The Data Breach Thread


Moderators: Bakhtosh, EvilHomer3k

Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

The Data Breach Thread

Post by Isgrimnur »

Your one stop shop for all the reported data breaches and associated fallout.

First up for the new thread: EBay
Online marketplace eBay says it will urge users to change their passwords following a "cyberattack" impacting a database with encrypted passwords and non-financial data.

The database includes information such as customers' names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.

In a statement released Wednesday, eBay says it has not found evidence of unauthorized activity or access to financial information, based on "extensive" tests. The company says financial data was not affected, pointing out credit card information is encrypted and stored separately from this database.
...
The compromise, which happened between late February and early March, resulted from a cyberattack targeting a small group of employee log-in credentials.

The company says emails will go out to users today to request changes to their passwords.
It's almost as if people are the problem.
GreenGoo
Posts: 42239
Joined: Thu Oct 14, 2004 10:46 pm
Location: Ottawa, ON

Re: The Data Breach Thread

Post by GreenGoo »

Any comments on the US naming and shaming Chinese military members accused of industrial espionage against many US companies? Did I miss the thread? Is it inherently political?
LawBeefaroni
Forum Moderator
Posts: 55316
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

Isgrimnur wrote:

The database includes information such as customers' names, encrypted passwords, email and physical addresses, phone numbers and dates of birth.
Changing passwords won't help customers if email, DOB, phone, and address were compromised. Especially passwords that were compromised months ago.



I'm starting to have the feeling that a bunch of this data is being gathered and stored to unleash total chaos at once. Rather than penny-ante ID theft here and there, they'll seize up entire websites or markets with a flood of stolen IDs.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

LawBeefaroni wrote:I'm starting to have the feeling that a bunch of this data is being gathered and stored to unleash total chaos at once.
his name was robert paulson
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

There's no reason for them to take birthdates. A month/date would have sufficed and been a lot safer. I hate that these places ask for actual dates.
Black Lives Matter
killbot737
Posts: 5660
Joined: Wed Mar 02, 2005 11:19 pm
Location: Next to America Jr.

Re: The Data Breach Thread

Post by killbot737 »

I don't remember whether I have an Ebay account or not. :think: I'll have to check my email archives. If I ever did I'm sure I stopped using it when they made paying by anything other than Paypal basically impossible.
There is no hug button. Sad!
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

killbot737 wrote:I don't remember whether I have an Ebay account or not. :think: I'll have to check my email archives. If I ever did I'm sure I stopped using it when they made paying by anything other than Paypal basically impossible.
I had one over ten years ago. The email associated with it is from an ISP that is long long gone. I have no idea if the account is active. The last thing I did on EBay was buy a box of these:

http://thumbs2.ebaystatic.com/d/l225/m/ ... FPHQFg.jpg


Wiki tells me that was in 2000.
killbot737
Posts: 5660
Joined: Wed Mar 02, 2005 11:19 pm
Location: Next to America Jr.

Re: The Data Breach Thread

Post by killbot737 »

Well I didn't find anything on my local archive. The only other email I would have used for that would have been an ancient yahoo account that keeps getting deactivated because I never use it.

So I guess they might get a 15 year old credit card number for a card I don't have anymore at an address I haven't lived at this century, in another state. And possibly my "untrusted" birthday. I never give out my real birthday online.
There is no hug button. Sad!
EvilHomer3k
Forum Moderator
Posts: 7918
Joined: Tue Oct 12, 2004 10:45 pm
Location: Cedar Rapids, IA

Re: The Data Breach Thread

Post by EvilHomer3k »

Ebay: Change your password we were hacked.
Homer: Okay. Ebay.com, login, change password.
Ebay: Page Not Available. Please try again later.
Homer: :grund:
That sound of the spoon scraping over the can ribbing as you corral the last ravioli or two is the signal that a great treat is coming. It's the washboard solo in God's own
bluegrass band of comfort food. - LawBeefaroni
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

P.F. Chang's with a side of Feedly and Evernote DDoS.
Feedly, a news aggregation app, is under attack.

The company reported Wednesday that it's facing a distributed denial of service (DDoS) attack launched by "criminals," who the company claims are "trying to extort...money to make it stop."

