pass/download/edge&quot;&gt;Edge password manager&lt;/a&gt;, even those for websites you don’t visit or autofill during the current browsing session.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;524&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_524,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA&quot; alt=&quot;A terminal showing how Microsoft Edge keeps saved passwords exposed in plaintext&quot; class=&quot;wp-post-130570 wp-image-130571&quot; data-crop=&quot;1.95&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;773 KB&quot; data-optsize=&quot;70 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;91&quot; data-version=&quot;1778059320&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_524,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_153,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_393,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1536,h_785,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 1536w, https://res.cloudinary.com/dbulfrlrz/images/w_1568,h_802,c_scale/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 1568w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778059320/wp-pme/microsoft-edge-plaintext-passwords/microsoft-edge-plaintext-passwords.png?_i=AA 2042w&quot; sizes=&quot;auto, (max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;figcaption 
class=&quot;wp-element-caption&quot;&gt;Source: @L1v1ng0ffTh3L4N on X&lt;/figcaption&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;That makes Edge’s re-authentication prompt feel misleading: The interface asks you to prove your identity before revealing a password, although the browser process already has every saved password available in readable form.&lt;/p&gt;



&lt;p&gt;The researcher tested this behavior across multiple Chromium-based browsers, including &lt;a href=&quot;https://proton.me/pass/download/chrome&quot;&gt;Google Chrome&lt;/a&gt;, &lt;a href=&quot;https://proton.me/pass/download/brave&quot;&gt;Brave&lt;/a&gt;, Vivaldi, Opera, and &lt;a href=&quot;https://proton.me/blog/microsoft-edge-password-manager-safe&quot;&gt;Microsoft Edge&lt;/a&gt;. Only Edge exhibited this behavior.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;It&amp;#8217;s enough to just leave Microsoft Edge open&lt;/h2&gt;



&lt;p&gt;Security researcher Rob VandenBrink, writing for &lt;a href=&quot;https://isc.sans.edu/diary/Cleartext%20Passwords%20in%20MS%20Edge%3F%20In%202026%3F/32954&quot;&gt;SANS Internet Storm Center&lt;/a&gt;, reproduced the issue by leaving Microsoft Edge open and analyzing a memory dump of the running browser session. He demonstrated how a logged-in Windows user can dump their stored Edge credentials without additional rights, which also means malware running as that user could potentially access those credentials too.&lt;/p&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-large&quot;&gt;&lt;img width=&quot;1024&quot; height=&quot;426&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_426,c_scale/f_auto,q_auto/v1778059381/wp-pme/microsoft-edge-create-memory-dump-file/microsoft-edge-create-memory-dump-file.png?_i=AA&quot; alt=&quot;Two side-by-side panels showing how to easily create a memory dump file for Microsoft Edge using the Windows Task Manager and how to easily view all saved passwords in the captured DMP file&quot; class=&quot;wp-post-130570 wp-image-130592&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;167 KB&quot; data-optsize=&quot;44 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;73.5&quot; data-version=&quot;1778059381&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1024,h_426,c_scale/f_auto,q_auto/v1778059381/wp-pme/microsoft-edge-create-memory-dump-file/microsoft-edge-create-memory-dump-file.png?_i=AA 1024w, https://res.cloudinary.com/dbulfrlrz/images/w_300,h_125,c_scale/f_auto,q_auto/v1778059381/wp-pme/microsoft-edge-create-memory-dump-file/microsoft-edge-create-memory-dump-file.png?_i=AA 300w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_319,c_scale/f_auto,q_auto/v1778059381/wp-pme/microsoft-edge-create-memory-dump-file/microsoft-edge-create-memory-dump-file.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1778059381/wp-pme/microsoft-edge-create-memory-dump-file/microsoft-edge-create-memory-dump-file.png?_i=AA 1534w&quot; sizes=&quot;auto, (max-width: 1024px) 100vw, 1024px&quot; /&gt;&lt;figcaption class=&quot;wp-element-caption&quot;&gt;Source: Rob VandenBrink on SANS Internet Storm Center&lt;/figcaption&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;h2 class=&quot;wp-block-heading&quot;&gt;One compromised session can expose all your passwords&lt;/h2&gt;



