The Data Breach Thread

Post by Isgrimnur » Wed May 21, 2014 11:09 am

Your one stop shop for all the reported data breaches and associated fallout.

First up for the new thread: EBay
Online marketplace eBay says it will urge users to change their passwords following a "cyberattack" impacting a database with encrypted passwords and non-financial data.

The database includes information such as customers' names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.

In a statement released Wednesday, eBay says it has not found evidence of unauthorized activity or access to financial information, based on "extensive" tests. The company says financial data was not affected, pointing out credit card information is encrypted and stored separately from this database.
...
The compromise, which happened between late February and early March, resulted from a cyberattack targeting a small group of employee log-in credentials.

The company says emails will go out to users today to request changes to their passwords.
Silver - soon...

Post by GreenGoo » Wed May 21, 2014 11:19 am

Any comments on the US naming and shaming Chinese military members accused of industrial espionage against many US companies? Did I miss the thread? Is it inherently political?

Post by LawBeefaroni » Wed May 21, 2014 11:26 am

Isgrimnur wrote:

The database includes information such as customers' names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.
Changing passwords won't help customers if email, DOB, phone, and address were compromised. Especially passwords that were compromised months ago.



I'm starting to have the feeling that a bunch of this data is being gathered and stored to unleash total chaos at once. Rather than penny-ante ID theft here and there, they'll seize up entire websites or markets with a flood of stolen IDs.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT

Post by LordMortis » Wed May 21, 2014 11:30 am

LawBeefaroni wrote:I'm starting to have the feeling that a bunch of this data is being gathered and stored to unleash total chaos at once.
his name was robert paulson

Post by Lorini » Wed May 21, 2014 12:00 pm

There's no reason for them to take birthdates. A month/date would have sufficed and been a lot safer. I hate that these places ask for actual dates.
Steer into the drift.

Post by killbot737 » Wed May 21, 2014 12:03 pm

I don't remember whether I have an Ebay account or not. :think: I'll have to check my email archives. If I ever did I'm sure I stopped using it when they made paying by anything other than Paypal basically impossible.
There is no hug button. Sad!

Post by LordMortis » Wed May 21, 2014 12:15 pm

killbot737 wrote:I don't remember whether I have an Ebay account or not. :think: I'll have to check my email archives. If I ever did I'm sure I stopped using it when they made paying by anything other than Paypal basically impossible.
I had one over ten years ago. The email associated with it is from an ISP that is long long gone. I have no idea if the account is active. The last thing I did on EBay was buy a box of these:

http://thumbs2.ebaystatic.com/d/l225/m/ ... FPHQFg.jpg


Wiki tells me that was in 2000.

Post by killbot737 » Wed May 21, 2014 12:48 pm

Well I didn't find anything on my local archive. The only other email I would have used for that would have been an ancient yahoo account that keeps getting deactivated because I never use it.

So I guess they might get a 15 year old credit card number for a card I don't have anymore at an address I haven't lived at this century, in another state. And possibly my "untrusted" birthday. I never give out my real birthday online.

Post by EvilHomer3k » Wed May 21, 2014 4:49 pm

Ebay: Change your password we were hacked.
Homer: Okay. Ebay.com, login, change password.
Ebay: Page Not Available. Please try again later.
Homer: :grund:
That sound of the spoon scraping over the can ribbing as you corral the last ravioli or two is the signal that a great treat is coming. It's the washboard solo in God's own bluegrass band of comfort food. - LawBeefaroni

Post by Isgrimnur » Wed Jun 11, 2014 1:16 pm

P.F. Chang's with a side of Feedly and Evernote DDoS.
Feedly, a news aggregation app, is under attack.

The company reported Wednesday that it's facing a distributed denial of service (DDoS) attack launched by "criminals," who the company claims are "trying to extort...money to make it stop."

Meanwhile, Asian restaurant chain P.F. Chang's told Bloomberg in an e-mailed statement Tuesday that it is investigating whether credit and debit card information has been stolen from its restaurants. That news came after security researcher Brian Krebs reported that card numbers had popped up for sale on Internet black market sites. Krebs said the cards in question were used by P.F. Chang's customers between March and May 19.

Both stories come just after mobile and Web startup Evernote said Tuesday that it, too, was up against a DDoS attack, but that its service was quickly restored.

Post by Isgrimnur » Sat Jun 14, 2014 12:53 am

AT&T
Attackers have compromised the personal information of an undisclosed number of AT&T Mobility wireless customers, the Dallas-based telecommunications giant has confirmed.

AT&T confirmed the data breach today, saying outside attackers — allegedly employees of one of AT&T's service providers — stole personal information on AT&T Mobility customers. The company would not disclose the number of affected users.
...
The breach was discovered May 19, and AT&T believes the data was accessed in an attempt to unlock phones for secondary market resale, the publication CSO reported.