Meanwhile, Asian restaurant chain P.F. Chang's told Bloomberg in an e-mailed statement Tuesday that it is investigating whether credit and debit card information has been stolen from its restaurants. That news came after security researcher Brian Krebs reported that card numbers had popped up for sale on Internet black market sites. Krebs said the cards in question were used by P.F. Chang's customers between March and May 19.

Both stories come just after mobile and Web startup Evernote said Tuesday that it, too, was up against a DDoS attack, but that its service was quickly restored.
It's almost as if people are the problem.
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

AT&T
Attackers have compromised the personal information of an undisclosed number of AT&T Mobility wireless customers, the Dallas-based telecommunications giant has confirmed.

AT&T confirmed the data breach today, saying outside attackers — allegedly employees of one of AT&T's service providers — stole personal information on AT&T Mobility customers. The company would not disclose the number of affected users.
...
The breach was discovered May 19, and AT&T believes the data was accessed in an attempt to unlock phones for secondary market resale, the publication CSO reported.

AT&T Mobility filed a breach notification in California this week, CSO reported. From April 9 until April 21, one of AT&T’s third-party providers violated the company's security and privacy guidelines and was accessing customer data.

AT&T says in the notification that the stolen information includes Social Security numbers and call records.
It's almost as if people are the problem.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

The PF Chang one is interesting as they have not figured out where it has happened yet and fell back to manual imprints in the meantime.
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

Social Security numbers?! That should cause a definite fine. Again why are they storing SS numbers??
Black Lives Matter
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Credit checks to see if you're required to put down a 1-year deposit as a bad risk. Last 4 of SSN used to be default phone verification procedures, maybe still is. Before I left, they'd masked the first 5 for phone reps, but the managers still had the full access.
It's almost as if people are the problem.
Lorini
Posts: 8282
Joined: Wed Oct 13, 2004 8:52 am
Location: Santa Clarita, California

Re: The Data Breach Thread

Post by Lorini »

I get the credit checks. After that, why do they need to keep them?
Black Lives Matter
Jag
Posts: 14435
Joined: Wed Oct 13, 2004 3:24 pm
Location: SoFla

Re: The Data Breach Thread

Post by Jag »

My wife just got a bill from Sprint in the mail for a $700 ipad with data. Turns out someone used her name, address, Driver's License info and SS# to activate a Sprint account in central Florida (but with a local cell phone number). Last time she gave out this info was to a search firm for contract work. The account was set up a few days later.

Filled out a police report and printed out her credit reports. Luckily Sprint is the only one to ping her account recently that she didn't authorize. We did pay for one month's worth of fraud notifications, probably not worth it, but she is pretty freaked out.
LawBeefaroni
Forum Moderator
Posts: 55316
Joined: Fri Oct 15, 2004 3:08 pm
Location: Urbs in Horto, outrageous taxes on everything

Re: The Data Breach Thread

Post by LawBeefaroni »

Jag wrote:Filled out a police report and printed out her credit reports. Luckily Sprint is the only one to ping her account recently that she didn't authorize. We did pay for one month's worth of fraud notifications, probably not worth it, but she is pretty freaked out.
The one "good" thing about these widespread breaches is that you can pretty much count on getting hit which means you can count on free credit monitoring and fraud alerts year round. I just finished a year courtesy of Visa and just started one courtesy of Target.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton

MYT
Jag
Posts: 14435
Joined: Wed Oct 13, 2004 3:24 pm
Location: SoFla

Re: The Data Breach Thread

Post by Jag »

Didn't think about using those breaches. It gets pricey at $20/month.
soulbringer
Posts: 591
Joined: Sun Nov 28, 2004 5:12 pm
Location: Southern Carolina

Re: The Data Breach Thread

Post by soulbringer »

Hell I don't even worry anymore. After all my shit was stolen from the SC dept of Revenue with all my tax information. We just put a freeze on everything. Sure it's a minor setback to call and lift the freeze for a day if I need a credit check for something but 15 minutes later it's done.
Moliere
Posts: 12295
Joined: Sun Sep 03, 2006 10:57 am
Location: Walking through a desert land

Re: The Data Breach Thread

Post by Moliere »

Russian Hackers Amass Over a Billion Internet Passwords
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.

