The Data Breach Thread


Anonymous Bosch
Posts: 10512
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

hitbyambulance wrote: Thu May 06, 2021 6:35 pm a cautionary tale:

the lift never actually occurred. i called TransUnion to try to figure this out, and they wanted the PIN. where did i write that down? i can't find it. i am 100% sure i wrote that down, but it's not where i am positive i recorded it. ok, so they asked me a security question on what was my credit limit on the credit card i opened in 1996. ummmmm.

so now i have to send in documentation and a photocopy of my state ID to try to get my account restored. at no time was the question 'why isn't the web portal to lift the credit freeze actually functioning as intended?' actually answered, because no one knew.

EDIT: i just went on the webpage and changed my PIN. no security questions asked at all.
That's a useful illustration of why it's prudent to store such vital info using a secure password manager instead of just writing it down somewhere easily misplaced. All the more so with solid FOSS options available, like Bitwarden and KeePass / KeePassXC.
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
hitbyambulance
Posts: 10233
Joined: Wed Oct 13, 2004 3:51 am
Location: Map Ref 47.6°N 122.35°W

Re: The Data Breach Thread

Post by hitbyambulance »

update: supposedly figured out, but i was required to pay a $50 deposit on the service that will supposedly be refunded at the end of twelve months' continuous service. some looking this up indicates this deposit is charged for people with less-than-stellar credit scores, or if the credit report could not be pulled. i have an excellent credit rating, so i'm not sure what this is about.
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

hitbyambulance wrote: Fri May 07, 2021 3:42 pm update: supposedly figured out, but i was required to pay a $50 deposit on the service that will supposedly be refunded at the end of twelve months' continuous service. some looking this up indicates this deposit is charged for people with less-than-stellar credit scores, or if the credit report could not be pulled. i have an excellent credit rating, so i'm not sure what this is about.
This is what I expect when I go to cable cord cut and get a new ISP, only I was prepped for something like $250 held over a 24 month period.
Anonymous Bosch
Posts: 10512
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

A New Kind of Ransomware Tsunami Hits Hundreds of Companies
wired.com wrote:An apparent supply chain attack exploited Kaseya's IT management software to encrypt a "monumental" number of victims all at once.

It was probably inevitable that the two dominant cybersecurity threats of the day—supply chain attacks and ransomware—would combine to wreak havoc. That’s precisely what happened Friday afternoon, as the notorious REvil criminal group successfully encrypted the files of hundreds of businesses in one swoop, apparently thanks to compromised IT management software. And that’s only the very beginning.

The situation is still developing and certain details—most important, how the attackers infiltrated the software in the first place—remain unknown. But the impact has already been severe and will only get worse given the nature of the targets. The software in question, Kaseya VSA, is popular among so-called managed service providers, which provide IT infrastructure for companies that would rather outsource that sort of thing than run it themselves. Which means that if you successfully hack an MSP, you suddenly have access to its customers. It’s the difference between cracking safe-deposit boxes one at a time and stealing the bank manager’s skeleton key.

So far, according to security company Huntress, REvil has hacked eight MSPs. The three that Huntress works with directly account for 200 businesses that found their data encrypted Friday. It doesn’t take much extrapolation to see how much worse it gets from there, especially given Kaseya’s ubiquity.

“Kaseya is the Coca-Cola of remote management,” says Jake Williams, chief technology officer of the incident response firm BreachQuest. “Because we’re going into a holiday weekend, we won’t even know how many victims are out there until Tuesday or Wednesday of next week. But it’s monumental.”

Worst of Both Worlds
MSPs have long been a popular target, particularly of nation-state hackers. Hitting them is a terrifically efficient way to spy, if you can manage it. As a Justice Department indictment showed in 2018, China’s elite APT10 spies used MSP compromises to steal hundreds of gigabytes of data from dozens of companies. REvil has targeted MSPs before, too, using its foothold into a third-party IT company to hijack 22 Texas municipalities at once in 2019.

Supply chain attacks have become increasingly common as well, most notably in the devastating SolarWinds campaign last year that gave Russia access to multiple US agencies and countless other victims. Like MSP attacks, supply chain hacks also have a multiplicative effect; tainting one software update can yield hundreds of victims.

You can start to see, then, why a supply chain attack that targets MSPs has potentially exponential consequences. Throw system-crippling ransomware into the mix, and the situation becomes even more untenable. It brings to mind the devastating NotPetya attack, which also used a supply chain compromise to spread what at first seemed like ransomware but was really a nation-state attack perpetrated by Russia. A more recent Russian campaign comes to mind as well.

“This is SolarWinds, but with ransomware,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “When a single MSP is compromised, it can impact hundreds of end users. And in this case it seems that multiple MSPs have been compromised, so …”

BreachQuest's Williams says that REvil appears to be asking victim companies for the equivalent of roughly $45,000 in the cryptocurrency Monero. If they fail to pay within a week, the demand doubles. Security news site BleepingComputer reports that REvil has asked some victims for $5 million for a decryption key that unlocks “all PCs of your encrypted network,” which may be targeted to MSPs specifically rather than their clients.

“We often talk about MSPs being the mother ship for many small-to-medium business and organizations,” says John Hammond, senior security researcher at Huntress. “But if Kaseya is what is hit, bad actors just compromised all of their mother ships.”
"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »

T-Mobile

Oh, man… I just switched to T-Mobile.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

Oh look another time my data has been stolen. I wonder when an individual's data has been stolen and resold enough that it stops becoming valuable.
gilraen
Posts: 4312
Joined: Wed Sep 04, 2013 7:45 pm
Location: Broomfield, CO

Re: The Data Breach Thread

Post by gilraen »

malchior wrote: Mon Aug 16, 2021 8:00 pm Oh look another time my data has been stolen. I wonder when an individual's data has been stolen and resold enough that it stops becoming valuable.
I think that's pretty much how I feel at this point.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

gilraen wrote: Tue Aug 17, 2021 10:15 am
malchior wrote: Mon Aug 16, 2021 8:00 pm Oh look another time my data has been stolen. I wonder when an individual's data has been stolen and resold enough that it stops becoming valuable.
I think that's pretty much how I feel at this point.
The only annoying part is that I have to constantly be on guard because of it. I mentioned it elsewhere but someone filed a blatantly obvious false unemployment claim in my name. I think it is reasonable to think it is adjacent to one of these data breaches. And what'll happen to T-Mobile? They'll maybe give us some pittance settlement or some free credit monitoring. I guess I'll throw that on my pile of other free credit monitoring from other data breaches.
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

So much that. Everyone wants to give me free credit monitoring as restitution for not protecting the stuff they mandate I give them or they take without my permission. T Mobile is particularly bad in this instance because everything has gotten worse since they bought accounts related to me and my family. They made my Sprint service demonstrably worse and absolutely destroyed my parents' Boost service (which was fine through Sprint service but is now garbage through T Mobile) and forced rate hikes. And now they just exposed all my data *again*. At least my credit is already frozen from the Equifax "you might be compromised but we sincerely don't think so... No wait, now that we've had a few months to lawsuit about it you have definitely been tanked."

Also 5 years later and I've never received any of my refunds from Equifax for the cost (and time) of credit freezing, nor have I actually received any of their monitoring services.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

Not a data breach but cybersecurity news nonetheless. You might want to rethink your VPN provider if you use ExpressVPN or other Kape Technology VPN products. They employ an ethically dubious CTO who was responsible for hacking American computers in service of the UAE government. He is currently under a deferred prosecution agreement for those crimes. Kape is inexplicably standing by him and saying he is the right person for the job because he used to be a spy for a foreign government's offensive hacking operation. An odd position for a company whose product is based on trust that they are not spying on your traffic.
On Tuesday, Reuters reported that Daniel Gericke, who joined ExpressVPN as CIO in December 2019, was among the three former US intelligence and military operatives who, under a deal to avoid prosecution, admitted to violating US hacking laws by working as "cyber spies" for the United Arab Emirates and were fined $1.6 million.

Gericke, along with two ex-US intelligence operatives Marc Baier and Ryan Adams, was reportedly part of Project Raven, a covert team tasked with building the UAE's Karma hacking system and hacking into the accounts of human rights activists, journalists, and rival governments “at the behest of the UAE’s monarchy,” according to a 2019 Reuters investigation.

The revelations of Daniel Gericke’s involvement in Project Raven surfaced a day after the $936-million acquisition of ExpressVPN by Kape Technologies, a company that already owns three other VPNs in Private Internet Access, ZenMate and CyberGhost.
Anonymous Bosch
Posts: 10512
Joined: Thu Oct 14, 2004 6:09 pm
Location: Northern California [originally from the UK]

Re: The Data Breach Thread

Post by Anonymous Bosch »

malchior wrote: Thu Sep 23, 2021 11:46 pm Not a data breach but cybersecurity news nonetheless. You might want to rethink your VPN provider if you use ExpressVPN or other Kape Technology VPN products. They employ an ethically dubious CTO who was responsible for hacking American computers in service of the UAE government. He is currently under a deferred prosecution agreement for those crimes. Kape is inexplicably standing by him and saying he is the right person for the job because he used to be a spy for a foreign government's offensive hacking operation. An odd position for a company whose product is based on trust that they are not spying on your traffic.
On Tuesday, Reuters reported that Daniel Gericke, who joined ExpressVPN as CIO in December 2019, was among the three former US intelligence and military operatives who, under a deal to avoid prosecution, admitted to violating US hacking laws by working as "cyber spies" for the United Arab Emirates and were fined $1.6 million.

Gericke, along with two ex-US intelligence operatives Marc Baier and Ryan Adams, was reportedly part of Project Raven, a covert team tasked with building the UAE's Karma hacking system and hacking into the accounts of human rights activists, journalists, and rival governments “at the behest of the UAE’s monarchy,” according to a 2019 Reuters investigation.

The revelations of Daniel Gericke’s involvement in Project Raven surfaced a day after the $936-million acquisition of ExpressVPN by Kape Technologies, a company that already owns three other VPNs in Private Internet Access, ZenMate and CyberGhost.
Indeed, in terms of consumer privacy, the primary concern with VPN services such as ExpressVPN has always been that when using a third party provider, you have to trust in them not to log your browser activity and hand it out to others, and not to allow SNAFUs like this to happen. Which kinda flies in the face of what they invariably claim to offer, as aptly explained in the video below:

"There is only one basic human right, the right to do as you damn well please. And with it comes the only basic human duty, the duty to take the consequences." — P. J. O'Rourke
hepcat
Posts: 51302
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: The Data Breach Thread

Post by hepcat »

Hmmm....I use Private Internet Access but didn't realize they'd been bought by Kape back in 2019. I'll need to do some investigatin' now.
Covfefe!
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Company that routes SMS for all major US carriers was hacked for five years
Syniverse, a company that routes hundreds of billions of text messages every year for hundreds of carriers including Verizon, T-Mobile, and AT&T, revealed to government regulators that a hacker gained unauthorized access to its databases for five years. Syniverse and carriers have not said whether the hacker had access to customers' text messages.

A filing with the Securities and Exchange Commission last week said that "in May 2021, Syniverse became aware of unauthorized access to its operational and information technology systems by an unknown individual or organization. Promptly upon Syniverse's detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals."

Syniverse said that its "investigation revealed that the unauthorized access began in May 2016" and "that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer ('EDT') environment was compromised for approximately 235 of its customers."
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

Time to change another password...

Twitch source code and creator payouts reportedly part of massive leak
Twitch appears to have been hacked, leaking source code for the company’s streaming service, an unreleased Steam competitor from Amazon Game Studios, and details of creator payouts. An anonymous poster on the 4chan messaging board has released a 125GB torrent, which they claim includes the entirety of Twitch and its commit history.

The poster claims the leak is designed to “foster more disruption and competition in the online video streaming space.” While The Verge is unable to immediately verify the contents of the leak, Video Games Chronicle reports that it’s legit.

The leak is said to include the following:
  • 3 years worth of details regarding creator payouts on Twitch.
  • The entirety of twitch.tv, “with commit history going back to its early beginnings.”
  • Source code for the mobile, desktop, and video game console Twitch clients.
  • Code related to proprietary SDKs and internal AWS services used by Twitch.
  • An unreleased Steam competitor from Amazon Game Studios.
  • Data on other Twitch properties like IGDB and CurseForge.
  • Twitch’s internal security tools.
The leak is labelled as “part one,” suggesting there could be more to come. Video Games Chronicle reports that the data may have been obtained as early as this week and that Twitch is aware of the breach.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Blackhawk
Posts: 43491
Joined: Tue Oct 12, 2004 9:48 pm
Location: Southwest Indiana

Re: The Data Breach Thread

Post by Blackhawk »

Time to stop using the client for a while, too.
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

I also wouldn't assume that whatever problems might bedevil the client won't translate to some vector in the web client - though there would need to be a browser vulnerability on top so it's likely lower risk to be sure.
Pyperkub
Posts: 23583
Joined: Mon Dec 13, 2004 5:07 pm
Location: NC- that's Northern California

Re: The Data Breach Thread

Post by Pyperkub »

BrewDog App:
Every mobile app user was given the same hard coded API Bearer Token, rendering request authorisation useless
It was therefore trivial for any user to access any other user’s PII, shareholding, bar discount, and more
Disclosure was rather fraught. Instead of being ‘cool’ as we had hoped, given their reputation as being a bit counter-culture, BrewDog instead declined to inform their shareholders and asked not to be named. It took 4 failed fixes to properly resolve the problem.
Black Lives definitely Matter Lorini!

Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
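An added example, not part of the post above or of the write-up it quotes: the shared hard-coded bearer token pattern next to a per-user token with an ownership check. The user records, token value, key handling and function names are all hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample records for a hypothetical loyalty API.
USERS = {
    "1001": {"name": "Alice Example", "email": "alice@example.test"},
    "1002": {"name": "Bob Example", "email": "bob@example.test"},
}

# Flawed pattern: one static token compiled into every copy of the app.
SHARED_APP_TOKEN = "constructed-shared-token"  # placeholder value


def get_user_shared_token(bearer, user_id):
    """Checks only that the caller holds the app-wide token."""
    if not hmac.compare_digest(bearer.encode(), SHARED_APP_TOKEN.encode()):
        return 401, None
    # The token is not tied to a person, so user_id is entirely caller-chosen.
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)


# Hardened pattern: per-user signed token, expiry, and an ownership check.
SERVER_KEY = secrets.token_bytes(32)  # generated and kept server-side only


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_seconds=900, now=None):
    """Issued after login; binds the token to one user and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user_id, "exp": int(now) + ttl_seconds}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def verify_token(token, now=None):
    """Returns the user id the token was issued to, or None if invalid or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)  # parsed only after the signature checks out
    if claims["exp"] <= now:
        return None
    return claims["sub"]


def get_user_per_user_token(bearer, user_id, now=None):
    """Authenticates the caller, then authorises access to this specific record."""
    subject = verify_token(bearer, now)
    if subject is None:
        return 401, None  # not a valid, unexpired token
    if subject != user_id:
        return 403, None  # valid token, but for a different user's record
    record = USERS.get(user_id)
    return (200, record) if record else (404, None)
```

The 403 branch is the check the shared-token design cannot make, because a token common to every install carries no identity to compare against the requested record.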
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

My Equifax claims have been denied. May the company die a thousand fiery deaths.
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

New Bluetooth hack can unlock your Tesla—and all kinds of other devices
When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range.

Now, a researcher has devised a hack that allows him to unlock millions of Teslas—and countless other devices—even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.

“Hacking into a car from hundreds of miles away tangibly demonstrates how our connected world opens us up to threats from the other side of the country—and sometimes even the other side of the world,” Sultan Qasim Khan, a principal security consultant and researcher at security firm NCC Group, told Ars. “This research circumvents typical countermeasures against remote adversarial vehicle unlocking and changes the way we need to think about the security of Bluetooth Low Energy communications.”

This class of hack is known as a relay attack, a close cousin of the person-in-the-middle attack. In its simplest form, a relay attack requires two attackers. In the case of the locked Tesla, the first attacker, which we’ll call Attacker 1, is in close proximity to the car while it’s out of range of the authenticating phone. Attacker 2, meanwhile, is in close proximity to the legitimate phone used to unlock the vehicle. Attacker 1 and Attacker 2 have an open Internet connection that allows them to exchange data.

Attacker 1 uses her own Bluetooth-enabled device to impersonate the authenticating phone and sends the Tesla a signal, prompting the Tesla to reply with an authentication request. Attacker 1 captures the request and sends it to Attacker 2, who in turn forwards the request to the authenticating phone. The phone responds with a credential, which Attacker 2 promptly captures and relays back to Attacker 1. Attacker 1 then sends the credential to the car.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Jaymann
Posts: 19319
Joined: Mon Oct 25, 2004 7:13 pm
Location: California

Re: The Data Breach Thread

Post by Jaymann »

How do you turn off phone activation?

Edit: I put it in valet mode until I hear more.
Jaymann
]==(:::::::::::::>
Black Lives Matter
Blackhawk
Posts: 43491
Joined: Tue Oct 12, 2004 9:48 pm
Location: Southwest Indiana

Re: The Data Breach Thread

Post by Blackhawk »

That is a problem, but it would have to be a planned, deliberate attack, not something people are likely to use against random targets.
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)
Max Peck
Posts: 13682
Joined: Fri Aug 05, 2005 8:09 pm
Location: Down the Rabbit-Hole

Re: The Data Breach Thread

Post by Max Peck »

If I understood the attack, a team would just need to hang out somewhere suitable and wait for someone to park a fancy car. One stays near the target vehicle while the other follows the driver and triggers the attack so that their partner can gain access to the vehicle.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch
Rumpy
Posts: 12672
Joined: Sun Mar 27, 2005 6:52 pm
Location: Sudbury, Ontario, Canada

Re: The Data Breach Thread

Post by Rumpy »

Sounds very similar to how they can intercept a keyfob signal, which is something that I think happened to us one Christmas after parking in a parking garage. We'd parked and headed off to visit the market area for a few hours, and when we came back, we found we had been broken into, though with no discernible damage to the vehicle. They'd stolen quite a few things.
PC:
Ryzen 5 3600
32GB RAM
2x1TB NVMe Drives
GTX 1660 Ti
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »


Spoiler:
Something is up with @Ally - fraud tweets giant spike yesterday. Was there a data breach?
I didn't think too much about this but some of the articles I read while poking around for more information mentioned this happened to people that never use their debit card and in some cases the debit card was never activated.

So I logged into my Ally app, and I see 6 transactions in August. Even though they were approved, nothing was withdrawn from the checking account. I called Ally and they said those transactions ended up being declined because the expiration date was wrong. I then checked my wife's debit card since we have a joint account, we have two separate cards and she had 1 fraudulent debit transaction in August.

I haven't seen anything official about an ongoing issue or if it's an Ally bank / MasterCard breach... but thought I'd post here.

If you're with Ally, check the "Manage Debit Card" section of your checking account in the Ally Mobile App to review the activity list. If you do see any unknown charges, call and get a new card.
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

My bank card acts as a debit card which annoys me. For years my CU asked me to turn my card into a debit card and I declined. Then one day they just made it into a debit card anyway. I have to activate it so I can use the ATM. *Harumph*
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »

I was always warned that using debit cards for purchases was more difficult to get money back into checking if there was a problem. I’ve been trying to go as cashless as possible now I’m retired and budgeting everything through credit cards. I know, sounds crazy.
hepcat
Posts: 51302
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: The Data Breach Thread

Post by hepcat »

I've been using a debit card for a long time. Never had an ounce of trouble. And I've been with Ally for the last 4 or 5 years, using their debit card as well. No problems there either.
Covfefe!
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

I have no need for a debit card so having one is just one more thing to track. Before ID theft was ubiquitous and tracking your banking on the Internet was a thing, I rejected the debit card because of fees. Then it was because my CC pays me to use it. Then came the ID theft concerns.
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »

hepcat wrote: Wed Aug 24, 2022 1:35 pm I've been using a debit card for a long time. Never had an ounce of trouble. And I've been with Ally for the last 4 or 5 years, using their debit card as well. No problems there either.
The more I read about this, it seems more like a Mastercard issue. I’m a big Ally fan as their interest rates have been hard to match elsewhere… almost back to 2% for savings which is great.

For never using my debit card it was really concerning to me. I’m a big advocate for putting alerts for anything the app offers. I set an alert for any debit transaction over a dollar, I get a text. A little peace of mind.
stessier
Posts: 29816
Joined: Tue Dec 21, 2004 12:30 pm
Location: SC

Re: The Data Breach Thread

Post by stessier »

telcta wrote: Wed Aug 24, 2022 1:26 pm I was always warned that using debit cards for purchases was more difficult to get money back into checking if there was a problem. I’ve been trying to go as cashless as possible now I’m retired and budgeting everything through credit cards. I know, sounds crazy.
I've never used my debit card - always credit cards. I don't think I've had cash in my wallet in years. Credit cards are great as long as you have the discipline to pay them off every month.
I require a reminder as to why raining arcane destruction is not an appropriate response to all of life's indignities. - Vaarsuvius
Global Steam Wishmaslist Tracking
Running____2014: 1300.55 miles____2015: 2036.13 miles____2016: 1012.75 miles____2017: 1105.82 miles____2018: 1318.91 miles__2019: 2000.00 miles
hepcat
Posts: 51302
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: The Data Breach Thread

Post by hepcat »

telcta wrote: Wed Aug 24, 2022 1:50 pm
hepcat wrote: Wed Aug 24, 2022 1:35 pm I've been using a debit card for a long time. Never had an ounce of trouble. And I've been with Ally for the last 4 or 5 years, using their debit card as well. No problems there either.
The more I read about this, it seems more like a Mastercard issue. I’m a big Ally fan as their interest rates have been hard to match elsewhere… almost back to 2% for savings which is great.

For never using my debit card it was really concerning to me. I’m a big advocate for putting alerts for anything the app offers. I set an alert for any debit transaction over a dollar, I get a text. A little peace of mind.
What drives me nuts is that some gas stations will put a 100 dollar charge on your card as a deposit when filling up at their station, then refund that 100 and charge what you bought. I had an alert go off for that a few times with the gas station down the street from me. And even though Ally support assured me it wasn't an uncommon practice, I still avoid that place like the plague.
Covfefe!
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »

hepcat wrote: Wed Aug 24, 2022 1:54 pm
telcta wrote: Wed Aug 24, 2022 1:50 pm
hepcat wrote: Wed Aug 24, 2022 1:35 pm I've been using a debit card for a long time. Never had an ounce of trouble. And I've been with Ally for the last 4 or 5 years, using their debit card as well. No problems there either.
The more I read about this, it seems more like a Mastercard issue. I’m a big Ally fan as their interest rates have been hard to match elsewhere… almost back to 2% for savings which is great.

For never using my debit card it was really concerning to me. I’m a big advocate for putting alerts for anything the app offers. I set an alert for any debit transaction over a dollar, I get a text. A little peace of mind.
What drives me nuts is that some gas stations will put a 100 dollar charge on your card as a deposit when filling up at their station, then refund that 100 and charge what you bought. I had an alert go off for that a few times with the gas station down the street from me. And even though Ally support assured me it wasn't an uncommon practice, I still avoid that place like the plague.
Whoa! I never heard of that. That would be the same using a debit card? I’d hate to kick off an insufficient funds charge because a place can knowingly place a deposit like that.

I’ve seen $1 charges every now and then but never $100.
hepcat
Posts: 51302
Joined: Wed Oct 13, 2004 3:02 pm
Location: Chicago, IL Home of the triple homicide!

Re: The Data Breach Thread

Post by hepcat »

telcta wrote: Wed Aug 24, 2022 2:00 pm
hepcat wrote: Wed Aug 24, 2022 1:54 pm
telcta wrote: Wed Aug 24, 2022 1:50 pm
hepcat wrote: Wed Aug 24, 2022 1:35 pm I've been using a debit card for a long time. Never had an ounce of trouble. And I've been with Ally for the last 4 or 5 years, using their debit card as well. No problems there either.
The more I read about this, it seems more like a Mastercard issue. I’m a big Ally fan as their interest rates have been hard to match elsewhere… almost back to 2% for savings which is great.

For never using my debit card it was really concerning to me. I’m a big advocate for putting alerts for anything the app offers. I set an alert for any debit transaction over a dollar, I get a text. A little peace of mind.
What drives me nuts is that some gas stations will put a 100 dollar charge on your card as a deposit when filling up at their station, then refund that 100 and charge what you bought. I had an alert go off for that a few times with the gas station down the street from me. And even though Ally support assured me it wasn't an uncommon practice, I still avoid that place like the plague.
Whoa! I never heard of that. That would be the same using a debit card? I’d hate to kick off an insufficient funds charge because a place can knowingly place a deposit like that.

I’ve seen $1 charges every now and then but never $100.
It happens on my debit card too from those places, so yeah.

It's actually a "hold" so I don't think it will trigger an overdraft. But I could be wrong. All I know is that it sometimes triggers my alert that I have in place telling me whenever a charge is 100 dollars or more on my debit card.

edit: I take it back. Looks like it could trigger an overdraft charge if you don't have overdraft protection.
When gas prices originally started skyrocketing, gas stations increased the “hold amount” for consumers who use credit or debit cards to pay for gas. That change could cost you more money if you can’t cover the hold.
Last edited by hepcat on Wed Aug 24, 2022 2:05 pm, edited 1 time in total.
Covfefe!
telcta
Posts: 1113
Joined: Mon Dec 20, 2004 3:47 pm
Location: Connecticut

Re: The Data Breach Thread

Post by telcta »

stessier wrote: Wed Aug 24, 2022 1:51 pm
telcta wrote: Wed Aug 24, 2022 1:26 pm I was always warned that using debit cards for purchases was more difficult to get money back into checking if there was a problem. I’ve been trying to go as cashless as possible now I’m retired and budgeting everything through credit cards. I know, sounds crazy.
I've never used my debit card - always credit cards. I don't think I've had cash in my wallet in years. Credit cards are great as long as you have the discipline to pay them off every month.
I’m finding it a lot easier to go cashless. I write a couple checks a year. One is for taxes, even though I could do it online but I refuse to pay a convenience fee to take from my checking account (to pay with credit is a higher fee). When I find a place taking Apple Pay, like my accountant started doing, I get very excited. The small things make me happy nowadays.
Roman
Posts: 1133
Joined: Thu Oct 14, 2004 4:13 pm
Location: Earth

Re: The Data Breach Thread

Post by Roman »

Plex emailed me today to inform me that they suffered a data breach and suggest a PW change.
They are saying that banking details were NOT compromised as they are stored on a separate DB.
________________________________________________________________________________________________________________________________
Dear Plex User,
We want you to be aware of an incident involving your Plex account information yesterday. While we believe the actual impact of this incident is limited, we want to ensure you have the right information and tools to keep your account secure.
What happened
Yesterday, we discovered suspicious activity on one of our databases. We immediately began an investigation and it does appear that a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords. Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset. Rest assured that credit card and other payment data are not stored on our servers at all and were not vulnerable in this incident.
What we're doing
We've already addressed the method that this third-party employed to gain access to the system, and we're doing additional reviews to ensure that the security of all of our systems is further hardened to prevent future incursions. While the account passwords were secured in accordance with best practices, we're requiring all Plex users to reset their password.
What you can do
Long story short, we kindly request that you reset your Plex account password immediately. When doing so, there's a checkbox to "Sign out connected devices after password change." This will additionally sign out all of your devices (including any Plex Media Server you own) and require you to sign back in with your new password. This is a headache, but we recommend doing so for increased security. We have created a support article with step-by-step instructions on how to reset your password here.
We'd also like to remind you that no one at Plex will ever reach out to you to ask for a password or credit card number over email. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven't already done so.
Lastly, we sincerely apologize to you for any inconvenience this situation may cause. We take pride in our security system and want to assure you that we are doing everything we can to swiftly remedy this incident and prevent future incidents from occurring. We are all too aware that third-parties will continue to attempt to infiltrate IT infrastructures around the world, and rest assured we at Plex will never be complacent in hardening our security and defenses.
For step-by-step instructions on how to reset your password, visit: https://support.plex.tv/articles/accoun ... word-reset
Thank you,
The Plex Security Team
Last edited by Roman on Wed Aug 24, 2022 2:18 pm, edited 1 time in total.
While feeding all the beasties out back I let a nice big fart. The smell followed all the way back to the house. It's like it was my baby and felt abandoned.
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

telcta wrote: Wed Aug 24, 2022 2:05 pm I’m finding it a lot easier to go cashless. I write a couple checks a year. One is for taxes, even though I could do it online but I refuse to pay a convenience fee to take from my checking account (to pay with credit is a higher fee). When I find a place taking Apple Pay, like my accountant started doing, I get very excited. The small things make me happy nowadays.

I write 8 checks a year for that exact reason. 2 for taxes and six for water. I used to write a 9th for my license renewal but they took the fee for using a CC down to $2 and mailing a check and filling out paperwork by hand is just so much more bothersome than doing it online and paying the $2 fee.

I've made one withdrawal from the bank since August 2019. I made that withdrawal of $300 when I was at the bank drive in cashing a check. I still have close to $400 in cash. As I've recently started doing quick lunches/breakfasts with my parents, I've started paying in cash on occasion for small purchases so I always have enough singles to leave a proper tip when I dine out once a month or so.
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

Plex
As far as I know, Plex is an MRP/ERP. :oops: :think:
LordMortis
Posts: 70100
Joined: Tue Oct 12, 2004 11:26 pm

Re: The Data Breach Thread

Post by LordMortis »

So I get an email from Kohl's (legit) about changes to my account, which I have not used in 15+ years. And they request me to contact them immediately! I try to do them a solid, but there is no one to take my call. I am referred to their website where they claim to have contact with "an associate by chat 24/7." Their "associate" is a bot that doesn't understand anything but how to point to an FAQ that has no reference to ID theft. How much effort do they expect from me to do *them* a favor? My credit has been blocked since Equifax made my information a free for all.
Hrothgar
Posts: 1087
Joined: Wed Oct 13, 2004 11:38 pm
Location: Houston, TX

Re: The Data Breach Thread

Post by Hrothgar »

LastPass. Perhaps some of the more cybersecurity-focused people here can explain if this is a bad one or not.
malchior
Posts: 24794
Joined: Wed Oct 13, 2004 12:58 pm

Re: The Data Breach Thread

Post by malchior »

The problem is that LastPass has made some ... ahem ... possibly shady decisions in the wake of the incident. Which looks to be severe. There are significant questions about whether we should trust them any longer. Loss of trust is generally a kiss of death for cybersecurity firms.

Beyond the issues of trust, there are significant technical problems such as the fact that they didn't encrypt the vault. They only protected some fields such as the password. Even then the encrypted data is only protected by the strength of the master password.

The flat file being partially encrypted means data was leaked. This opens the door to social engineering attacks and such. A real mess. I personally would move off LastPass password vault if I was a user.
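As an added illustration of the point in the post above (not part of the original thread, and not LastPass's actual vault format): a constructed vault entry in which only some fields are encrypted, under a key derived from the master password. The field names, PBKDF2 iteration count, salt and HMAC-based stand-in cipher are all assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed PBKDF2 work factor, not a figure from the thread
SALT = b"constructed-salt"    # constructed sample value; salts are stored in the clear

def derive_key(master, salt=SALT, iterations=ITERATIONS):
    """Everything secret in the vault hangs off this one password-derived key."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode, so only the stdlib is needed.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, text):
    """Encrypt-then-MAC one field under the vault key."""
    nonce, data = os.urandom(16), text.encode()
    stream = _keystream(_subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key, blob):
    """Return the plaintext, or None when the key (i.e. the password) is wrong."""
    want = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        return None
    stream = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream)).decode()

def build_entry(key, url, username, password):
    # Partial protection as described in the post: the URL is stored as-is.
    return {"url": url, "username": seal(key, username), "password": seal(key, password)}

def readable_without_key(entry):
    """What a copy of the vault file reveals with no password at all."""
    return {name: value for name, value in entry.items() if isinstance(value, str)}

ENTRY = build_entry(derive_key("correct horse battery staple"),
                    "https://bank.example/login", "alice", "s3cret!")
if __name__ == "__main__":
    print("readable without key:", readable_without_key(ENTRY))
    print("right password:", unseal(derive_key("correct horse battery staple"), ENTRY["password"]))
    print("wrong password:", unseal(derive_key("hunter2"), ENTRY["password"]))
```

The site URL is visible to anyone holding the file, which is the metadata leak the post refers to, and the sealed fields are exactly as safe as the master password is hard to guess.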