&lt;p&gt;If an attacker gains sufficient access to the device or user session, they may be able to inspect the browser’s memory. If only one password is decrypted when needed, the attacker has a smaller window and less data to capture. But if every saved password is already sitting in memory unprotected by encryption, memory scraping becomes far more valuable.&lt;/p&gt;



&lt;p&gt;The risk is especially serious in shared environments, such as terminal servers, remote desktops, virtual desktop infrastructure, or systems where multiple users are logged in at the same time. A compromised admin account could extract saved credentials from other logged-in users, including disconnected sessions where Edge was still running.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;What to do if you saved passwords in Microsoft Edge&lt;/h2&gt;



&lt;p&gt;This doesn&amp;#8217;t mean every Microsoft Edge user has been hacked, but individuals and organizations should reconsider whether Edge is the right place to store credentials. Here&amp;#8217;s what you can do to stay safe:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Stop saving new passwords in Microsoft&amp;#8217;s browser and &lt;a href=&quot;https://proton.me/blog/disable-edge-password-manager&quot;&gt;turn off the Edge&lt;/a&gt; password manager.&lt;/li&gt;



&lt;li&gt;Move your saved credentials to a secure password manager. You can easily &lt;a href=&quot;https://proton.me/support/pass-import-edge&quot;&gt;import Edge passwords into Proton Pass&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;Delete passwords saved in Edge after migration.&lt;/li&gt;



&lt;li&gt;Change high-risk passwords and make them unique, starting with &lt;a href=&quot;https://proton.me/mail&quot;&gt;email&lt;/a&gt;, financial accounts, admin tools, password reset inboxes, and work accounts. Our password manager has an integrated tool for this purpose, but you can also use our &lt;a href=&quot;https://proton.me/pass/password-generator&quot;&gt;password generator&lt;/a&gt;.&lt;/li&gt;



&lt;li&gt;Enable &lt;a href=&quot;https://proton.me/blog/what-is-two-factor-authentication-2fa&quot;&gt;two-factor authentication (2FA)&lt;/a&gt; or &lt;a href=&quot;https://proton.me/blog/what-is-a-passkey&quot;&gt;passkeys&lt;/a&gt; where possible, which helps to reduce the damage if a password is exposed. Proton Pass supports &lt;a href=&quot;https://proton.me/pass/passkeys&quot;&gt;passkeys&lt;/a&gt; and &lt;a href=&quot;https://proton.me/support/pass-2fa&quot;&gt;2FA&lt;/a&gt; for all your saved accounts. You can also use our &lt;a href=&quot;https://proton.me/authenticator&quot;&gt;authenticator app&lt;/a&gt; to securely manage access to your Proton Account.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;For IT teams:&lt;/strong&gt; Review Edge password policies and disable browser password storage to reduce organizational risk. A centrally controlled &lt;a href=&quot;https://proton.me/business/pass&quot;&gt;business password manager&lt;/a&gt; is superior to employees storing passwords on individual browsers.&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot;&gt;Your passwords deserve better than Microsoft Edge&lt;/h2&gt;



&lt;p&gt;The Microsoft Edge disclosure is a reminder that your most sensitive credentials shouldn&amp;#8217;t be stored in a password manager owned by a company that treats this kind of exposure as expected behavior, even though it raises obvious security concerns for individuals and organizations.&lt;/p&gt;



&lt;p&gt;With Proton Pass, your passwords, aliases, passkeys, and 2FA codes are protected by &lt;a href=&quot;https://proton.me/learn/encryption/types-of-encryption/what-is-end-to-end&quot;&gt;end-to-end encryption&lt;/a&gt;, and you stay in control of where and how you use them.&lt;/p&gt;



