databreach

Latest

  • Some big websites might require you to change passwords

    by 
    Mariella Moon
    06.07.2016

    If you receive an email from Netflix or Facebook asking you to change your password because it matches a credential from an older security breach, you may want to heed its advice. Cybersecurity expert Brian Krebs says some big companies, including the streaming service and the social network, tend to go through data from other websites' security breaches to look for log-ins that match their users'. They then force those users to change the passwords they reused to keep them safe. If you'll recall, hackers recently sold the millions of log-in combinations they stole from LinkedIn, Tumblr and MySpace a few years ago.

  • Retailers fight to silence customer data breaches

    by 
    Violet Blue
    05.31.2016

    A consortium of retailers, including Target and Home Depot, vowed to fight a data breach notification bill. The bill, HR 2205 from Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to tell customers when they've been hacked and would also require the encryption of data in both storage and transit. It would hold retailers to the same data-security standards as the financial sector. The large and powerful Retail Industry Leaders Association (RILA) sent a letter on Tuesday to House leadership saying that "it makes no sense to take one industry's regulations and apply it to a large segment of the economy without understanding the consequences."

  • Data breaches and spying fears are keeping people offline

    by 
    Jon Fingas
    05.14.2016

    Have countless data breaches and unfettered government surveillance left you nervous about doing things online? You're definitely not alone. The US National Telecommunications and Information Administration has conducted a survey revealing that nearly half of the Americans it surveyed (41,000 homes) have scaled back their internet activity over privacy and security fears. About 29 percent have avoided online finances, while 26 percent skipped online shopping. A similar amount decided against posting on social networks, and 19 percent even decided against offering "controversial" opinions online.

  • Hackers are trading millions of Gmail, Hotmail, Yahoo logins

    by 
    Nathan Ingraham
    05.04.2016

    Email services including Gmail, Yahoo Mail and Hotmail have fallen victim to a hack, exposing usernames and passwords for millions of users. According to Reuters, a huge data breach consisting of some 273.3 million online accounts has been reported by security expert Alex Holden of Hold Security. All told, the data breach contains 57 million accounts for the Russian email provider Mail.ru, along with 40 million Yahoo Mail credentials, 33 million Hotmail accounts and 24 million Gmail accounts.

  • Hacker sells data stolen from Verizon's enterprise customers

    by 
    Mariella Moon
    03.24.2016

    Verizon suffered a data breach, according to KrebsOnSecurity, but you can breathe easy if you're just one of the carrier's subscribers. What the hacker infiltrated was Verizon Enterprise Solutions, a division that provides services to clients from the business and government sectors. Coincidentally, it's also the task force of sorts Fortune 500 companies call in when their systems get infiltrated. Brian Krebs says a well-known member of a cybercrime forum recently posted a thread selling info on 1.5 million enterprise customers for $100,000. He also offered to share the vulnerabilities he found on Verizon's website for a price.

  • Hackers target firm protecting against denial of service attacks

    by 
    Jon Fingas
    03.13.2016

    When you dedicate your company to protecting against hacks, you make yourself a bigger target for those hacks... and one firm is learning this the hard way. Staminus, an online hosting service that focuses on protecting against distributed denial of service attacks, was the victim of an apparently giant hack last week. In addition to going offline until Thursday night, the company has confirmed that the intruders took customer data that includes payment card info, user names and (thankfully hashed) passwords. The perpetrators claim to have hijacked and reset the majority of Staminus' routers.

  • Wendy's looks into claims of a credit card data breach

    by 
    Jon Fingas
    01.27.2016

    If you grabbed a bite to eat at a Wendy's (you know, the other other big burger chain) using a credit or debit card, you might want to check your financial statements. The restaurant tells security guru Brian Krebs that it's investigating reports of a possible card data breach that let fraudsters go on spending sprees. It's not clear just how far-reaching the incident might have been, but Wendy's says that it did get reports of "unusual activity" on cards that had recently been used at "some" of its locations. Let's just hope the damage is limited -- the last thing Americans need is yet another large-scale intrusion that leaves millions of people vulnerable.

