databreach
Latest
Restaurant app Zomato hack leaves 17 million users exposed
If you use Zomato to look up restaurants, you may want to check your account: someone has infiltrated its system and got away with 17 million users' IDs, usernames, names, email addresses and hashed passwords. The service says no payment information was stolen, since credit card details are stored separately. It also doesn't have access to your Facebook or Google account, so you don't have to worry about anything if you simply linked your account instead of making a standalone one for Zomato. But if you did make a standalone one for Zomato, it's best to change your password ASAP.
Phishing campaign alerts DocuSign to customer data breach
A bizarre email address or an obvious misspelling are good indicators that the recent email telling you to reset your Apple ID password isn't what it seems. But there are more sophisticated (and believable) phishing attacks you have to watch out for, like the recent Google Docs scam that linked out to a legit-looking web app. Last week, DocuSign spotted an uptick in phishing emails imitating the company's branding. Being in the business of secure document management, it's not uncommon for DocuSign's name to be on the face of a phishing email; but upon further investigation the firm discovered why this particular campaign was so targeted: It'd been hacked.
'Orange is the New Black' hackers may have stolen 36 other shows
When the hackers who swiped Netflix's unreleased Orange is the New Black season warned that they had shows from other TV networks, they might not have been kidding around. TheDarkOverlord has reportedly provided DataBreaches.net with a "preview" of the shows it obtained from Larson Studios, and it looks like there could be 36 more titles in the mix -- many of which you've likely heard about. The mix includes recent and yet-to-air episodes of Fox's New Girl, FX's It's Always Sunny in Philadelphia, IFC's Portlandia and CBS' NCIS: Los Angeles, among others. There are also singular titles like the Vin Diesel movie XXX: Return of Xander Cage as well as Netflix's Bill Nye Saves the World and a YouTube Red original.
Over 1,000 Intercontinental hotels hit by a data breach
The Intercontinental Hotels Group (IHG) thought only a handful of Holiday Inns were affected by a data breach that happened last year, but it turned out to be a much bigger deal. In a statement posted on its website, IHG has admitted that it found signs of malware designed to access credit card data used at front desks in a lot more locations. It didn't mention a specific number, but it linked to a tool where you can look up which Holiday Inns, Intercontinentals and Crowne Plazas were affected. A Krebs on Security reader did some digging, though, and found 1,175 properties in IHG's tool. That's a sizeable chunk of the 5,000 hotels it has worldwide.
UK police often misuse sensitive data for personal reasons
It's no wonder people are so fervently concerned with privacy when little by little, it seems harder to maintain. You could now be denied entry into the US if you refuse to unlock your phone and hand it over to border agents, for example; and on the more secretive side, London police have just been credibly accused of spying on innocent Greenpeace protestors and journalists for years. While it's hard to avoid becoming numb to stories of clandestine surveillance campaigns and creeping state powers, a recent and illuminating report from The Police Federation of England and Wales details the extent at which officers are routinely breaking data protection laws by using work resources for personal reasons.
Three caught up in another embarassing data breach
A technical issue has given some Three customers access to another person's account information, including their name, address, phone number and call history. The scale of the problem isn't clear, but it's likely to be small. Three says it's received "less than 20" reports so far from customers, and is now investigating the matter. As the Guardian reports, the mistake has allowed a number of Three customers to view other people's personal information after logging in to their account online.
Three finds more customers affected by 2016 data breach
Three has revealed that a customer data breach it caught wind of last November was more extensive than first thought. Using stolen employee logins, ne'er-do-wells gained access to a database used to manage handset upgrades, comprising customer details such as names, addresses, dates of birth, mobile numbers and information about mobile contracts (but no financial data). Initially, just over 130,000 subscribers were said to be affected, but upon further investigation, another 76,373 accounts have now been added to that total. No fraudulent activity has been spotted, but all newly identified customers have been contacted, Three says.
LeakedSource and its database of hacked accounts is gone
A website that sold access to a database of more than 3 billion hacked accounts has suddenly vanished. LeakedSource had built a business on collecting and packaging information exposed through various data breaches. It gathered compromised account details and made it searchable so users could see which of their email addresses, phone numbers and passwords were vulnerable. The site was controversial, however, because anyone could pay for advanced search capabilities. LeakedSource said its mission was to educate people who might be affected, and pressure companies to disclose breaches. Critics argued, however, that it gave hackers the means to access innocent people's accounts.
FBI looks into Chinese hack targeting federal insurance
The US' Federal Deposit Insurance Corporation hasn't had an easy time of things in recent years: it's been the subject of numerous hacks in recent years, starting in 2010. And now, the FBI wants answers. Reuters sources understand that the law enforcement agency is investigating how the intruders got in, and that the FDIC believes the Chinese military sponsored the attacks. While the full details of the initial hack aren't available, it took a while to recover. The FDIC took until "at least" 2012 to make sure that its systems were clean, according to an internal probe.