&lt;div class=&quot;text-center&quot;&gt;&lt;a class=&quot;btn inline-block rounded-full font-bold btn-small bg-purple-500 text-white hover:text-white focus:text-white&quot; href=&quot;https://proton.me/pass/pricing&quot;&gt;Create a free Proton Pass account&lt;/a&gt;&lt;/div&gt;
</content:encoded><category>For business</category><category>Privacy news</category><author>Elena Constantinescu</author></item><item><title>How to clear your cache on iPhone and free up storage space</title><link>https://proton.me/blog/how-to-clear-cache-iphone</link><guid isPermaLink="true">https://proton.me/blog/how-to-clear-cache-iphone</guid><description>Cache accumulates and takes up precious storage space. Here’s how to clear cache on iPhone across browsers, apps, and system data.</description><pubDate>Tue, 05 May 2026 17:16:12 GMT</pubDate><content:encoded>
&lt;p&gt;If your &lt;a href=&quot;https://proton.me/blog/iphone-storage&quot;&gt;iPhone&lt;/a&gt; feels sluggish or you’re dismissing “&lt;a href=&quot;https://proton.me/blog/iphone-storage-full&quot;&gt;Storage Almost Full&lt;/a&gt;” warnings despite deleting apps, your cache might be part of the problem. Browsers and apps save temporary data to help things load faster, but over time, it accumulates and works against you, causing issues like iPhone slowdowns and app crashes.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/blog/android-vs-ios-security&quot;&gt;iOS&lt;/a&gt; doesn’t make it obvious, but we’ll show you where to look and how to clear cache for the biggest offenders, such as your browser and apps like &lt;a href=&quot;https://proton.me/blog/instagram-anonymous-story-viewer&quot;&gt;Instagram&lt;/a&gt;, &lt;a href=&quot;https://protonvpn.com/blog/is-tiktok-safe&quot;&gt;TikTok&lt;/a&gt;, and &lt;a href=&quot;https://protonvpn.com/blog/youtube-alternatives&quot;&gt;YouTube&lt;/a&gt;.&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#safari&quot;&gt;Safari cache&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#chrome&quot;&gt;Chrome cache&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#app&quot;&gt;App cache&lt;/a&gt;
&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;a href=&quot;#whatsapp&quot;&gt;WhatsApp&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#tiktok&quot;&gt;TikTok&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#instagram&quot;&gt;Instagram&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#offload-delete&quot;&gt;Offload or delete apps&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#system&quot;&gt;System cache&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#more-space&quot;&gt;Get more space&lt;/a&gt;&lt;/li&gt;



&lt;li&gt;&lt;a href=&quot;#faq&quot;&gt;Frequently asked questions&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;safari&quot;&gt;How to clear Safari cache on iPhone&lt;/h2&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Go to &lt;strong&gt;Settings → Apps&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Find and tap on &lt;strong&gt;Safari&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Clear History and Website Data&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Choose &lt;strong&gt;All History &lt;/strong&gt;for a full clear.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Clear History &lt;/strong&gt;to confirm.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1248&quot; height=&quot;1748&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1248,h_1748,c_scale/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA&quot; alt=&quot;iPhone settings showing how to clear Safari history&quot; class=&quot;wp-post-130085 wp-image-130216&quot; style=&quot;width:400px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;140 KB&quot; data-optsize=&quot;22 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;84.7&quot; data-version=&quot;1777991308&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA 1248w, https://res.cloudinary.com/dbulfrlrz/images/w_214,h_300,c_scale/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA 214w, https://res.cloudinary.com/dbulfrlrz/images/w_731,h_1024,c_scale/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA 731w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1076,c_scale/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1097,h_1536,c_scale/f_auto,q_auto/v1777991308/wp-pme/clear-safari-cache-iphone/clear-safari-cache-iphone.png?_i=AA 1097w&quot; sizes=&quot;auto, (max-width: 1248px) 100vw, 1248px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;This will clear your browsing history, cookies, and cached files. Your &lt;a href=&quot;https://proton.me/blog/saved-passwords&quot;&gt;saved passwords&lt;/a&gt; and bookmarks will remain. Note that you will be signed out of websites.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;chrome&quot;&gt;How to clear Chrome cache on iPhone&lt;/h2&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open the &lt;strong&gt;Chrome &lt;/strong&gt;app.&lt;/li&gt;



