databreach
Latest
Former Uber security chief charged with covering up 2016 hack
The hack exposed the email addresses and phone numbers of 57 million Uber drivers and customers.
Have I Been Pwned's code base will be open sourced
It'll help ensure 'a more sustainable future' for the project after a failed acquisition process.
Federal prosecutors indict four Chinese military officers over Equifax hack
The Justice Department has charged four Chinese People's Liberation Army (PLA) officers in relation to the 2017 Equifax hack in which the personal details of some 145 million US consumers and nearly a million UK and Canadian citizens were stolen. The data included names, addresses, birth dates, Social Security numbers and some drivers license details.
Alleged JPMorgan hacker set to plead guilty
Andrei Tyurin, one of the key suspects in the huge JPMorgan Chase hack in 2014, is set to plead guilty, according to a court filing obtained by Bloomberg. The Russian reportedly struck a deal with federal prosecutors and will appear at a plea hearing next week in New York.
MoviePass confirms breach that leaked credit card numbers
On Tuesday TechCrunch reported that security researcher Mossab Hussein, with the firm SpiderSilk, found an exposed, unencrypted MoviePass database with millions of records. Some of those included numbers for its custom debit cards that are used when subscribers purchase tickets, while others listed customer's personal information including their credit card numbers, expiration dates and billing information. Another researcher had located the vulnerable information back in July and notified the company, but neither was able to get a response, while yet another found evidence the database had been public since May of this year. MoviePass took the database offline yesterday after the report, and today finally publicly responded with a statement from a spokesperson. MoviePass recently discovered a security vulnerability that may have exposed subscriber records. After discovering the vulnerability, we immediately secured our systems to prevent further exposure and to mitigate the potential impact of this incident. MoviePass takes this incident seriously and is dedicated to protecting our subscribers' information. We are working diligently to investigate the scope of this incident and its potential impact on our subscribers. Once we gain a full understanding of the incident, we will promptly notify any affected subscribers and the appropriate regulators or law enforcement. The company put its services "on hold" in July while saying it was working on its app, but couldn't close this security hole -- despite apparent attempts at notifications before restoring access "to a substantial number of our current subscribers."
After Math: Plead the fifth
With Dave Chappelle coming back to Netflix for the one, two, three, four, fif time later this month, we're taking a look at all of this week's headlines that will make you want to plead against self-incrimination.
Slack resets tens of thousands of passwords following 2015 data breach
Tens of thousands of Slack users will have to change their passwords after the company learned new details about a 2015 data breach. If you created your account before March of that year, haven't changed your password since and don't log in via a single-sign-on provider (i.e. an organization's Slack network), you'll need to update your credentials.
Indian health agency exposes details on millions of pregnant women
A health department in India exposed more than 12.5 million medical records for pregnant women after it failed to secure a database. The records span five years for a state in the north of the country, and include sensitive data such as family medical history, the mother's age, details of other children, doctor information and court case details.
Iranian hackers stole terabytes of data from software giant Citrix
Citrix is best-known for software that runs behind the scenes, but a massive data breach is putting the company front and center. The FBI has warned Citrix that it believes reports of foreign hackers compromising the company's internal network, swiping business documents in an apparent "password spraying" attack where the intruders guessed weak passwords and then used that early foothold to launch more extensive attacks. While Citrix didn't shed more light on the incident, researchers at Resecurity provided more detail of what likely happened in a conversation with NBC News.
Judge rejects Yahoo's proposed settlement over data breaches
Yahoo's proposed settlement over massive data breaches hasn't passed muster in the courtroom. Judge Lucy Koh has rejected the settlement from the company (now owned by Engadget parent Verizon) for not specifying how much victims could expect to recover. While the proposal included $50 million in damages and would pay $25 for every hour spent dealing with the breaches, Koh was concerned that it didn't reveal the scope of the settlement fund or the costs of the two years of promised credit monitoring. The judge was also worried the proposed class for the settlement was too large, as it didn't reflect the considerably smaller number of active users during the affected period.