Data breach at LinkedIn's Lynda.com affects 55,000 accounts
Microsoft is getting a little bit more than it bargained for now that its acquisition of LinkedIn is official. LinkedIn's training site Lynda.com is notifying users of a database breach that includes the passwords of just under 55,000 accounts. All those passwords were "cryptographically salted and hashed" to prevent access the site says, but it's resetting the logins just in case. Lynda.com is also alerting 9.5 million customers "out of an abundance of caution," according to the email it's sending to users.
Ashley Madison settles charges over its massive data breach
Ashley Madison is paying the price for the hack that exposed the info of 36 million customers, and we don't just mean through executive departures. The owners of the cheat-on-your-spouse site, Ruby Corp, have settled charges from both the US Federal Trade Commission and 13 states alleging that it both misled users and didn't do enough to protect their info. The actual fine is small -- Ashley Madison was intended to pay a total of $17.5 million, but can only afford to pay just over $1.6 million. However, the reforms may go a long way toward solving some of the underlying problems that led to both the breach and shady business practices.
Professional football is the latest victim of a giant data leak
Big data leaks are becoming more and more common, and today another massive victim has been revealed: professional soccer (or football, if you live anywhere but the US). German publication Der Spiegel just released the first in what will be a steady stream of details about corruption in various European football clubs as well as the sport's players. A group known as "Football Leaks" got its hands on a whopping 1.9 terabytes of data, covering 18.6 million documents -- including secret agreements between clubs and players. Basically, it's the Snowden release of professional football.
Navy leaks personal data for over 130,000 sailors
Another day, another data breach. While everyone is focused on pre-holiday activities, the Navy reveals that it was notified by Hewlett Packard Enterprise in October about a compromised laptop. Now, an investigation has determined that names and social security numbers of 134,386 current and former sailors had been accessed by unknown individuals. Other than dumping the news out while few are paying attention, the Navy says it will notify those affected "in the coming weeks," by phone, letter and email.
FriendFinder breach shows it's time to be adults about security
Like all sectors -- government, retail, finance and healthcare -- the adult and porn businesses are feeling the consequences of not making security a priority, in the worst possible ways. Namely, by getting hacked and pwned, hard. Take for example this week's breach-bloodbath, in which FriendFinder Networks (FFN) lost their Sourcefire code to criminal hackers and put their users in serious risk. Combined with Ashley Madison's many deceits, FFN also contributed to the deepening public mistrust about the very sensitive data exchange between adult companies and their consumers.
AdultFriendFinder hack puts 412 million accounts at risk
There have been some massive data breaches in recent years, but the latest might just top them all. LeakedSource reports that a hack targeting Friend Finder Network has exposed over 412 million accounts, most of them (339 million) belonging to sex hookup site AdultFriendFinder. Users at Cams.com (62 million), Penthouse (7 million) and a handful of smaller sites were also affected. This reportedly represents about 20 years' worth of data, and handily eclipses the 360 million records from the MySpace breach.
US bank authority warns of data breach that took 10,000 records
Government data breaches aren't always the work of foreign intruders or even disgruntled employees. Sometimes, it's a staffer who simply isn't security-conscious. The US' Office of the Comptroller of the Currency has revealed that a worker took over 10,000 activity and staff records with him sometime in November 2015, shortly before he retired. The unnamed worker copied a "large number" of files to two thumb drives and, when asked about the data, couldn't find the drives to give them back.
Opera warns that its web sync service was hacked
Data breaches happen all too often, but it's rare that they target your browser's sync service... and unfortunately, Opera just became one of those exceptions. The company is warning users that it detected a hack in its sync system that may have given intruders access to login details. While your passwords are likely safe (all synced passwords are encrypted, for example), Opera isn't risking anything. It's resetting all sync account passwords, and it recommends that you change any linked third-party passwords to be on the safe side.
Oracle data breach opened credit card payment systems to attack
Data thieves don't always have to go straight to the source to swipe payment details... sometimes, they can take a roundabout route. Oracle has confirmed to security guru Brian Krebs that hackers breached a support portal for Micros, the point-of-sale credit card payment system it acquired in 2014. It's not certain just how many systems were breached (Krebs' sources say over 700), but the intruders had slipped malware on to the portal that would let them grab logins for the companies using Micros. They wouldn't have had direct access to payment data, but there's a chance those account details could be used to slip malware into the credit card systems and then grab sensitive info.
Android will tell you when new devices access your Google account
If you have a Google account, few things are more disconcerting than getting a notice that an unfamiliar device just got access... especially when you only got the notice while checking your email considerably later. You might not miss that vital heads-up after today, though. Google is introducing native Android notifications that pop up whenever a new device accesses your account, giving you a chance to change your password before an intruder goes on a shopping spree using your credentials. If you're ever suspicious, it takes one tap to review what happened.
Hacker claims to have 655,000 health care records for sale
Hackers are getting all too creative in their bids to hold health care data for ransom. An intruder is selling records for 655,000 patients from three US health care organizations (in Atlanta, the central US and Farmington, Missouri) on the Dark Web as part of a ransom attempt. Details of what happened aren't clear, but the hacker claims to have exploited flaws in the Remote Desktop Protocol to perpetrate the heists. Also, this person maintains to DeepDotWeb that the companies had a chance to "make it go away" for a "small fee," but didn't -- the sale is upping the ante.