&lt;li&gt;Tap the &lt;strong&gt;three-dot menu ⋮ &lt;/strong&gt;in the bottom right corner.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Delete browsing data&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1237&quot; height=&quot;2514&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1237,h_2514,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA&quot; alt=&quot;iPhone settings showing how to clear Chrome cache&quot; class=&quot;wp-post-130085 wp-image-130237&quot; style=&quot;width:400px&quot; data-format=&quot;png&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;320 KB&quot; data-optsize=&quot;47 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;85.3&quot; data-version=&quot;1777991388&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 1237w, https://res.cloudinary.com/dbulfrlrz/images/w_148,h_300,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 148w, https://res.cloudinary.com/dbulfrlrz/images/w_504,h_1024,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 504w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1561,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_756,h_1536,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 756w, https://res.cloudinary.com/dbulfrlrz/images/w_1008,h_2048,c_scale/f_auto,q_auto/v1777991388/wp-pme/delete-cache-chrome-iphone-step-3/delete-cache-chrome-iphone-step-3.png?_i=AA 1008w&quot; sizes=&quot;auto, (max-width: 1237px) 100vw, 1237px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;ol start=&quot;4&quot; class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Set the &lt;strong&gt;Time range&lt;/strong&gt; to &lt;strong&gt;All Time &lt;/strong&gt;for a full clear.&lt;/li&gt;



&lt;li&gt;Select &lt;strong&gt;Browsing data &lt;/strong&gt;and&lt;strong&gt; &lt;/strong&gt;then &lt;strong&gt;Cached images and files&lt;/strong&gt;. You can also include &lt;strong&gt;Cookies, site data &lt;/strong&gt;to clear more data.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Delete data&lt;/strong&gt;.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1260&quot; height=&quot;1345&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1260,h_1345,c_scale/f_auto,q_auto/v1777991449/wp-pme/delete-chrome-cache-on-iphone-step-6/delete-chrome-cache-on-iphone-step-6.jpg?_i=AA&quot; alt=&quot;iPhone settings showing how to delete Chrome cache&quot; class=&quot;wp-post-130085 wp-image-130258&quot; style=&quot;width:400px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;93 KB&quot; data-optsize=&quot;31 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;66.8&quot; data-version=&quot;1777991449&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1777991449/wp-pme/delete-chrome-cache-on-iphone-step-6/delete-chrome-cache-on-iphone-step-6.jpg?_i=AA 1260w, https://res.cloudinary.com/dbulfrlrz/images/w_281,h_300,c_scale/f_auto,q_auto/v1777991449/wp-pme/delete-chrome-cache-on-iphone-step-6/delete-chrome-cache-on-iphone-step-6.jpg?_i=AA 281w, https://res.cloudinary.com/dbulfrlrz/images/w_959,h_1024,c_scale/f_auto,q_auto/v1777991449/wp-pme/delete-chrome-cache-on-iphone-step-6/delete-chrome-cache-on-iphone-step-6.jpg?_i=AA 959w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_820,c_scale/f_auto,q_auto/v1777991449/wp-pme/delete-chrome-cache-on-iphone-step-6/delete-chrome-cache-on-iphone-step-6.jpg?_i=AA 768w&quot; sizes=&quot;auto, (max-width: 1260px) 100vw, 1260px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;Clearing cookies will sign you out of websites.&lt;/p&gt;



&lt;p&gt;If you’re using a different browser, like Firefox or Brave, look for options labeled &amp;#8220;Privacy,&amp;#8221; &amp;#8220;Data,&amp;#8221; or &amp;#8220;Clear Browsing Data&amp;#8221; in the app&amp;#8217;s settings.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;app&quot;&gt;How to clear app cache on iPhone&lt;/h2&gt;



&lt;p&gt;Apps also store their own cached data on your iPhone. Unlike Safari, there’s no single place in iOS to clear app cache. Some apps let you do it from within their settings, while others require you to delete and reinstall entirely.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;whatsapp&quot;&gt;How to clear WhatsApp cache on iPhone&lt;/h3&gt;