The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Details of which sites have not been forthcoming, so changing your passwords at this moment might buy you absolutely no increase in security, as the breaches may still be ongoing.
It's almost as if people are the problem.
Anonymous Bosch
Posts: 10512
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

Serves as a useful reminder as to the importance of using a secure password manager (such as KeePass) and different, cryptographically strong passwords for each and every account.

Personally, I go the extra step of using disposable email addresses for all of my internet accounts, primarily as a defense against spam. But it can also help keep my real address safe in the event of such a security breach (well, assuming the disposable email service wasn't also one of the victims).
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Password protection doesn't help when they just hack the source.

Community Health Systems - 4.5 million patients
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.

Anyone who received treatment from a network-owned hospital in the last five years -- or was merely referred there by an outside doctor -- is affected.
...
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
...
Federal investigators and Mandiant told the hospital network those hackers have previously been spotted conducting corporate espionage, targeting valuable information about medical devices.

But this time, the hackers stole patient data instead. Hackers did not manage to steal information related to patients' medical histories, clinical operations or credit cards.

Still, the lost personal information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law. That means patients could sue the hospital network for damages.
...
Making matters worse, Community Health Systems said it will provide notification to the 4.5 million patients "as required by federal and state law," which is inconsistent and varies by region. There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
...
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins.

The company plans to offer identity theft protection to the 4.5 million victims of the data breach.
Their main site is down, so the map from the article is the best you can get at the moment.

Image
It's almost as if people are the problem.
xwraith
Posts: 1085
Joined: Mon Mar 21, 2005 6:42 pm

Re: The Data Breach Thread

Post by xwraith »

I'm wondering what they got to. From the article it doesn't seem like they breached the EHR's database, just a demographic db of some sort. Seeing as it was talking about referrals it sounds like they found some sort of referral/encounter database.

Update: It looks like HHS hasn't posted it to their breach list yet either, not that it tells you much anyway.
I forgot to call it "a box of pure malevolent evil, a purveyor of
insidious insanity, an eldritch manifestation that would make Bill
Gates let out a low whistle of admiration," but it's all those, too.
-- David Gerard, Re: [Mediawiki-l] Wikitext grammar, 2010.08.06
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Would referrals include social security information?
It's almost as if people are the problem.
xwraith
Posts: 1085
Joined: Mon Mar 21, 2005 6:42 pm

Re: The Data Breach Thread

Post by xwraith »

Isgrimnur wrote:Would referrals include social security information?
Quite possibly as they may use it as a way to help determine who's who between people with the same first/last/dob.
I forgot to call it "a box of pure malevolent evil, a purveyor of
insidious insanity, an eldritch manifestation that would make Bill
Gates let out a low whistle of admiration," but it's all those, too.
-- David Gerard, Re: [Mediawiki-l] Wikitext grammar, 2010.08.06
xwraith
Posts: 1085
Joined: Mon Mar 21, 2005 6:42 pm

Re: The Data Breach Thread

Post by xwraith »

It looks like some of the details are getting out, and that the heartbleed vulnerability was at the root of it.

I'm still wondering what the database was that they got into.
I forgot to call it "a box of pure malevolent evil, a purveyor of
insidious insanity, an eldritch manifestation that would make Bill
Gates let out a low whistle of admiration," but it's all those, too.
-- David Gerard, Re: [Mediawiki-l] Wikitext grammar, 2010.08.06
Smoove_B
Posts: 54567
Joined: Wed Oct 13, 2004 12:58 am
Location: Kaer Morhen

Re: The Data Breach Thread

Post by Smoove_B »

...and we're off:
More than 1,000 American businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and most recently UPS Stores.

The attacks are much more pervasive than previously reported, and hackers are pilfering the data of millions of payment cards from American consumers without companies knowing about it, according to a new Department of Homeland Security advisory released Friday afternoon.
Maybe next year, maybe no go
Kraken
Posts: 43688
Joined: Tue Oct 12, 2004 11:59 pm
Location: The Hub of the Universe

Re: The Data Breach Thread

Post by Kraken »

Dammit, the UPS Store has my Amex info. Have to keep an eye on that now. My business Mastercard gets stolen about once a year but my Amex has been sacrosanct up to now.
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Home Depot
Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
...
It is not clear at this time how many stores may be impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.
...
Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.
It's almost as if people are the problem.
Brian
Posts: 12553
Joined: Sat Oct 16, 2004 8:51 am
Location: South of Heaven

Re: The Data Breach Thread

Post by Brian »

Goddamnit. I just got new cards issued less than two weeks ago.

