
The Data Breach Thread

Everything else!

Moderators: Bakhtosh, EvilHomer3k

Carpet_pissr
Posts: 14019
Joined: Thu Nov 04, 2004 5:32 pm
Location: Columbia, SC

Re: The Data Breach Thread

Post by Carpet_pissr » Fri Nov 30, 2018 5:39 pm

500 million is....a lot. Jesus.

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Fri Nov 30, 2018 5:43 pm

Carpet_pissr wrote:
Fri Nov 30, 2018 5:39 pm
500 million is....a lot. Jesus.
Hey, it's only 125 million per year. /s

Lorini
Posts: 6843
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini » Mon Dec 10, 2018 7:26 pm

This is why we need companies to be responsible for security breaches
In all, the House report didn’t hold back its critique — slamming the credit rating agency’s poor security practices, especially given the data involved — which, the report noted, consumers do not “have the ability to opt out of this information collection process.”
Equifax’s response to the House’s report? Go on the defensive.

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” said Equifax spokesperson Wyatt Jefferies. “During the few hours we were given to conduct a preliminary review we identified significant inaccuracies and disagree with many of the factual findings,” the statement continued.
Complete bullshit in my opinion. It was fairly obvious that they didn't care about what happened to the data they were taking from consumers.
...and were able to pivot through the company’s various systems by obtaining an unencrypted file of passwords on one server, letting the hackers access more than 48 databases containing unencrypted consumer credit data.
There should be regulations passed so that companies understand that when they can't be bothered to secure important personal information they will have to pay fines at the least. Geezus.
Steer into the drift.

GreenGoo
Posts: 40570
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: The Data Breach Thread

Post by GreenGoo » Mon Dec 10, 2018 7:35 pm

This is the same company that provided me with someone else's credit report (albeit a sparse one) when I paid them for my wife's. That was never resolved to our satisfaction. They still have my money and we still don't have my wife's credit report.

At this point it's worth the money just to not have to deal with them any longer.

Carpet_pissr
Posts: 14019
Joined: Thu Nov 04, 2004 5:32 pm
Location: Columbia, SC

Re: The Data Breach Thread

Post by Carpet_pissr » Fri Dec 21, 2018 9:41 am

Bruegger’s


If you visited any of our company-owned Bruegger’s locations (see Appendix A for a list) between August 28, 2018 and December 3, 2018, there is a possibility that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity. Payments made through your Bruegger’s Bagel Inner Circle account or any one of your customer loyalty accounts were not affected. Any catering orders placed online with Bruegger’s Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah’s NY Bagels were also not affected by this breach.

Lorini
Posts: 6843
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini » Thu Jan 17, 2019 10:44 am

Steer into the drift.

Paingod
Posts: 10630
Joined: Wed Aug 25, 2010 8:58 am

Re: The Data Breach Thread

Post by Paingod » Thu Jan 17, 2019 10:53 am

To be fair, it's a compilation of 773 million emails and 21 million passwords from multiple breaches.
More than ever, now is the time to stand by the causes you believe in; donate and support to keep America great.
Reproductive Rights, Environmental Defense, Civil Liberties, LGBTQ Awareness, Immigration Rights
Currently playing: Elite: Dangerous, Darkest Dungeon

Carpet_pissr
Posts: 14019
Joined: Thu Nov 04, 2004 5:32 pm
Location: Columbia, SC

Re: The Data Breach Thread

Post by Carpet_pissr » Thu Jan 17, 2019 11:45 am

Got another "Have I Been Pwned" alert today:

Breach: Collection #1
Date of breach: 7 Jan 2019
Number of accounts: 772,904,991
Compromised data: Email addresses, Passwords
Description: In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Thankfully this only affected what is now my "burner" account. It used to be my primary non-work email, and I still use it, but only for sites that I register for which I may only use once or infrequently, or that I suspect would send spam.

Moliere
Posts: 12007
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere » Thu Jan 17, 2019 8:46 pm

Paingod wrote:
Thu Jan 17, 2019 10:53 am
To be fair, it's a compilation of 773 million emails and 21 million passwords from multiple breaches.
Meh, anything less than 1 billion is not newsworthy.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Rumpy
Posts: 8779
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy » Fri Jan 18, 2019 1:26 am

Two of my addresses are in that batch, one of them my old hotmail address and my first gmail that I tend to use much less now. It does seem to be a compilation of some older stuff, but it doesn't make it any less annoying.
PC:
Intel i5 660
8GB RAM
Asus ROG 4GB 1050Ti

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Tue Jan 22, 2019 11:56 am

Krebs
As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,”

Paingod
Posts: 10630
Joined: Wed Aug 25, 2010 8:58 am

Re: The Data Breach Thread

Post by Paingod » Tue Jan 22, 2019 1:08 pm

In short, change all your passwords again.

:doh:
More than ever, now is the time to stand by the causes you believe in; donate and support to keep America great.
Reproductive Rights, Environmental Defense, Civil Liberties, LGBTQ Awareness, Immigration Rights
Currently playing: Elite: Dangerous, Darkest Dungeon

Blackhawk
Posts: 27253
Joined: Tue Oct 12, 2004 9:48 pm
Location: Southwest Indiana

Re: The Data Breach Thread

Post by Blackhawk » Tue Jan 22, 2019 3:51 pm

I have probably 600. That isn't changeable.
[This space left intentionally blank.]

Moliere
Posts: 12007
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere » Tue Jan 22, 2019 7:51 pm

Can you recognize a phishing attack? Take the Google test.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

coopasonic
Posts: 16241
Joined: Fri Mar 04, 2005 11:43 pm
Location: Dallas-ish

Re: The Data Breach Thread

Post by coopasonic » Wed Jan 23, 2019 1:06 pm

Paingod wrote:
Tue Jan 22, 2019 1:08 pm
In short, change all your passwords again.

:doh:
Nah, only the ones that matter. Bank, sure. OO, pffft.
-Coop

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Wed Feb 27, 2019 5:11 pm

You know what's awesome for security? Trying to hamstring a new, more secure protocol because you like the holes that the old one had.

EFF
The good news: TLS 1.3 is available, and the protocol, which powers HTTPS and many other encrypted communications, is better and more secure than its predecessors (including SSL).

The bad news: Thanks to a financial industry group called BITS, there’s a look-alike protocol brewing called ETS (or eTLS) that intentionally disables important security measures in TLS 1.3. If someone suggests that you should deploy ETS instead of TLS 1.3, they are selling you snake oil and you should run in the other direction as fast as you can.

ETS removes forward secrecy, a feature that is so widely used and valued in TLS 1.2 that TLS 1.3 made it mandatory. This invisibly undermines security and has the potential to seriously worsen data breaches. As the ETS / eTLS spec says: "eTLS does not provide per-session forward secrecy. Knowledge of a given static Diffie-Hellman private key can be used to decrypt all sessions encrypted with that key."
...
Late in the TLS 1.3 process, BITS came forward on behalf of these companies and said their members “depend upon the ability to decrypt TLS traffic to implement data loss protection, intrusion detection and prevention, malware detection, packet capture and analysis, and DDoS mitigation.” In other words, BITS members send a copy of all encrypted traffic somewhere else for monitoring. The monitoring devices have a copy of all private keys, and so can decrypt all that traffic. They’d like TLS 1.3 to offer algorithms that disable forward secrecy so they can keep doing this decryption.
...
In response to these objections, some IETF participants produced a modest proposal: By tweaking some parameters, they could make a TLS 1.3 server look like it was providing forward secrecy, but actually not provide it. This proposal, mentioned earlier and called “Static Diffie-Hellman,” would misuse a number in the handshake that is supposed to be random and discarded after each handshake. Instead of randomly generating that number (the Diffie-Hellman private key), a server using this technique would use the same number for all connections, and make sure to share a copy of it with the devices doing decryption. This would only require changes to servers, not clients, and would look just like the secure version of TLS 1.3.

After much discussion, IETF decided not to standardize this modest proposal. Its risks were too great. So BITS took it to another standards organization, ETSI, which was more willing to play ball. ETSI has been working on its weakened variant since 2017, and in October 2018 released a document calling their proposal eTLS. They even submitted public comment asking NIST to delay publication of new guidelines on using TLS 1.3 and recommend eTLS instead.
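The EFF article quoted above describes the "Static Diffie-Hellman" trick: a server reuses one DH private key for every handshake so that a device holding that key can recompute every session key, while the handshake still looks like ordinary TLS 1.3 on the wire. The added example below (not the EFF's or ETSI's code, and not real TLS) models that behaviour with a toy Diffie-Hellman group: an ephemeral server discards its private key after each handshake, a static server keeps it. `server_share_reused` is the client-side check a practitioner would run across several connections, and `keys_recoverable_with` demonstrates the sentence the eTLS spec itself states, that the static private key plus the public transcript recovers every session key. The prime, generator and key-derivation step are assumptions chosen for readability, not a TLS group.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters (assumed for this example only): a 127-bit
# Mersenne prime and a small generator.  Real TLS 1.3 uses X25519 or the
# RFC 7919 finite-field groups; the reuse property shown here is the same.
P = 2**127 - 1
G = 5


def keypair():
    """Fresh private exponent and the matching public share g^priv mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv, their_pub):
    """Derive a 32-byte session key from the DH shared secret."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Server:
    """static=False: a new DH key per handshake, which is what TLS 1.3 mandates.
    static=True: one long-lived DH private key reused for every handshake,
    the 'Static Diffie-Hellman' / eTLS behaviour described in the article."""

    def __init__(self, static=False):
        self.static = static
        self._static_priv, self._static_pub = keypair()

    def handshake(self, client_pub):
        if self.static:
            priv, pub = self._static_priv, self._static_pub
        else:
            priv, pub = keypair()  # discarded as soon as this handshake ends
        return pub, session_key(priv, client_pub)


def run_sessions(server, n):
    """Client side of n handshakes.  Returns the public transcript (what a
    passive observer or a packet-capture box sees) and the agreed session keys."""
    transcript, keys = [], []
    for _ in range(n):
        c_priv, c_pub = keypair()
        s_pub, s_key = server.handshake(c_pub)
        c_key = session_key(c_priv, s_pub)
        assert c_key == s_key  # both ends derive the same key
        transcript.append((c_pub, s_pub))
        keys.append(c_key)
    return transcript, keys


def server_share_reused(transcript):
    """Client-side check: a server that sends the same key share in more than
    one handshake is not providing per-session forward secrecy."""
    shares = [s_pub for _, s_pub in transcript]
    return len(set(shares)) < len(shares)


def keys_recoverable_with(server_priv, transcript):
    """What the eTLS spec warns about: given the static private key and the
    recorded client shares, every session key can be recomputed after the fact."""
    return [session_key(server_priv, c_pub) for c_pub, _ in transcript]


if __name__ == "__main__":
    for static in (False, True):
        srv = Server(static=static)
        transcript, keys = run_sessions(srv, 3)
        print("static" if static else "ephemeral",
              "share reused:", server_share_reused(transcript),
              "all keys recoverable:", keys_recoverable_with(srv._static_priv, transcript) == keys)
```

Against a real server the same check means opening several connections and comparing the server's `key_share` values; any repetition across handshakes is the signature of the static-key variant, since a conforming TLS 1.3 server never reuses one.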

Pyperkub
Posts: 19293
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub » Wed Feb 27, 2019 5:19 pm

The Equifax House hearing yesterday was fascinating:
“If you agree that exposing this kind of information — information like that that you have in your credit reports — creates harm, therefore you’re unwilling to share it, why are your lawyers arguing in federal court that there was no injury and no harm created by your data breach?”

Begor responded that it’s “hard for me to comment on what our lawyers are doing,” but the congresswoman told him: “You do employ those lawyers.”
AOC too:
.@AOC: Do consumers ever explicitly consent to giving their data to you? Equifax CEO: There is not consent by the consumer to give us the data. AOC: So consumers own their data, but credit bureaus collect their information without their consent? Equifax CEO: That’s correct.
There are three ways to not tell the truth: lies, damned lies, and statistics.

Moliere
Posts: 12007
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere » Wed Mar 06, 2019 8:27 pm

Update Chrome, right now. Stop reading this. Start updating. Right now.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Mon Mar 11, 2019 4:02 pm

ZDNet
Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.

In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.
...
Of the 43, academics paid half of the group with €100, and the other half with €200, to determine if higher pay made a difference in the implementation of password security features.

Further, they divided the developer group a second time, prompting half of the developers to store passwords in a secure manner, and leaving the other half to store passwords in their preferred method -- hence forming four quarters of developers.
...
Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.

Of the 18 who had to resubmit their code, 15 developers were part of the group that were never told the user registration system needed to store passwords securely, showing that developers don't inherently think about security when writing code.

The other three were from the half that was told to use a secure method to store passwords, but who stored passwords in plaintext anyway.

The results show that the level of understanding of what "secure passwords" mean differs greatly in the web development community.

Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.

8 - Base64
10 - MD5
1 - SHA-1
3 - 3DES
3 - AES
5 - SHA-256
1 - HMAC/SHA1
5 - PBKDF2
7 - Bcrypt

The first, Base64, isn't even an encryption algorithm, but an encoding function, something that the participating developers didn't seem to know. Similarly for MD5, which is a hashing function.
...
Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor.

The study also found that 17 of the 43 developers copied their code from internet sites, suggesting that the freelancers didn't have the necessary skills to develop a secure system from scratch, and chose to use code that might be outdated or even riddled with bugs.

Paying developers higher rates didn't help considerably, researchers said.

Pyperkub
Posts: 19293
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub » Mon Mar 11, 2019 5:02 pm

Citrix:
The notice published Friday morning sent shockwaves through security circles because Citrix’s products and services are used by more than 400,000 organizations around the world, including 98 percent of the Fortune 500. Citrix is also widely used by governments and militaries. An intrusion by overseas hackers carries the risk of exposing technical information that could compromise the networks of customers.

Citrix said it still doesn’t know what specific data was stolen, but an initial investigation appears to show the attackers may have obtained business documents. For now, company officials said, there’s no indication that the security of any Citrix product or service was compromised. The company has commenced a forensic investigation and engaged a security firm to assist. Citrix has also taken unspecified actions to better secure its internal network.

Citrix said it was contacted by the FBI on Wednesday and that the bureau said it had reason to believe the Citrix network was breached.

“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Friday’s statement read. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security.”
There are three ways to not tell the truth: lies, damned lies, and statistics.

Pyperkub
Posts: 19293
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub » Mon Mar 11, 2019 5:13 pm

Isgrimnur wrote:
Mon Mar 11, 2019 4:02 pm
ZDNet
Freelance developers need to be explicitly told to write code that stores passwords in a safe and secure manner, a recent study has revealed.

In an experiment that involved 43 programmers hired via the Freelancer.com platform, University of Bonn academics have discovered that developers tend to take the easy way out and write code that stores user passwords in an unsafe manner.
...
Of the 43, academics paid half of the group with €100, and the other half with €200, to determine if higher pay made a difference in the implementation of password security features.

Further, they divided the developer group a second time, prompting half of the developers to store passwords in a secure manner, and leaving the other half to store passwords in their preferred method -- hence forming four quarters of developers.
...
Researchers said developers took three days to submit their work, and that they had to ask 18 of the 43 to resubmit their code to include a password security system when they first sent a project that stored passwords in plaintext.

Of the 18 who had to resubmit their code, 15 developers were part of the group that were never told the user registration system needed to store passwords securely, showing that developers don't inherently think about security when writing code.

The other three were from the half that was told to use a secure method to store passwords, but who stored passwords in plaintext anyway.

The results show that the level of understanding of what "secure passwords" mean differs greatly in the web development community.

Of the secure password storage systems developers chose to implement for this study, only the last two, PBKDF2 and Bcrypt, are considered secure.

8 - Base64
10 - MD5
1 - SHA-1
3 - 3DES
3 - AES
5 - SHA-256
1 - HMAC/SHA1
5 - PBKDF2
7 - Bcrypt

The first, Base64, isn't even an encryption algorithm, but an encoding function, something that the participating developers didn't seem to know. Similarly for MD5, which is a hashing function.
...
Furthermore, only 15 of the 43 developers chose to implement salting, a process through which the encrypted password stored inside an application's database is made harder to crack with the addition of a random data factor.

The study also found that 17 of the 43 developers copied their code from internet sites, suggesting that the freelancers didn't have the necessary skills to develop a secure system from scratch, and chose to use code that might be outdated or even riddled with bugs.

Paying developers higher rates didn't help considerably, researchers said.
Outsourcing your coding could mean you're outsourcing your security...
There are three ways to not tell the truth: lies, damned lies, and statistics.
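The University of Bonn study quoted in the two posts above found developers shipping Base64 and unsalted MD5 as "password storage", with only PBKDF2 and bcrypt rated secure and only 15 of 43 salting at all. The added example below (not from the study, ZDNet or either poster) puts the three approaches side by side using only the Python standard library: Base64 is decoded straight back to the password, MD5 without a salt gives every user with the same password the same stored value, and the PBKDF2-HMAC-SHA256 version stores a random per-user salt and the iteration count with the hash and verifies with a constant-time comparison. The storage string format and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os


# --- what most participants in the study shipped --------------------------
def store_base64(password: str) -> str:
    """Base64 is an encoding, not a hash: anyone who reads the table gets the
    password back with one decode call."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_base64(stored: str) -> str:
    return base64.b64decode(stored).decode("utf-8")


def store_md5(password: str) -> str:
    """Unsalted fast hash: identical passwords produce identical rows, and a
    precomputed table of common passwords applies to every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- salted, iterated storage: PBKDF2-HMAC-SHA256 --------------------------
# Assumed default for this example; tune so one hash costs roughly 100 ms
# on the hardware that will verify logins.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.
    The salt is 16 random bytes drawn fresh for every stored password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "hunter2"
    print("base64 round-trips to:", recover_base64(store_base64(pw)))
    print("md5 for two users with the same password:", store_md5(pw), store_md5(pw))
    a, b = hash_password(pw, 50_000), hash_password(pw, 50_000)
    print("salted PBKDF2, same password, different rows:", a != b)
    print("verify correct / wrong:", verify_password(pw, a), verify_password("hunter3", a))
```

Storing the iteration count inside the record is what lets the cost be raised later: verify with the stored value, then re-hash with the new default on the next successful login. bcrypt, the other option the study rated secure, follows the same idea but is not in the standard library.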

Moliere
Posts: 12007
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere » Thu Mar 21, 2019 7:46 pm

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Fri Mar 22, 2019 8:53 pm

FEMA
The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. disaster survivors in what the agency acknowledged Friday was a “major privacy incident.”

The data breach, discovered recently and the subject of a report by the Department of Homeland Security’s Office of Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors who used FEMA’S Transitional Sheltering Assistance program, according to officials at FEMA. Those affected included the victims of California wildfires in 2017 and Hurricanes Harvey, Irma and Maria, the report said.

In a statement, Lizzie Litzow, FEMA’s press secretary, said the breach happened because “FEMA provided more information than was necessary” while transferring disaster survivor information to a contractor.
...
He said 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just their addresses shared.

It is unclear if the data breach had led to identity theft or other malicious actions, he said.
...
The Inspector General report told FEMA it needed to install controls to make sure such data would not continue to be shared with contractors and that the agency needed to assess how wide the breach was and to make sure that data in the contractor’s system was destroyed.

Pyperkub
Posts: 19293
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub » Mon Mar 25, 2019 4:50 pm

ASUS Software Updates:
Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says.

ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.

The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines.
Ack! Gotta check my home machine, though I don't think the ASUS Live Update software has ever worked on it (over 3 years).
There are three ways to not tell the truth: lies, damned lies, and statistics.

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Fri May 17, 2019 12:02 pm

zdnet
Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of a cheap "chosen-prefix collision attack," a more practical version of the SHA-1 collision attack first carried out by Google two years ago.

What this means is that SHA-1 collision attacks can now be carried out with custom inputs, and they're not just accidental mishaps anymore, allowing attackers to target certain files to duplicate and forge.
...
Two years ago, academics from Google and CWI produced two files that had the same SHA-1 hash, in the world's first ever SHA-1 collision attack -- known as "SHAttered."

Cryptographers predicted SHA-1 would be broken in a real-world scenario, but the SHAttered research came three years earlier than they expected, and also cost only $110,000 to execute using cloud-rented computing power, far less than what people thought it might cost.
...
What this means is that SHA-1 collision attacks aren't a game of roulette anymore, and now, threat actors can forge any SHA-1-signed documents they want, ranging from business documents to TLS certificates.

But the work that Peyrin and his colleague, Gaetan Leurent, have done goes far beyond just proving SHA-1 chosen-prefix collision attacks are theoretically possible.

They also showed that such attacks are now cheap and in the budget of cybercrime and nation-state attackers.

Rumpy
Posts: 8779
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy » Sun Jun 02, 2019 8:10 pm

Dunno if anyone here uses Flipboard, but there's been a data breach:
https://lifehacker.com/flipboard-users- ... 1835091775

Well, the nice thing is that they reset everyone's passwords as a precaution, which I really wish more services would do. I have an old account but ironically enough I can't get a password reset email sent like they tell everyone to do. Does nothing.
PC:
Intel i5 660
8GB RAM
Asus ROG 4GB 1050Ti

Stefan Stirzaker
Posts: 979
Joined: Wed Nov 03, 2004 6:12 pm
Location: Australia

Re: The Data Breach Thread

Post by Stefan Stirzaker » Tue Jun 04, 2019 12:36 am

19 years of student data including bank accounts, tax numbers and passport info stolen after one of Oz's leading universities is hacked.

Small but lots of identity theft potential here.

https://mobile.abc.net.au/news/2019-06- ... fmredir=sm

Including mine :( been a student there 3 years ago

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Wed Jun 05, 2019 2:33 pm

LabCorp and Quest Diagnostics
A security breach at a billing company has resulted in nearly 20 million patients of LabCorp and Quest Diagnostics getting their information stolen from them. The breach was first disclosed Monday by Quest Diagnostics, which reported in a Securities and Exchange Commission filing that a breach at third-party collections vendor American Medical Collection Agency (AMCA) compromised 11.9 million customers. Today, LabCorp indicated that 7.7 million of its patients were also affected by the AMCA breach.
...
According to Quest Diagnostics' SEC filing, AMCA's payment system was compromised on August 1, 2018 and remained vulnerable through March 30. Exposed information includes patient names, dates of birth, addresses, phone numbers, dates of service, providers and balance information. LabCorp disclosed that about 200,000 people also had their credit card or bank account information stolen. Medical data and laboratory test results were not exposed.

LordMortis
Posts: 61282
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis » Mon Jun 17, 2019 8:38 am

What would someone gain from hacking my Spotify account? I haven't used it in a long time. It is a free account. But I received notice of a lock and password reset due to suspicious activity. (I do fear that when I registered, I registered under a common password and a cross reference of password and email could get in to other old accounts)

Pyperkub
Posts: 19293
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub » Tue Jun 18, 2019 8:18 pm

Isgrimnur wrote:
Wed Jun 05, 2019 2:33 pm
LabCorp and Quest Diagnostics
A security breach at a billing company has resulted in nearly 20 million patients of LabCorp and Quest Diagnostics getting their information stolen from them. The breach was first disclosed Monday by Quest Diagnostics, which reported in a Securities and Exchange Commission filing that a breach at third-party collections vendor American Medical Collection Agency (AMCA) compromised 11.9 million customers. Today, LabCorp indicated that 7.7 million of its patients were also affected by the AMCA breach.
...
According to Quest Diagnostics' SEC filing, AMCA's payment system was compromised on August 1, 2018 and remained vulnerable through March 30. Exposed information includes patient names, dates of birth, addresses, phone numbers, dates of service, providers and balance information. LabCorp disclosed that about 200,000 people also had their credit card or bank account information stolen. Medical data and laboratory test results were not exposed.
AMCA files for Chapter 11:
The healthcare debt collector ransacked by hackers, who gained access to millions of patients' personal information, has filed for bankruptcy protection.

Retrieval Masters Creditors Bureau, aka American Medical Collection Agency, told the Southern New York US District Court this week that it was seeking chapter 11 bankruptcy protection.
There are three ways to not tell the truth: lies, damned lies, and statistics.

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Fri Jul 05, 2019 3:05 pm

Krebs
Earlier this month, Google disclosed that a supply chain attack by one of its vendors resulted in malicious software being pre-installed on millions of new budget Android devices. Google didn’t exactly name those responsible, but said it believes the offending vendor uses the nicknames “Yehuo” or “Blazefire.” What follows is a deep dive into the identity of that Chinese vendor, which appears to have a long and storied history of pushing the envelope on mobile malware.

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Mon Jul 22, 2019 9:23 am

USA Today
Credit-reporting company Equifax will pick up the tab in a deal with the Federal Trade Commission, Consumer Financial Protection Bureau and 50 states and territories to settle allegations that it did not implement sufficient security measures to protect its network.

The deal calls for Equifax to pay at least $575 million, including $300 million for free credit monitoring services, $175 million to states, the District of Columbia and Puerto Rico and $100 million in penalties to the CFPB.

The company could be forced to pay another $125 million if the initial amount is not enough to cover consumers' losses, bringing the total tab to up to $700 million.
...
The FTC also said Equifax had stored network credentials and passwords, Social Security numbers and other consumer data in plain text files, which makes them more susceptible to criminal activity.

Zaxxon
Forum Moderator
Posts: 21982
Joined: Wed Oct 13, 2004 12:11 am
Location: Surrounded by Mountains

Re: The Data Breach Thread

Post by Zaxxon » Mon Jul 29, 2019 9:21 pm

What's in your wallet?

Nothing; it was all stolen...

http://press.capitalone.com/phoenix.zht ... ID=2405043

Isgrimnur
Posts: 62536
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur » Mon Jul 29, 2019 9:38 pm

over 99 percent of Social Security numbers were not compromised.

LawBeefaroni
Forum Moderator
Posts: 46834
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, where we only use the old smilies

Re: The Data Breach Thread

Post by LawBeefaroni » Mon Jul 29, 2019 9:43 pm

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers

About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
So only 1.1M or so. No biggie.
"Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT

Kraken
Posts: 34654
Joined: Tue Oct 12, 2004 11:59 pm
Location: The Hub of the Universe

Re: The Data Breach Thread

Post by Kraken » Mon Jul 29, 2019 10:25 pm

Guess who just got a new Capital One card yesterday.

Zaxxon
Forum Moderator
Posts: 21982
Joined: Wed Oct 13, 2004 12:11 am
Location: Surrounded by Mountains

Re: The Data Breach Thread

Post by Zaxxon » Wed Jul 31, 2019 3:12 pm


LordMortis
Posts: 61282
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis » Wed Jul 31, 2019 5:51 pm

Zaxxon wrote:
Wed Jul 31, 2019 3:12 pm
When I went through the paperwork, the $125 was because you are already using a credit monitoring service. I am not, so I chose the credit monitoring. It didn't read like an option to take the $125 unless I lied, which I am not apt to do for something directly tied to things that are of legal concern. I then went on to request reimbursement for time and money spent on freezing my credit and trials associated with life since then. We'll see if I get a check or not.

Zaxxon
Forum Moderator
Posts: 21982
Joined: Wed Oct 13, 2004 12:11 am
Location: Surrounded by Mountains

Re: The Data Breach Thread

Post by Zaxxon » Wed Jul 31, 2019 5:55 pm

I think the point is more that folks are either going to get less money than the cost of a postage stamp, or they'll get a zero-marginal cost service from Equifax promising to protect their personal information (you know, the stuff Equifax has proven incapable of protecting).

If they were going to make monitoring part of the settlement, it really should have included an option to take as cash the 'hundreds of dollars of value per year' that the settlement FAQ states this service is worth, so consumers could then go purchase whatever monitoring service they'd like.

LordMortis
Posts: 61282
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis » Wed Jul 31, 2019 6:07 pm

they'll get a zero-marginal cost service from Equifax promising to protect their personal information (you know, the stuff Equifax has proven incapable of protecting).
That's what I'll be getting because, again, that's what the settlement sounded like I had to take. And I concur with your assessment. Why would I have faith in their ability to monitor my credit now, when they were monitoring it before without my approval and their watchful eye was exactly what exposed me to identity theft?

I do believe they should be liable, and for much more than the $125 I am not entitled to, nor even the $95 claim I made that I have doubts I will receive.

I have no idea what the fine print was on the $125 is, as I couldn't ask for it but class actions always seem to work this way, so

