SecurityBreach

  • Millions of LinkedIn passwords stolen in 2012 surface online

    by Mariella Moon
    05.19.2016

    You've probably already forgotten that LinkedIn was hacked back in 2012, but you could still be affected by that four-year-old security breach. According to Motherboard, someone going by the name "Peace" is selling (if he hasn't sold them yet) 117 million LinkedIn username and password combos on a dark web marketplace for 5 Bitcoins or around $2,300. When the attack was first discovered, only 6.5 million users' details were leaked -- this dump reveals that the breach was much, much bigger. In fact, a hacked data search engine told Motherboard that the database Peace listed contains 167 million accounts. It's just that only 117 million have both usernames and passwords.

  • Sanders campaign regains access to DNC voter info (updated)

    by Jessica Conditt
    12.18.2015

    Bernie Sanders' National Data Director has been fired amid accusations from the Democratic National Committee that he viewed confidential voter information collected by the Hillary Clinton campaign. The DNC maintains a master list of likely Democratic voters and rents this out to campaigns, which then add their own, confidential data. Firewalls are in place to protect campaigns from viewing rival information, though the Sanders staff says a glitch on Wednesday allowed it to access Clinton's data. Sanders Campaign Manager Jeff Weaver blamed the DNC's software vendor, NGP VAN, for allowing the breach, The Washington Post reports.

  • Hackers stole 21.5 million Social Security Numbers in government breach

    by Sean Buckley
    07.09.2015

    Last month, the US Office of Personnel Management (OPM) learned it was the victim of a massive cyberattack -- a breach that compromised personnel data of 4.2 million current and former federal employees. That's really bad. While investigating the incident, the OPM found evidence of another attack: one that compromises the privacy of 21.5 million individuals from the organization's background check database. That's a lot worse.

  • Massive hack compromises 4 million federal employees' private info

    by Mariella Moon
    06.04.2015

    A group of hackers has attacked the Office of Personnel Management (OPM), stealing sensitive data on 4 million current and former American federal employees. Law enforcement sources tell Reuters that the government believes the perpetrators are from China and have penetrated not just OPM's IT systems, but also the records it stores at the Department of the Interior's data center. According to the New York Times, security researchers believe it's the same crew that attacked insurance companies Anthem and Premera. As you might know, OPM is in possession of a huge amount of personnel info since it's in charge of conducting background checks on potential federal employees. It probably looks like a goldmine for data thieves and was even targeted last year (nothing was stolen at that time, though) by a group, which the government suspects is also based in China.

  • Chick-Fil-A admits possible credit card breach

    by Mariella Moon
    01.01.2015

    Chick-Fil-A is spending the beginning of 2015 not just serving chicken to hungry partygoers on their way home, but also dealing with a possible credit/debit card breach. The fast food chain has just issued an official statement admitting that it has "recently received reports of potential unusual activity involving payment cards used at a few of [its] restaurants." It says the company was notified on December 19th of suspicious payment activities on cards used in some of its outlets, so it has begun investigating what happened with help from authorities and IT firms. This aligns with what security journalist Brian Krebs wrote in mid-December: according to the piece, the company has been receiving rather inconsistent reports of suspicious activities from banks since November.

  • Hackers stole Kickstarter user data, but payment info was left untouched

    by Billy Steele
    02.15.2014

    In a blog post this afternoon, CEO Yancey Strickler said hackers gained access to "some" of Kickstarter's customer data last week. The co-founder of the crowdfunding outfit went on to say that the breach was closed immediately and security measures were boosted system wide. As of now, no credit card info was nabbed by the infiltrators -- only usernames, email and mailing addresses, phone numbers and encrypted passwords. As you might expect, you're strongly encouraged to change the password associated with your account. "We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come," Strickler wrote.

  • Verizon left security researcher hanging while reported URL hack revealed subscribers' texting history (updated)

    by Joseph Volpe
    10.21.2013

    Long wait times and a complete lack of transparency -- no, this isn't a story about a typical call to Verizon customer support. It's what happened when a security researcher discovered a critical privacy vulnerability on Verizon's consumer site and tried, nearly in vain, to get it patched. Back in August, researcher PRVSEC found that a simple URL exploit could allow any subscriber using the site's 'Download to SpreadSheet' function to access any other user's texting history. The hack required nothing more than swapping a subscriber's cell number into the code to view information like date, time, sendee and message status -- actual contents of the SMS or MMS sent could not be accessed. It took Verizon more than a month from the time PRVSEC submitted the initial report to bring the case to a complete resolution and close the exploit, and an additional month to make the issue public. That the issue was even addressed in the first place is somewhat of a personal victory for PRVSEC, as Verizon's site doesn't offer any direct contact info to report vulnerabilities. PRVSEC was only able to bring the URL exploit to Verizon's attention through a LinkedIn contact. Verizon has since created a dedicated email contact, CorporateSecurity@verizonwireless.com, to field these security issues, but the company's overall slow response time, inaccessibility and lack of transparency should give its subscribers cause for concern. We've reached out to Verizon for comment on the matter and will update should we hear back. Update: A Verizon rep responded to our request for comment saying, "[We] take customer privacy very seriously, and we addressed this issue as soon as our security teams were made aware of it. Customer information was not impacted."