Collection 1 data breach covers more than 772 million email addresses
If you're signed up for one of the many services that alerts you to data breaches when they're discovered (if you're not, you probably should be) then you likely have an email waiting for you. Troy Hunt runs Have I Been Pwned where he makes it his business to dig up these files as they're being passed around by hackers, and has alerted the world to "Collection #1," which claims to combine usernames and passwords from thousands of databases.
Marriott breach included 5 million unencrypted passport numbers
Marriott has good news and bad news for travelers who have passed through its hotels. The good news is the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is the data lifted from the company included millions of peoples' passport numbers.
Anonymous social network Blind left user data exposed
Blind is a workplace social network that lets employees at various companies discuss sensitive topics anonymously. The company describes it as a safe place where workers can talk about salaries, workplace concerns and employee misconduct without being identified. But Blind recently left a database server unsecured, exposing some of its users' account information, including their corporate email addresses.
NASA discloses October security breach
In an internal memo obtained by Spaceref, NASA's chief human capital officer Bob Gibbs has revealed that the agency suffered a security breach a few months ago. Investigators discovered the breach on October 23rd, and they found that an intruder gained access to a server containing the personal information (including their Social Security numbers) of current and former employees. It's not entirely clear if the data itself was compromised, and the agency still doesn't know the full scope of breach, but Gibbs wrote that "NASA does not believe that any Agency missions were jeopardized by the cyber incidents."
House committee says Equifax data breach was 'entirely preventable'
Congress clearly didn't buy Equifax's attempt to pin its massive data breach on one lone technician. The House Oversight and Government Reform Committee has released a staff report declaring that the breach was "entirely preventable" and the result of widespread, systemic flaws in Equifax's security policies. The company didn't have "clear lines of authority" in its IT structure that would have properly enacted policies, for one thing. It also had "complex and outdated" systems that didn't keep pace with its growth, wasn't prepared to help victims and made basic security missteps. Equifax let more than 300 security certificates expire, for example, making it difficult to spot intrusions.
Another Google+ data bug exposes info for 52.5 million users
Google's semi-defunct social media platform Google+ has suffered its second data breach in three months and, as a result, will be completely shuttered in April, four months earlier than previously planned.
Quora breach leaks data on over 100 million users
Today's big data breach has been announced by Q&A site Quora, affecting over 100 million registered users. What did the "unauthorized third party" get? According to CEO Adam D'Angelo: Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users Public content and actions, e.g. questions, answers, comments, upvotes Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages) Quora found the breach on November 30th and said it is still investigating. It has logged all users out, and forcing all accounts with a password to reset that password. It also said that the password data was salted and hashed to prevent attackers from using it, but to be cautious, users should also reset passwords on their other accounts if they shared the same one. There are emails going out notifying users of the breach, but right now all of the information available is organized in this FAQ.
Marriott says Starwood data breach could affect 500 million guests
Starwood Hotels has been hit by another data breach, the third such incident in as many years. Parent Marriott today revealed that the records of 500 million guests have been stolen from Starwood's guest reservation database. The hotel chain says it determined on November 19th that an "unauthorized party" had accessed the data as early as 2014.
Hackers targeted Dell customer information in attempted attack
Earlier this month, hackers attempted to breach Dell's network and obtain customer information, according to the company. While it says there's no conclusive evidence the hackers were successful in their November 9th attack, it's still possible they obtained some data.
Uber fined £385,000 in the UK for 2016 cyber-attack
Uber has been fined £385,000 ($491,000) by the UK's privacy watchdog for "failing to protect" the personal info of around 2.7 million UK users during a cyber attack in 2016. The figure isn't far off from the maximum penalty of £500,000 ($638,000) handed down to Facebook by the Information Commissioner's Office (ICO) over its Cambridge Analytica-related failures.