&lt;p&gt;WhatsApp doesn’t have a single button to clear all cache, so you have to free up space from each chat separately:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;WhatsApp&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Go to &lt;strong&gt;Settings &lt;/strong&gt;→ &lt;strong&gt;Storage and Data&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap on &lt;strong&gt;Manage storage&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Select a chat to view cached files and delete them.&lt;/li&gt;
&lt;/ol&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;tiktok&quot;&gt;How to clear TikTok cache on iPhone&lt;/h3&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open &lt;strong&gt;TikTok&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Go to your profile and tap on the &lt;strong&gt;three-line menu icon &lt;/strong&gt;on the top right.&lt;/li&gt;



&lt;li&gt;Tap on &lt;strong&gt;Settings and privacy, &lt;/strong&gt;and select &lt;strong&gt;Free up space&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Tap &lt;strong&gt;Clear &lt;/strong&gt;on the cache row.&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1170&quot; height=&quot;1643&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1170,h_1643,c_scale/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA&quot; alt=&quot;iPhone settings show how to clear TikTok cache&quot; class=&quot;wp-post-130085 wp-image-130301&quot; style=&quot;width:400px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;225 KB&quot; data-optsize=&quot;73 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;67.7&quot; data-version=&quot;1777993406&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA 1170w, https://res.cloudinary.com/dbulfrlrz/images/w_214,h_300,c_scale/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA 214w, https://res.cloudinary.com/dbulfrlrz/images/w_729,h_1024,c_scale/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA 729w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1078,c_scale/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1094,h_1536,c_scale/f_auto,q_auto/v1777993406/wp-pme/iphone-tiktok-clear-cache/iphone-tiktok-clear-cache.jpg?_i=AA 1094w&quot; sizes=&quot;auto, (max-width: 1170px) 100vw, 1170px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;instagram&quot;&gt;How to clear Instagram cache on iPhone&lt;/h3&gt;



&lt;p&gt;Some apps like Instagram don’t have a cache option, but there are alternative solutions:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Open the &lt;strong&gt;Settings &lt;/strong&gt;app.&lt;/li&gt;



&lt;li&gt;Go to &lt;strong&gt;General&lt;/strong&gt; → &lt;strong&gt;iPhone storage&lt;/strong&gt;.&lt;/li&gt;



&lt;li&gt;Find and tap on &lt;strong&gt;Instagram&lt;/strong&gt;. You can choose from two options:
&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Offload App&lt;/strong&gt;: This removes the app while keeping local data, such as settings and documents.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Delete App&lt;/strong&gt;: This removes the app and its local data.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ol&gt;


&lt;div class=&quot;wp-block-image&quot;&gt;
&lt;figure class=&quot;aligncenter size-full is-resized&quot;&gt;&lt;img width=&quot;1260&quot; height=&quot;1653&quot; loading=&quot;lazy&quot; decoding=&quot;async&quot; src=&quot;https://res.cloudinary.com/dbulfrlrz/images/w_1260,h_1653,c_scale/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA&quot; alt=&quot;iPhone settings show how to delete or offload the Instagram app&quot; class=&quot;wp-post-130085 wp-image-130279&quot; style=&quot;width:400px&quot; data-format=&quot;jpg&quot; data-transformations=&quot;f_auto,q_auto&quot; data-filesize=&quot;170 KB&quot; data-optsize=&quot;67 KB&quot; data-optformat=&quot;image/webp&quot; data-percent=&quot;60.6&quot; data-version=&quot;1777991557&quot; data-seo=&quot;1&quot; srcset=&quot;https://res.cloudinary.com/dbulfrlrz/images/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA 1260w, https://res.cloudinary.com/dbulfrlrz/images/w_229,h_300,c_scale/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA 229w, https://res.cloudinary.com/dbulfrlrz/images/w_781,h_1024,c_scale/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA 781w, https://res.cloudinary.com/dbulfrlrz/images/w_768,h_1008,c_scale/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA 768w, https://res.cloudinary.com/dbulfrlrz/images/w_1171,h_1536,c_scale/f_auto,q_auto/v1777991557/wp-pme/delete-offload-instagram-on-iphone/delete-offload-instagram-on-iphone.jpg?_i=AA 1171w&quot; sizes=&quot;auto, (max-width: 1260px) 100vw, 1260px&quot; /&gt;&lt;/figure&gt;
&lt;/div&gt;