  • Vodafone hacker accesses banking data of two million customers in Germany

    by Matt Brian
    09.12.2013

    Vodafone has confirmed that hackers have accessed its servers in Germany, gaining access to personal information and bank details of approximately two million customers. The operator says the breach was a "highly sophisticated and illegal intrusion" that it believes was masterminded by an insider -- and indeed a suspect has already been identified and handed over to police. It's not often you hear about a successful raid on a mobile operator, which is why Vodafone believes it could only have been conducted by someone with an "inside knowledge of [its] most secure internal systems." Vodafone customers outside of Germany aren't affected, and those inside the country should already have been contacted. The company says credit card information, mobile phone numbers, passwords and PIN numbers were not accessed in the attack, although Vodafone is warning customers to be especially vigilant about potential phishing attacks in the future.

  • Ubisoft security breach exposes user data, account holders urged to update passwords

    by Joseph Volpe
    07.02.2013

    If you've ever signed up for a Uplay account, your information could now be in the hands of criminals. Ubisoft's confirmed that a security breach at one of its sites, now closed, has granted hackers access to sensitive user data (i.e., usernames, emails and passwords). Critically, no actual financial information was leaked, owing to the fact that Ubisoft doesn't retain personal credit or debit card account numbers on its servers. Regardless, the Assassin's Creed developer is taking proactive measures, contacting account holders directly and strongly advising them to update any related passwords. You can find the full email just after the break.

  • Facebook security bug exposed 6 million users' personal information (update)

    by Sarah Silbert
    06.21.2013

    Today, Facebook announced a security bug that compromised the personal account information of six million users. In a post on the Facebook Security page, the site's White Hat team explained that some of the information the site uses to deliver friend recommendations was "inadvertently stored with people's contact information as part of their account on Facebook." When users downloaded an archive of their account via the DYI (download your information) tool, some were apparently given access to additional contact info for friends and even friends of friends. The post continues: We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. Facebook says it's temporarily disabled the DYI tool to fix the breach. We've reached out to the site for further comment; for now, read the official statement via the source link below. Update: Facebook has responded to our inquiries and stated that while the bug was discovered earlier this month, "it had been live since last year." They immediately disabled the tool, fixed the bug and reenabled it within 24 hours of the bug's discovery. The bug was reported to them through a White Hat program for external security researchers.

  • Microsoft execs' Xbox Live accounts hacked, investigation still underway

    by Joseph Volpe
    03.20.2013

    Microsoft has just confirmed that a group of hackers have indeed accessed the Xbox Live accounts of several of its past and present "high-profile" employees. News of the breach was first reported by Ars Technica, which itself had been the victim of a DoS attack this last weekend, potentially linked to the same group. Evidence pointing to hacking collective Team Hype's alleged involvement surfaced when videos depicting its efforts were found online; videos that demonstrated the group's reported use of illegally obtained Social Security data to gain access to and sell off Xbox Live user accounts. According to Microsoft's recently issued statement, the company's working with authorities to "disable this current method" and cut off the possibility of future attacks. For now, it appears this security compromise is unrelated to a UK incident which saw Microsoft's Xbox Entertainment Award voting app temporarily expose user data. We'll update you as soon as we hear more.

  • Daily Update for September 4, 2012

    by Steve Sande
    09.04.2012

    It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get all the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world.

  • Blizzard suffers security breach, encrypted passwords and authenticator data compromised

    by Sean Buckley
    08.09.2012

    According to a recent Blizzard security update, now might be a good time to cook up a new password. Blizzard's security team found that its internal network has been illegally accessed, and answers to personal security questions, authenticator data and cryptographically scrambled Battle.net passwords have found their way into the perpetrator's hands. The team is confident, however, that the compromised data isn't enough to give the attacker access to user accounts, and says that there is no evidence to suggest financial data (credit cards, billing addresses and customer names) were accessed. Blizzard President Mike Morhaime recommends that users update their passwords all the same, and we couldn't agree more. Check out his official statement at the source link below and get that Diablo III account locked down.

  • Microsoft fights back against Xbox Live account threats, begs you to update your security settings

    by Sean Buckley
    07.19.2012

    Redmond's console gaming network may not have suffered a breach of security comparable to last year's PSN fumble, but that doesn't mean it hasn't braced for impact. According to Xbox Live General Manager Alex Garden, Microsoft has made great strides in account security by taking legal action against sites that share phished usernames and passwords, enacting two-step login verification for untrusted devices and pushing fresh security updates to devices. Even so, Garden says that many of Xbox Live's account protection measures rely on member profiles being up to date, and heartily encourages users to make sure their security information is accurate. Get the word directly from the horse's mouth at the source link below.