  • Hyatt is the latest hotel chain to spot malware on its systems

    by 
    Jon Fingas
    12.23.2015

    Unfortunately, Hilton isn't the only hotel chain grappling with malware on sensitive computers. Hyatt is now warning travelers that it recently spotted malware on its payment processing systems (on November 30th, the company tells us). It's still investigating what happened and has precious few details, but it maintains that you can "feel confident" using your card. Unfortunately, that's not much help if you recently stayed at a Hyatt. How long does it think the malware was hanging around? And how much damage did the rogue code do? Hyatt tells us that it'll share more when the investigation is over. Until it offers the full scoop, your best option is to watch your financial statements for any shady behavior.

  • Sanders campaign regains access to DNC voter info (updated)

    by 
    Jessica Conditt
    12.18.2015

    Bernie Sanders' National Data Director has been fired amid accusations from the Democratic National Committee that he viewed confidential voter information collected by the Hillary Clinton campaign. The DNC maintains a master list of likely Democratic voters and rents this out to campaigns, which then add their own, confidential data. Firewalls are in place to protect campaigns from viewing rival information, though the Sanders staff says a glitch on Wednesday allowed it to access Clinton's data. Sanders Campaign Manager Jeff Weaver blamed the DNC's software vendor, NGP VAN, for allowing the breach, The Washington Post reports.

  • Wetherspoon hack exposes over 600,000 customers

    by 
    Nick Summers
    12.04.2015

    Another week, another hack. JD Wetherspoon, the owner of countless cheap British pubs, has revealed that an older version of its website was hacked between June 15th and 17th, putting over 600,000 customers at risk. The company says it was informed of the attack on December 1st and immediately called in security specialists, who confirmed the breach a day later. All customers were then notified via email on December 3rd.

  • Target settles data breach lawsuit with banks for $39 million

    by 
    Billy Steele
    12.02.2015

    Nearly two years after Target's massive data breach leaked customer payment info, the retailer has reached a settlement with financial institutions. The company agreed to pay $39 million to the likes of MasterCard and banks who filed claims stemming from the 2013 incident. More specifically, Target will pay $20 million to the settlement class and $19 million to MasterCard to fund its Account Data Compromise program that ties into the hack. These figures are in addition to the $10 million settlement that the retail company already agreed to with lawyers for individual victims and its $67 million settlement with Visa.

  • VTech's data breach includes children's photos and chat logs

    by 
    Billy Steele
    12.01.2015

    News of VTech's data breach affecting nearly 5 million customers first broke last week, and now it appears other kinds of info were easily accessible to hackers. Motherboard reports that the company kept photos of parents and children alongside "a year's worth" of chat logs on its servers where prying eyes could easily find them. The same hacker that alerted Motherboard to the initial vulnerability late last week found that VTech left the images and conversations from its Kids Connect service exposed as well. The company says that while images and sound clips are encrypted with AES128, the chat logs were not.

  • Hilton confirms malware accessed payment info at its hotels

    by 
    Jon Fingas
    11.24.2015

    If you've stayed at one of Hilton's hotels in the past year, you might want to check your credit card history. The chain has confirmed a report that malware compromised its payment systems, putting your data at risk. The intruders got in between November 18th and December 5th in 2014, and between April 21st and July 27th this year. The malware didn't expose home addresses or PIN codes, but it did get access to card numbers, security codes and names -- enough that hackers could potentially make purchases.

  • Amazon resets passwords that might have been 'exposed'

    by 
    Jon Fingas
    11.24.2015

    Did you recently get a notice that Amazon changed your password? You're not alone. Numerous readers tell ZDNet that Amazon reset their passwords after learning that the login might have been "improperly stored" or "transmitted" in a way that could expose it to others. The company is shy about what happened (is it a data breach? A security hole?), but doesn't believe that someone actually swiped your info -- it's just giving you a new password out of an "abundance of caution." Gee, thanks. We're glad to see Amazon taking a better-safe-than-sorry approach, but we've reached out to the internet giant to get a better sense of what happened... and whether or not you have reason to be nervous.

