This iPhone Hack Can Expose Your Company’s Data From One Website Visit

Even If You Did Nothing Wrong

3/19/2026 · 2 min read

Image credit: Lance Whitney/ZDNET

A new iPhone hack just got a lot of companies on edge, and it’s not some complicated thing. You don’t need to download anything. You don’t even need to tap anything. Just visiting the wrong website can be enough.

Security teams at organizations like Google Threat Analysis Group and Kaspersky reported that this kind of attack uses a hidden web page that breaks out of Safari, the iPhone browser. Once that happens, the attacker can get into parts of the phone that are supposed to be locked down.

What can they actually see? Reports say it can include saved passwords, email data, and access tokens. Those tokens matter because they can let someone get into work tools like Slack, Microsoft Outlook, and internal dashboards without needing to log in again. So even if your password is strong, it might not matter.

Security firms tracking this said employees at tech and SaaS companies were targeted through fake business sites and ads. In some cases, workers thought they were opening normal links related to their job. Behind the scenes, the page was running code that quietly took data from the phone.

Teams at companies using Okta and similar login systems reported reviewing sessions after seeing unusual access patterns tied back to mobile devices. That’s how some of these attacks were first spotted. Not because someone noticed something wrong on their phone, but because company systems saw strange behavior.

What makes this worse is there’s usually no sign. The phone doesn’t crash. There’s no pop-up and no warning. The person just keeps using their phone like normal while access is already taken.

Because of this, companies are reacting fast. Tech firms are locking down what employees can do from personal iPhones. Some are cutting off access to internal tools unless the device is fully managed. Others are forcing re-authentication more often so stolen session access doesn’t last long.

Finance companies are taking it even more seriously. Banks and fintech firms reported reviewing mobile access to customer data and internal systems. Some are limiting what can be opened on a phone at all. The goal is simple. If a phone gets hit, the damage stays small.

Insurance companies are stepping in earlier, not after things go wrong. Reports show more businesses are buying cyber insurance that specifically includes mobile attacks like this. But insurers aren’t just selling policies. They’re checking how companies handle mobile security before they even offer coverage.

That means companies are being pushed to fix weak spots up front. Things like stronger login checks, limiting mobile access, and monitoring unusual activity are now being required in many cases.

Industry reports say claims tied to phone-based breaches have been rising, and that’s forcing companies to take this seriously sooner. Instead of waiting for a hack, they’re going through security reviews as part of getting insured.

Because of that, something is changing. Security teams and insurance teams are starting to work together. Companies are building systems that don’t just try to stop attacks, but also reduce the damage and recover faster if something slips through.

So yes, the hack itself is simple. Just visiting a page.

But the response is getting stronger. And for a lot of companies, this is pushing them to finally lock down one of their biggest blind spots, which is the phone in every employee’s pocket.