&lt;p&gt;If you’ve deleted the app, you can reinstall Instagram from the App Store and log back in. If you’ve offloaded it, look for the faded Instagram icon on your home screen and tap it to reinstall the app.&lt;/p&gt;



&lt;h3 class=&quot;wp-block-heading&quot; id=&quot;offload-delete&quot;&gt;Offload or delete app to clear cache&lt;/h3&gt;



&lt;p&gt;For apps without a built-in cache option, you have two choices:&lt;/p&gt;



&lt;ul class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;&lt;strong&gt;Offload app: &lt;/strong&gt;Removes the app while keeping local data, such as settings and documents. When you reinstall the app, local data is restored. This doesn’t free up much space but is less disruptive.&lt;/li&gt;



&lt;li&gt;&lt;strong&gt;Delete app: &lt;/strong&gt;Removes the app and its local data, so you can use a fresh installation. Your account isn&amp;#8217;t affected, and you&amp;#8217;ll just need to log back in after reinstalling the app.&lt;/li&gt;
&lt;/ul&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;system&quot;&gt;How to clear system cache on iPhone&lt;/h2&gt;



&lt;p&gt;System cache, also known as system data on iPhone, includes caches, logs, and temporary files that your iPhone stores to run smoothly. Unlike browser or app cache, there is no direct way to clear it from within iOS.&lt;/p&gt;



&lt;p&gt;A restart does help with clearing temporary memory, though, which can fix minor glitches and reclaim a tiny amount of storage. Here’s how to restart your iPhone:&lt;/p&gt;



&lt;ol class=&quot;wp-block-list&quot;&gt;
&lt;li&gt;Press and hold the &lt;strong&gt;side button &lt;/strong&gt;(the power button) and either &lt;strong&gt;volume button &lt;/strong&gt;simultaneously&lt;strong&gt; &lt;/strong&gt;until the power off slider appears.&lt;/li&gt;



&lt;li&gt;Drag the slider to turn off your iPhone.&lt;/li&gt;



&lt;li&gt;Wait for about 30 seconds.&lt;/li&gt;



&lt;li&gt;Press and hold the &lt;strong&gt;side button &lt;/strong&gt;until the Apple logo appears.&lt;/li&gt;
&lt;/ol&gt;



&lt;p&gt;If system data is eating up a large chunk of storage, you’ll need to clear your browser cache and app cache. An alternative method is to clear system data by &lt;a href=&quot;https://www.reddit.com/r/iphone/comments/zzoqdj/psa_the_proper_way_to_delete_or_shrink_iphone/&quot;&gt;setting your iPhone’s date to the future&lt;/a&gt;, though this isn&amp;#8217;t an official fix.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;more-space&quot;&gt;Get more space on iPhone with secure cloud storage&lt;/h2&gt;



&lt;p&gt;Cache builds over time, but so do &lt;a href=&quot;https://proton.me/drive/photo-storage&quot;&gt;photos&lt;/a&gt; and videos. When media files start accumulating, your iPhone storage fills up quickly. Clearing cache helps free up some space, but it eventually rebuilds. And deleting personal memories just to keep your phone functional shouldn’t be an option.&lt;/p&gt;



&lt;p&gt;Backing up your photos to secure &lt;a href=&quot;https://proton.me/drive&quot;&gt;cloud storage&lt;/a&gt; means you don’t have to make that trade-off. Proton Drive offers a privacy-first approach to storing photos, videos, &lt;a href=&quot;https://proton.me/drive/docs&quot;&gt;documents&lt;/a&gt;, and other files so you don’t have to worry about running out of space on your iPhone. We’ve made it easy and safe with &lt;a href=&quot;https://proton.me/support/enable-photo-backup&quot;&gt;automatic backups&lt;/a&gt; of photos and videos, and &lt;a href=&quot;https://proton.me/drive/file-sharing&quot;&gt;file sharing&lt;/a&gt; outside of Apple’s ecosystem.&lt;/p&gt;