Guess where I went shopping yesterday? Yup, Home Depot.

And I have to go back there today; I discovered that they double charged me for the garage door opener I bought.
"Don't believe everything you read on the internet." - Abraham Lincoln
coopasonic
Posts: 20969
Joined: Fri Mar 04, 2005 11:43 pm
Location: Dallas-ish

Re: The Data Breach Thread

Post by coopasonic »

Chips and PINs are coming. Hopefully that makes credit card number thievery less of a thing... then again if they continue to hack POS devices it would be a problem.
-Coop
Black Lives Matter
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Chip cards are supposedly only exposed when they're used at a non-chip-reading terminal, where they fall back to card swipe. Of course, there's no way to verify the chip for an online purchase. And I doubt selling home scanners for secure online processing will be very viable.
It's almost as if people are the problem.
Archinerd
Posts: 6836
Joined: Fri Aug 25, 2006 11:18 am
Location: Shikaakwa

Re: The Data Breach Thread

Post by Archinerd »

My bank is already issuing me a new card based on a breach at a "retail store". They wouldn't tell me which store... but this sounds like it could be it.
Isgrimnur
Posts: 82085
Joined: Sun Oct 15, 2006 12:29 am
Location: Chookity pok

Re: The Data Breach Thread

Post by Isgrimnur »

Could have been Dairy Queen, too.
It's almost as if people are the problem.
Kraken
Posts: 43688
Joined: Tue Oct 12, 2004 11:59 pm
Location: The Hub of the Universe

Re: The Data Breach Thread

Post by Kraken »

I've used my mastercard at HD several times since I bought garden supplies there in the spring, so I reckon I'm a likely victim. Chase recently sent me a Visa with a new number and a microchip, so maybe the account change will keep the thieves at bay.
coopasonic
Posts: 20969
Joined: Fri Mar 04, 2005 11:43 pm
Location: Dallas-ish

Re: The Data Breach Thread

Post by coopasonic »

Isgrimnur wrote:Chip cards are supposedly only exposed when they're used at a non-chip-reading terminal, where they fall back to card swipe. Of course, there's no way to verify the chip for an online purchase. And I doubt selling home scanners for secure online processing will be very viable.
RSA-like token/app could be a solution for online or some other kind of one time use code. Why is my World of Warcraft account more secure than my credit card?
-Coop
Black Lives Matter
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

Chip and Pin has a potential drawback for the consumer - it could lead to a shift of liability for losses back to them. The banks' and merchants' first fallback will always be that the consumer was irresponsible with their pin (i.e. what happens if you lose your debit card and someone has your pin). There is debate whether that position will survive scrutiny especially in a mass loss event but it isn't all roses on the other side.
coopasonic
Posts: 20969
Joined: Fri Mar 04, 2005 11:43 pm
Location: Dallas-ish

Re: The Data Breach Thread

Post by coopasonic »

There will be a perfect solution, but forced PIN change beats new cards... unless I have to give the PIN to all my recurring charges... yeah, no perfect solution.
-Coop
Black Lives Matter
noxiousdog
Posts: 24627
Joined: Tue Oct 12, 2004 11:27 pm

Re: The Data Breach Thread

Post by noxiousdog »

malchior wrote:Chip and Pin has a potential drawback for the consumer - it could lead to a shift of liability for losses back to them. The banks' and merchants' first fallback will always be that the consumer was irresponsible with their pin (i.e. what happens if you lose your debit card and someone has your pin). There is debate whether that position will survive scrutiny especially in a mass loss event but it isn't all roses on the other side.
They can't hold you liable for irresponsibility. They could force you to prove it wasn't you doing the transaction.
Black Lives Matter

"To wield Grond, the mighty hammer of the Federal Government, is to be intoxicated with power beyond what you and I can reckon (though I figure we can ball park it pretty good with computers and maths). Need to tunnel through a mountain? Grond. Kill a mighty ogre? Grond. Hangnail? Grond. Spider? Grond (actually, that's a legit use, moreso than the rest)." - Peacedog