SecurityBreach

Latest

  • Hacker pleads guilty to AT&T iPad breach

    by Dante Cesa, 06.24.2011

    Nearly six months after his arrest, one hacker pleaded guilty to charges that he exposed the email addresses of over 100,000 AT&T iPad 3G users. It's been a year since Daniel Spitler and his compatriot, Andrew Auernheimer, coaxed Ma-Bell servers into delivering the goods, with a brute force script they lovingly named the iPad 3G Account Slurper. The hacker's plea agreement suggests a 12 to 18-month sentence, which is a lot more lenient than the 10-year maximum we hear he could face. Spitler's collaborator is apparently still in plea negotiations with the prosecutor. Both men initially claimed they were just trying to draw attention to a security hole, but maybe next time they'll think twice before embarking on such altruistic endeavors.

  • Codemasters website hacked, 'tens of thousands' of personal accounts compromised

    by Vlad Savov, 06.13.2011

    This must be the season of the hacking witch as we've now seen yet another company's online security walls breached. Independent UK games developer Codemasters, responsible for titles like Dirt 3 and Overlord, has reported that its website was hacked on the third of June, exposing the names, addresses (both physical and email), birthdays, phone numbers, Xbox gamer tags, biographies, and passwords of its registered users. Payment information wasn't compromised, but when you consider that almost everything else was, that feels like hollow consolation. For its part, Codemasters says it took the website offline as soon as the breach was detected and a subsequent investigation has revealed the number of affected users to be in the tens of thousands. Those who might have been affected directly are being emailed with penitent apologies, while the rest of us are being pointed to the company's Facebook page while its web portal is kept offline.

  • Sony Pictures breach affects 37,500 users, far less than Lulz Security claimed

    by Terrence O'Brien, 06.09.2011

    Well, Lulz Sec may have overstated its level of success by declaring it had stolen 1,000,000 passwords from Sony Pictures -- turns out the number is closer to 37,500. Now granted, any breach of user data is unacceptable, but when a hacker collective's haul is less than four percent of what it claimed, everyone can breathe a little easier. The troublemakers may have made off with email addresses, phone numbers, and passwords, but Sony says no credit card or social security numbers were compromised. The company issued a statement, which you'll find after the break, and is working with the FBI to track down those responsible. Hopefully this finally closes the door on Sony's security woes, and we can go back to bringing you stories about Angry Birds ports and Kinect hacks.

  • Sony Pictures hacked by Lulz Security, 1,000,000 passwords claimed stolen (update)

    by Zachary Lutz, 06.02.2011

    Oh, Sony -- not again. We've just received numerous tips that Lulz Security has broken into SonyPictures.com, where it claims to have stolen the personal information of over 1,000,000 users -- all stored (disgracefully) in plain text format. Lulz claims the heist was performed with a simple SQL injection -- just like we saw the last time around. A portion of the group's exploit is posted online in a RAR file, which contains over 50,000 email / password combos of unfortunate users. We've downloaded this file (at our own risk, mind you) and can verify these sensitive bits are now in the wild, though it remains unclear if what's published matches reality. In addition to user information, the group has blurted out over 20,000 Sony music coupons, and the admin database (including email addresses and passwords) for BMG Belgium employees. Fresh off the heels of the PlayStation Network restoration, we're guessing the fine folks in Sony's IT department are now surviving solely on adrenaline shots. Update: Sony Pictures has confirmed to Reuters that some of its websites have been hacked, and says that it's currently working with the FBI to identify the perpetrators. [Thanks to everyone that sent this in]

  • Sony says PlayStation Network will return to Asia, starting tomorrow

    by Amar Toor, 05.27.2011

    Good news, Asia -- the PlayStation Network is finally coming back. Today, Sony announced that it will restore its gaming network across the continent, more than a month after falling prey to a crippling data breach. The company's PSN services are already up and running across other parts of the world and, beginning tomorrow, will light up once again in Taiwan, Singapore, Malaysia, Indonesia, Thailand and even Japan, which had been harboring serious reservations about the network's security. Gamers in South Korea and Hong Kong, meanwhile, will have to wait a little longer before returning to normalcy, though Sony is hoping to completely resolve the issue by the end of the month. The company certainly seems eager to put this saga to bed, and for understandable reasons. The incident has already cost Sony an estimated $171 million in revenue -- not to mention the untold numbers of suddenly wary consumers.