  • LinkedIn confirms security breach, 'some passwords' affected

    by Brad Molen
    06.06.2012

    Reports began swirling this morning that around six million passwords attached to LinkedIn accounts had been compromised, and after looking into the matter, the site has confirmed that "some of the passwords" attached to accounts of LinkedIn members have been affected. The network doesn't specify the number of passwords leaked, nor does it confirm the rumored count of six million. It does, however, promise that it will invalidate passwords of the hit accounts -- and vows to send an email to each affected user with instructions on how to reset their password, followed by another piece of correspondence explaining what happened. Below you'll find the company's official statement, as well as what it is doing to ensure its members are safe.

  • Microsoft Store hacked in India, passwords stored in plain text

    by Sean Buckley
    02.12.2012

    Frequenters of India's online Microsoft Store were briefly greeted with the suspicious visage of a Guy Fawkes mask this morning, following a hack that compromised the site's user database. According to WPSauce, Microsoft Store India's landing page was briefly taken over by a hacker group called Evil Shadow Team, who, in addition to putting a new face on Windows products, revealed that user passwords were saved in plain text. The group's motivations are unknown, though the hacked page warned that an "unsafe system will be baptized." The store is now offline, suggesting that Microsoft may have regained control. Read on for a look at the compromised password database. [Thanks to everyone who sent this in]

  • Oops! Motorola sold refurbished Xooms without deleting previous owners' data

    by Michael Gorman
    02.03.2012

    Usually, when passwords and personal information are exposed, it's because someone hacked a company's not-so-secure system. Motorola, however, managed to put people's info at risk without such malfeasance when it failed to wipe the memory of a batch of refurbished Xooms. The tablets in question were sold by Woot.com between October and December of last year, and Moto is claiming that it made the mistake on only a small number of slates. Of course, we don't know exactly how many Xooms were shipped with previous owners' data onboard, but we do know that the company is actively attempting to make amends. Moto's offering two years of Experian identification protection services to those whose info was exposed and owners of affected Xooms are getting a little something too. Just send the device back to Motorola on the company's dime -- where it'll be properly reset and sent back to you, along with a $100 American Express gift card for your efforts. Wondering if you're among the unlucky? Hit the PR after the break for more info, and those with Wooted Xooms can plug in their slate's serial number at the source link below to find out for sure. [Thanks, Scott]

  • VeriSign revealed to have suffered repeated security breaches in 2010

    by Donald Melanson
    02.02.2012

    It took some digging through more than 2,000 pages of SEC documents, but Reuters revealed today that VeriSign was attacked "repeatedly" by hackers in 2010, and that some undisclosed information was stolen from the company. The key danger there is the DNS records that the company manages -- which ensure that URLs take you to the correct website -- but VeriSign says that its executives "do not believe these attacks breached the servers that support our Domain Name System network." As Reuters notes, however, the company isn't ruling anything out. Details on the attacks themselves (or the exact number and timing of them) are otherwise hard to come by, but it's reported that VeriSign's security staff did not notify top management until September of 2011 -- although they are said to have "responded" to the attacks themselves.

  • Chinese hackers target U.S. Chamber of Commerce, sensitive data stolen

    by Lydia Leavitt
    12.24.2011

    According to sources close to The Wall Street Journal, Chinese hackers are at it again, this time hitting the U.S. Chamber of Commerce and capturing information from three million members. Those familiar with the matter told the WSJ that hackers stole around six weeks' worth of emails regarding Asian policy, but may have had access to sensitive correspondences for as long as a year. The Chamber only learned it was under attack when the FBI sent an alert that servers in China were stealing information, although the exact amount of data stolen is unknown. After confirming the breach, the Chamber shut down and destroyed parts of its computer network, proceeding to revamp its security system over a 36-hour period. Unfortunately, this isn't the first time the U.S. of A has fallen victim to Chinese hackers, as both Google and NASA have experienced breaches over the past few years. The Chamber is currently investigating the attack, hoping to find some digital clues that might reveal the details of who done it and why.

  • Sony exec says PSN hack was 'a great experience,' apparently means it

    by Amar Toor
    07.14.2011

    The following are what most humans would call "great experiences": eating gelato on a hot summer's day, riding a tandem bike with Anthony Hopkins, or, in the case of Sony executive Tim Schaaff, having your life's work nearly destroyed by a band of hackers. Because for Schaaff, president of Sony Network Entertainment, this spring's persistent PSN outage wasn't so much devastating as it was... enlightening. Here's how he described the hack (and ensuing epiphany) to VentureBeat's Dylan Tweney: "I think for people running network businesses, it's not just about improving your security, because I've never talked to a security expert who said, 'As long you do the following three things you'll be fine, because hackers won't get you... the question is how do you build your life so you're able to cope with those things. It's been a great experience." Phenomenal as it must've felt to get in touch with his inner defeatist, Schaaff admitted that he "would not like to do it again" -- probably because his mouth can only house one foot at a time.