AT&T Mobility filed a breach notification in California this week, CSO reported. From April 9 until April 21, one of AT&T’s third-party providers violated the company's security and privacy guidelines and was accessing customer data.

AT&T says in the notification that the stolen information includes Social Security numbers and call records.

Post by malchior » Sat Jun 14, 2014 6:01 am

The PF Chang one is interesting as they have not figured out where it has happened yet and fell back to manual imprints in the meantime.

Post by Lorini » Sat Jun 14, 2014 9:27 am

Social Security numbers?! That should cause a definite fine. Again why are they storing SS numbers??

Post by Isgrimnur » Sat Jun 14, 2014 11:30 am

Credit checks to see if you're required to put down a 1-year deposit as a bad risk. Last 4 of SSN used to be default phone verification procedures, maybe still is. Before I left, they'd masked the first 5 for phone reps, but the managers still had the full access.

Post by Lorini » Sat Jun 14, 2014 11:37 am

I get the credit checks. After that, why do they need to keep them?

Post by Jag » Sat Jun 14, 2014 12:27 pm

My wife just got a bill from Sprint in the mail for a $700 ipad with data. Turns out someone used her name, address, Driver's License info and SS# to activate a Sprint account in central Florida (but with a local cell phone number). Last time she gave out this info was to a search firm for contract work. The account was set up a few days later.

Filled out a police report and printed out her credit reports. Luckily Sprint is the only one to ping her account recently that she didn't authorize. We did pay for one month's worth of fraud notifications, probably not worth it, but she is pretty freaked out.

Post by LawBeefaroni » Sat Jun 14, 2014 3:10 pm

Jag wrote:Filled out a police report and printed out her credit reports. Luckily Sprint is the only one to ping her account recently that she didn't authorize. We did pay for one month's worth of fraud notifications, probably not worth it, but she is pretty freaked out.
The one "good" thing about these widespread breaches is that you can pretty much count on getting hit which means you can count on free credit monitoring and fraud alerts year round. I just finished a year courtesy of Visa and just started one courtesy of Target.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT

Post by Jag » Sat Jun 14, 2014 4:34 pm

Didn't think about using those breaches. It gets pricey at $20/month.

Post by soulbringer » Sat Jun 14, 2014 4:40 pm

Hell, I don't even worry anymore. After all my shit was stolen from the SC dept of Revenue with all my tax information. We just put a freeze on everything. Sure, it's a minor setback to call and lift the freeze for a day if I need a credit check for something, but 15 minutes later it's done.

Post by Moliere » Wed Aug 06, 2014 11:18 am

Russian Hackers Amass Over a Billion Internet Passwords
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Post by Isgrimnur » Wed Aug 06, 2014 11:21 am

Details of which sites have not been forthcoming, so changing your passwords at this moment might buy you absolutely no increase in security, as the breaches may still be ongoing.

Post by Anonymous Bosch » Wed Aug 06, 2014 12:09 pm

Serves as a useful reminder as to the importance of using a secure password manager (such as KeePass) and different, cryptographically strong passwords for each and every account.

Personally, I go the extra step of using disposable email addresses for all of my internet accounts, primarily as a defense against spam. But it can also help keep my real address safe in the event of such a security breach (well, assuming the disposable email service wasn't also one of the victims).
"Good intentions will always be pleaded for every assumption of authority. It is hardly too strong to say that the Constitution was made to guard the people against the dangers of good intentions. There are men in all ages who mean to govern well, but they mean to govern. They promise to be good masters, but they mean to be masters." -- Daniel Webster

Post by Isgrimnur » Mon Aug 18, 2014 12:30 pm

Password protection doesn't help when they just hack the source.

Community Health Systems - 4.5 million patients
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

Anyone who received treatment from a network-owned hospital in the last five years -- or was merely referred there by an outside doctor -- is affected.
...
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
...
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.

But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards.

Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
...
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients "as required by federal and state law," which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
...
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins.

The company plans to offer identity theft protection to the 4.5 million victims of the data breach.
Their main site is down, so the map from the article is the best you can get at the moment.


Post by xwraith » Mon Aug 18, 2014 1:17 pm

I'm wondering what they got to. From the article it doesn't seem like they breached the EHR's database, just a demographic db of some sort. Seeing as it was talking about referrals it sounds like they found some sort of referral/encounter database.

Update: It looks like HHS hasn't posted it to their breach list yet either, not that it tells you much anyway.
I forgot to call it "a box of pure malevolent evil, a purveyor of
insidious insanity, an eldritch manifestation that would make Bill
Gates let out a low whistle of admiration," but it's all those, too.
-- David Gerard, Re: [Mediawiki-l] Wikitext grammar, 2010.08.06

Post by Isgrimnur » Mon Aug 18, 2014 1:29 pm

Would referrals include social security information?