  • Sony woes continue as SOE confirms data breach (update: 24.6 million accounts affected)

    by Tim Stevens, 05.02.2011

    Are you starting to feel bad for Sony yet? No? Maybe this will change your mind. Sony Online Entertainment has, apparently, been the victim of another breach that has, according to Nikkei.com, resulted in the release of 12,700 credit card numbers -- and presumably some other information as well. 4,300 of those credit card numbers are said to be Japanese, but no saying how many are American. Thankfully, data is said to be from 2007, minimizing the number of still-valid credit cards exposed, making us wonder if perhaps this wasn't some sort of backup that was exposed. Regardless, SOE's online services were taken offline earlier today and, well, now we know why. We're presently expecting further information from the company but, until then, feel free to continue cowering in the corner and quietly sobbing onto your compromised credit cards. [Warning: subscription required] Update: According to the Wall Street Journal, Sony has also confirmed that the latest attack accessed personal information for a staggering 24.6 million accounts. Such info includes names, addresses, telephone numbers, email addresses, gender, date of birth, login ID, and hashed passwords. Ruh roh. Full press release after the break.

  • Hackers disguise phone as keyboard, use it to attack PCs via USB

    by Michael Gorman, 01.23.2011

    We've seen hackers use keyboards to deliver malicious code to computers, and we've seen smartphones used as remote controls for cars and TV -- but we've never seen a smartphone disguised as a keyboard used to control a computer, until now. A couple folks at this year's Black Hat DC conference have devised a clever bit of code that allows a rooted smartphone -- connected to a PC through USB -- to pose as a keyboard or mouse in order to attack and control the computer. The hack takes advantage of USB's inability to authenticate connected devices coupled with operating systems' inability to filter USB packets, which would enable users to thwart such an attack. While utilizing a digital costume to hack a computer is a nifty idea, it doesn't pose much additional risk to users because the method still requires physical access to a USB port to work -- and most of us would probably notice someone plugging a smartphone into our laptop while we're using it. [Image Credit: Angelos Stavrou / CNET]

  • AT&T sends apology email to customers affected by iPad 3G security breach

    by Nilay Patel, 06.13.2010

    Good news if you're one of the 114,000 iPad 3G owners whose email address was uncovered by hackers spoofing the AT&T ICC database the other day -- AT&T is very, very sorry, and it's written you a nice email to make it all better. Ma Bell says the "hackers deliberately went to great efforts with a random program," which is pretty funny -- we can only imagine the damage insincere hackers making a half-hearted effort with a non-random program could have done. In any event, AT&T says the hole's been patched, that it's working with law enforcement to figure out who's liable, and promises that it takes your privacy seriously. Yes, it's all very nice -- although we're sure affected customers would much rather hear that they're being comped a free month of service. Full email after the break. [Thanks, Brad]

  • FBI steps in to investigate iPad security breach

    by Ross Miller, 06.10.2010

    You might recall yesterday's news that a little trickery into AT&T's systems brought about the breach of 114,000 Apple iPad-owning email addresses. Now it seems the FBI has taken an interest in the case and has launched an investigation into the "potential cyber threat" of the snafu. As far as we know and have seen, the hackers were able to obtain just email addresses, although with that comes the knowledge that the victims in question own iPad 3Gs and don't mind AT&T's service -- don't click on any odd billing statements if you were affected. As stated previously, the carrier has subsequently apologized and proverbially "plugged the hole" from which the info was obtained. Not sure anything will come of this inquiry, but we'll let you know what we hear.

  • AT&T breach reveals 114,000 iPad owners' email addresses, including some elite customers

    by Ross Miller, 06.09.2010

    Uh oh. According to Valleywag, an AT&T security breach led to the exposure of 114,000 email addresses (and associated SIM / ICC identifiers) belonging to Apple iPad owners. A group of hackers calling themselves Goatse Security (be careful looking that one up) figured out a number of ICC-IDs and ran a script on AT&T's site through a faked iPad UserAgent, which would then return the associated addresses. Some of those affected were actually quite big names, including the CEOs of The New York Times and Time Inc., some higher-ups at Google and Microsoft, and even a number of employees from NASA, FAA, FCC, and the US military. For its part, AT&T tells AllThingsD that it was informed of the issue on Monday, that only the addresses and associated ICC-IDs were revealed, and that by Tuesday the "feature" that allowed addresses to be seen had been turned off. And as Security Watch's Larry Seltzer cautions in a statement to PC Mag, the impact of this breach -- just email addresses -- is probably somewhat exaggerated. Still, regardless of the magnitude, this can't be making AT&T's day at all bright, and you best believe a number of folks in Cupertino have fire in their eyes over this bad press. [Thanks to everyone who sent this in]