&lt;p&gt;&lt;a href=&quot;https://proton.me/drive/security&quot;&gt;Proton Drive&amp;#8217;s end-to-end encryption&lt;/a&gt; keeps your files truly private and accessible only to those you choose. With apps for iPhone, iPad, and Mac, your files are always within reach — even if your phone is lost or stolen.&lt;/p&gt;



&lt;h2 class=&quot;wp-block-heading&quot; id=&quot;faq&quot;&gt;Frequently asked questions about iPhone cache&lt;/h2&gt;



&lt;div class=&quot;schema-faq wp-block-yoast-faq-block&quot;&gt;&lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987285559&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;What is the difference between cache and cookies?&lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;Cache saves pieces of content from websites and apps, so that they load faster when you return. Cookies are browser-specific and store details like your login status and site preferences. &lt;br&gt;&lt;br&gt;When you clear cache, it means your browser or app has to redownload content to your device, and you might even notice it taking longer to load. Clearing cookies removes your website preferences and signs you out across the web. Most browsers let you clear one without the other.&lt;/p&gt; &lt;/div&gt; &lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987407968&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;What is cache on iPhone?&lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;Cache is like a cheat sheet your iPhone keeps for itself. When you visit a website or use an app, bits of content and data get saved locally so that your phone can skip a full download next time. It helps things load and open faster, so you’re not stuck on a loading screen for too long.&lt;br&gt;&lt;br&gt;The problem is that this cheat sheet grows endlessly. Every site and app adds to it, and iOS does not automatically purge it. 
This is where the cache becomes an unwieldy storage hog that limits your iPhone&amp;#8217;s performance and functionality.&lt;/p&gt; &lt;/div&gt; &lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987468665&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;When should you clear cache on iPhone?&lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;You should not clear iPhone cache regularly, but only when storage is getting full or as a troubleshooting step when apps don’t function properly. Doing it too often can make your iPhone load things slowly, as it has to re-download content it would normally pull from storage.&lt;/p&gt; &lt;/div&gt; &lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987339292&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;Will clearing cache delete passwords?&lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;No. Your saved passwords live in iCloud Keychain or your password manager; clearing cache will not touch them. However, clearing cookies will sign you out of websites, so make sure your logins are saved to your password manager before you clear them.&lt;/p&gt; &lt;/div&gt; &lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987363612&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;How do you clear cookies on iPhone?&lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;You can follow the steps above to clear cache on iPhone, which also includes cookies. 
To delete cookies without clearing history, go to &lt;strong&gt;Settings&lt;/strong&gt; → &lt;strong&gt;Safari&lt;/strong&gt; → &lt;strong&gt;Advanced&lt;/strong&gt; → &lt;strong&gt;Website Data&lt;/strong&gt;, then tap &lt;strong&gt;Remove All Website Data&lt;/strong&gt;, or swipe left on individual sites to delete specific cookies.&lt;/p&gt; &lt;/div&gt; &lt;div class=&quot;schema-faq-section&quot; id=&quot;faq-question-1777987311634&quot;&gt;&lt;strong class=&quot;schema-faq-question&quot;&gt;Do iPhone app cleaners work? &lt;/strong&gt; &lt;p class=&quot;schema-faq-answer&quot;&gt;iPhone app cleaners can help with some things, like finding duplicate photos, but they can&amp;#8217;t actually clear cache from other apps. Apple doesn&amp;#8217;t let apps access each other&amp;#8217;s data, so a cleaner app has no way to reach the cached files in other apps. If an app claims it can clear your cache for you, take that with a grain of salt.&lt;/p&gt; &lt;/div&gt; &lt;/div&gt;
</content:encoded><category>Privacy guides</category><author>Elena Constantinescu</author></item></channel></rss>