Post by xwraith » Tue Aug 19, 2014 12:34 pm

Isgrimnur wrote:Would referrals include social security information?
Quite possibly as they may use it as a way to help determine who's who between people with the same first/last/dob.

Post by xwraith » Wed Aug 20, 2014 6:56 pm

It looks like some of the details are getting out, and that the Heartbleed vulnerability was at the root of it.

I'm still wondering what the database was that they got into.

Post by Smoove_B » Fri Aug 22, 2014 4:36 pm

...and we're off:
More than 1,000 American businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores.

The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.

Post by Kraken » Fri Aug 22, 2014 6:27 pm

Dammit, the UPS Store has my Amex info. Have to keep an eye on that now. My business Mastercard gets stolen about once a year but my Amex has been sacrosanct up to now.

Post by Isgrimnur » Tue Sep 02, 2014 3:44 pm

Home Depot
Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
...
It is not clear at this time how many stores may be impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.
...
Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.

Post by Brian » Tue Sep 02, 2014 4:34 pm

Goddamnit. I just got new cards issued less than two weeks ago.

Guess where I went shopping yesterday? Yup, Home Depot.

And I have to go back there today. I discovered that they double charged me for the garage door opener I bought.
"Don't believe everything you read on the internet." - Abraham Lincoln

Post by coopasonic » Tue Sep 02, 2014 4:49 pm

Chips and PINs are coming. Hopefully that makes credit card number thievery less of a thing... then again if they continue to hack POS devices it would be a problem.
-Coop

Post by Isgrimnur » Tue Sep 02, 2014 5:09 pm

Chip cards are supposedly only exposed when they're used at a non-chip-reading terminal, where they fall back to card swipe. Of course, there's no way to verify the chip for an online purchase. And I doubt selling home scanners for secure online processing will be very viable.

Post by Archinerd » Tue Sep 02, 2014 5:15 pm

My bank is already issuing me a new card based on a breach at a "retail store". They wouldn't tell me which store... but this sounds like it could be it.

Post by Isgrimnur » Tue Sep 02, 2014 5:18 pm

Could have been Dairy Queen, too.

Post by Kraken » Tue Sep 02, 2014 5:25 pm

I've used my mastercard at HD several times since I bought garden supplies there in the spring, so I reckon I'm a likely victim. Chase recently sent me a Visa with a new number and a microchip, so maybe the account change will keep the thieves at bay.

Post by coopasonic » Tue Sep 02, 2014 5:27 pm

Isgrimnur wrote:Chip cards are supposedly only exposed when they're used at a non-chip-reading terminal, where they fall back to card swipe. Of course, there's no way to verify the chip for an online purchase. And I doubt selling home scanners for secure online processing will be very viable.
RSA-like token/app could be a solution for online or some other kind of one time use code. Why is my World of Warcraft account more secure than my credit card?

Post by malchior » Tue Sep 02, 2014 5:31 pm

Chip and PIN has a potential drawback for the consumer - it could lead to a shift of liability for losses back to them. The banks' and merchants' first fallback will always be that the consumer was irresponsible with their PIN (i.e. what happens if you lose your debit card and someone has your PIN). There is debate whether that position will survive scrutiny, especially in a mass loss event, but it isn't all roses on the other side.

Post by coopasonic » Tue Sep 02, 2014 5:34 pm

There will be a perfect solution, but forced PIN change beats new cards... unless I have to give the PIN to all my recurring charges... yeah, no perfect solution.

Post by noxiousdog » Tue Sep 02, 2014 5:47 pm

malchior wrote:Chip and PIN has a potential drawback for the consumer - it could lead to a shift of liability for losses back to them. The banks' and merchants' first fallback will always be that the consumer was irresponsible with their PIN (i.e. what happens if you lose your debit card and someone has your PIN). There is debate whether that position will survive scrutiny, especially in a mass loss event, but it isn't all roses on the other side.
They can't hold you liable for irresponsibility. They could force you to prove it wasn't you doing the transaction.
My continuing adventures of learning to play piano. - Now Playing Moonlight Sonata

Amazon Kindle Book Loaning Thread

"To wield Grond, the mighty hammer of the Federal Government, is to be intoxicated with power beyond what you and I can reckon (though I figure we can ball park it pretty good with computers and maths). Need to tunnel through a mountain? Grond. Kill a mighty ogre? Grond. Hangnail? Grond. Spider? Grond (actually, that's a legit use, moreso than the rest)." - Peacedog