  • US prisons allegedly record more inmate calls than they should (update: response)

    by 
    Jon Fingas
    11.11.2015

    It might not just be everyday people who've been subject to illegal surveillance -- prisoners may be victims, too. An anonymous hacker has given The Intercept phone records showing that prisons have recorded "at least" 14,000 calls between inmates and lawyers through software from Securus. As you might imagine, that potentially represents huge violations of both the attorney-client privilege and Sixth Amendment protections against interference with your right to counsel. Prosecutors could use these recordings to cheat at trial by getting case details that they're not supposed to know. In fact, a recent Austin lawsuit accuses Securus of contributing to just that kind of trickery.

  • US prosecutes man who hacked identities to help ISIS

    by 
    Jon Fingas
    11.02.2015

    Extremism and terrorism are complex things in the internet era, and US federal prosecutors are learning this first hand. The Justice Department recently charged Kosovo citizen Ardit Ferizi with leading a hacking team that swiped the personal data of US military staffers in order to help Islamic State in Iraq and Syria (ISIS) supporters kill as many as 1,000 Americans. That campaign hasn't panned out, as you might have guessed, but it makes the consequences of a typical data breach look timid by comparison.

  • Scottrade learned about a data breach from law enforcement

    by 
    Jon Fingas
    10.03.2015

    Companies typically find out about data breaches first-hand, and bring in the police after the fact to (hopefully) identify the culprits. Unfortunately, Scottrade didn't even have that luxury: the investment firm only learned about a huge breach after federal law enforcement showed up at its door with word of an ongoing investigation. The intruders compromised roughly 4.6 million accounts between late 2013 and early 2014. They focused primarily on snagging contact information, but the targeted system also included information as sensitive as Social Security numbers.

  • Government audit finds federal networks unprepared for cyberattacks

    by 
    Mariella Moon
    09.30.2015

    The Government Accountability Office (GAO) has discovered that 24 federal agencies are unprepared to protect their networks in the face of cyberattacks. According to the results of a recent GAO audit, these agencies continue to have weaknesses when it comes to detecting unauthorized network access, managing software and hardware configuration and planning for operations in case of network disruption, among other things. The agency says these weaknesses put federal personnel's sensitive information at risk of being pilfered, just like what happened to the people whose identities were stolen when the Office of Personnel Management was hacked. Hackers got away with 30 years' worth of data -- including 21.5 million Social Security Numbers -- from that attack.

  • Hilton looks into claims its hotels' shops were hacked

    by 
    Jon Fingas
    09.27.2015

    If you've been spendy at one of Hilton's hotels in recent memory, you may want to double-check your financial records. The company is investigating claims by security guru Brian Krebs that hackers compromised banking card data at a "large number" of Hilton's gift shops and restaurants, ranging from Doubletree locations all the way to posh Waldorf Astoria hotels. The intruders reportedly broke into point-of-sale machines as far back as November 2014, and it's possible that their attacks are continuing to this day.

  • OPM hackers took more fingerprint data than first thought

    by 
    Jon Fingas
    09.23.2015

    It's safe to say that the Office of Personnel Management data breach was already bad news for government workers, but things just got a bit worse. The agency now estimates that the intruders took the fingerprints of 5.6 million people, not the originally determined 1.1 million. Yes, that's five times more than first thought. Officials are quick to note that this digit data won't be as useful to the hackers as the other sensitive information leaked through the attack (fooling a fingerprint reader requires some skill). However, there's a concern that the thieves could find a way to misuse those prints -- and it's not as if you can change your fingers once they've been compromised. While there's no immediate reason to panic if you've worked for the feds, there could be additional trouble down the road.