Tag Archives: account

Twitter is purging accounts that were trying to evade prior suspensions

Twitter announced this afternoon that it will begin booting accounts off its service that belong to people who have tried to evade an earlier account suspension. The company says the accounts in question belong to users who were previously suspended from Twitter for abusive behavior, or for trying to evade a prior suspension. These bad actors have apparently been able to work around Twitter’s attempts to remove them simply by setting up another account. The company says the new wave of suspensions will hit this week and will continue in the weeks ahead, as it is able to identify others who are “attempting to Tweet following an account suspension.” “This week, we are suspending accounts for attempting to evade an account suspension. These accounts were previously suspended for abusive behavior or evading a previous suspension, and are not allowed to continue using Twitter.” — Twitter Safety (@TwitterSafety) August 14, 2018. Twitter’s announcement on the matter – which came in the form of a tweet – was light on details. We asked the company for more information. It’s unclear, for example, how Twitter was able to identify that the same people had returned to Twitter, how many users will be affected by this new ban, or what impact it will have on Twitter’s currently stagnant user numbers. Twitter was not able to answer our questions when asked for comment. The company has recently focused on aggressively suspending accounts as part of its effort to stem the flow of disinformation, bots, and abuse on its service. The Washington Post, for example, reported last month that Twitter had suspended as many as 70 million accounts between May and June, and was continuing at the same pace in July. The removal of those accounts didn’t affect the company’s user metrics, Twitter’s CFO later clarified. Even though they weren’t a factor, Twitter’s user base is shrinking.
The company actually lost a million monthly active users in Q2, with 335 million overall users and 68 million in the U.S.

Read More »

Hackers on new ‘secure’ phone networks can bill your account for their roaming charges

I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes. One such hole was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network, which connected five Scandinavian phone systems in 1991 using the SS7 protocol suite, secured entirely by mutual trust, has grown into a massive global “private internet” connecting more than 2,000 companies and other entities. It is this private network-of-networks that lets you fly to another country and use your phone there, among many other services. The quote which stood out most starkly from her slides regarding IPX was this: “Security awareness only recently started (2014).” That’s … awfully late to start thinking about security for a massive semi-secret global network with indirect access to essentially every phone, connected car, and other mobile/SIM-card-enabled device on the planet. She understated grimly.

Read More »

Facebook now requiring Pages with large US audiences to go through additional authorization

Facebook today announced it’s implementing a new measure to secure Facebook Pages with large U.S. followings, in order to make it harder for people to administer a Page using a “fake or compromised account.” Beginning with those that have large U.S. followings, some Facebook Pages will now have to go through a “Page Publishing Authorization” process. This will require the Page managers to secure their accounts and verify their location. Facebook says the process only takes a few minutes to complete. If a Page requires this authorization, the Page admins will receive a notice at the top of their News Feed directing them to begin the process. If they choose not to submit to Authorization, they will no longer be able to post to their Pages, the company says. Enforcement will begin this month. When the Page owners click through, a message informs them why this is being done and what steps they have to take. To secure their account, Facebook is asking the Page manager to enable two-factor authentication. This makes it more difficult for the account to be hijacked by a third party, and is a best practice that all Facebook users – not just Page admins – should follow. Separately, the Facebook Page managers will need to verify their location. This will then be set as the Page’s primary country and displayed in the new Page Info tab Facebook introduced in June. Here, Facebook will also show a list of countries of the people who manage the Page, and how many managers hail from each country in that list. In addition, under Page History, Facebook will show when a Page has merged with another

Read More »

Niantic explains how and why it bans players in Pokémon GO

Getting banned for cheating is nothing new in Pokémon GO. There’ve been big ol’ ban waves every few weeks for ages now. The policies have never been totally set in stone, however — at least not publicly. Like many of the game’s mechanics, the player base has had to share info amongst themselves to figure out the offenses and their relative punishments, from slaps on the wrist to lifetime bans. At long last, Niantic has published a proper “Three-Strike Discipline Policy.” As the name implies, most infractions will be handled on a three-strike system. Niantic notes, however, that “some misbehaviors” (they leave that one pretty open-ended) will work out to an instant permanent ban. So what’s worthy of a strike? Spoofing (making the game think you’re somewhere you’re not), using modified Pokémon GO clients or bots, or doing anything that accesses Pokémon GO’s backend in an unauthorized way. On the first strike, you’ll get a warning message. You’ll still be able to play, technically, but you won’t see anything even remotely rare for seven days. On the second strike, they’ll close your account for a month. On the third strike, the account is banned for good. And if you think you got stuck in the crosshairs by accident? Niantic has an appeal process for that. It’s worth noting that these punishments aren’t really new; bans of all varieties have been happening since shortly after the game’s release

Read More »

Reddit CEO tells user, “we are not the thought police,” then suspends that user

Steve Huffman, cofounder and chief executive officer of Reddit Inc., listens during a Bloomberg Technology television interview in San Francisco in 2017. (credit: David Paul Morris/Bloomberg via Getty Images)

A Reddit user has found himself on the receiving end of a week-long suspension—and from the look of his account, it might have come because he publicly shared a "direct message" exchange with Reddit CEO Steve "spez" Huffman over the platform's handling of hate speech. Reddit has confirmed to Ars Technica that Huffman's conversation, as posted by user "whatllmyusernamebe" on Sunday, is legitimate. The conversation begins with Huffman responding to the question, "Why do you admins not just ban hate speech?"

spez: Our violent speech policy is effectively that.

whatll: I'd argue that hate speech should be banned with its own rule, separate from the violence policy. But thank you for replying.

spez: Hate speech is difficult to define. There's a reason why it's not really done. Additionally, we are not the thought police. It's not the role of a private company to decide what people can and cannot say.

whatll: But it *is* the role of a private company to decide what people can and cannot say *on its own platform*.

Read More »

Timehop discloses July 4 data breach affecting 21 million

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users. Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account exposed in the attack. The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours and 19 minutes later — albeit not before millions of people’s data had been taken. According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December, using compromised admin credentials, and apparently conducted reconnaissance for a few days that month, again for another day in March and one in June, before launching the attack on July 4, during a US holiday. Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack. It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third-party social networks in order to present back to users as digital “memories” was affected. However, the keys (access tokens) that allow it to read and show users their social media content were compromised — so it has deactivated all of them, meaning Timehop users will have to re-authenticate to its app to continue using the service.
“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.” It also admits that the tokens could “theoretically” have been used by unauthorized parties to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”. “We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds. In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication. That is very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.” Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target. Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts. For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data.
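
Both failure modes in this account, an admin login with no second factor and a credential that sat dormant for months between brief reconnaissance logins (December, March, June, then the July 4 attack), leave a trace in the provider’s authentication logs. The script below is an added example for this page, not Timehop’s code or data: it assumes the AWS CloudTrail file format for ConsoleLogin events (the article does not say which provider Timehop uses, so the field names are an assumption), walks the events in time order, and flags successful logins made without MFA, logins that reactivate a principal unused for longer than a configurable dormancy threshold, and logins from an address never seen before for that principal. The sample records are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Assumption for this example: a principal unused for longer than this between
# successful logins is treated as dormant. Tune to the environment.
DORMANT_DAYS = 60

# Constructed sample data in the shape of an AWS CloudTrail log file, trimmed to the
# fields used below. Not Timehop's records; the dates and addresses are invented.
SAMPLE_LOG = """
{"Records": [
 {"eventTime": "2017-09-12T14:02:11Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2017-12-19T03:10:44Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2018-03-04T02:51:09Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2018-06-22T04:15:30Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2018-07-04T18:04:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2018-07-02T09:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2018-07-03T09:05:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
  "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Failure"}}
]}
"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def _ts(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyze_console_logins(records, dormant_days=DORMANT_DAYS):
    """Walk successful ConsoleLogin events in time order and emit one finding per reason:
       login-without-mfa             : MFAUsed is anything other than "Yes"
       dormant-principal-reactivated : previous successful login by this principal was > dormant_days ago
       new-source-ip                 : this principal has not logged in from this address before
    Failed logins are ignored here; they belong in a separate brute-force detection."""
    findings = []
    last_seen = {}   # userName -> datetime of the previous successful login
    known_ips = {}   # userName -> set of source addresses seen so far
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        ident = rec.get("userIdentity") or {}
        user = ident.get("userName") or ident.get("type", "unknown")
        when = _ts(rec["eventTime"])
        ip = rec.get("sourceIPAddress", "")
        reasons = []
        if (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            reasons.append("login-without-mfa")
        prev = last_seen.get(user)
        if prev is not None and when - prev > timedelta(days=dormant_days):
            reasons.append("dormant-principal-reactivated")
        if user in known_ips and ip not in known_ips[user]:
            reasons.append("new-source-ip")
        last_seen[user] = when
        known_ips.setdefault(user, set()).add(ip)
        for reason in reasons:
            findings.append({"time": rec["eventTime"], "user": user, "ip": ip, "reason": reason})
    return findings


def principals_without_mfa(findings):
    """Distinct principals that logged in without a second factor at least once:
    the list to enforce MFA on before anything else."""
    return sorted({f["user"] for f in findings if f["reason"] == "login-without-mfa"})


if __name__ == "__main__":
    for f in analyze_console_logins(SAMPLE_RECORDS):
        print(f"{f['time']}  {f['user']:<10} {f['ip']:<15} {f['reason']}")
    print("enforce MFA on:", principals_without_mfa(SAMPLE_RECORDS and analyze_console_logins(SAMPLE_RECORDS)))
```

On the constructed data the first non-MFA login from the new address fires all three rules at once, and each later reconnaissance login fires the MFA and dormancy rules; the July 4 login, twelve days after the June one, fires only the MFA rule, which is why the MFA check should be a preventive control (deny access without MFA) rather than only a detection.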

Read More »

Facebook mistakenly leaked developer analytics reports to testers

Set the “days without a Facebook privacy problem” counter to zero. This week, an alarmed developer contacted TechCrunch, informing us that their Facebook App Analytics weekly summary email had been delivered to someone outside their company. It contains sensitive business information, including weekly average users, page views and new users. Forty-three hours after we contacted Facebook about the issue, the social network now confirms to TechCrunch that 3 percent of apps using Facebook Analytics had their weekly summary reports sent to their app’s testers, instead of only the app’s developers, admins and analysts. Testers are often people outside of a developer’s company. If the leaked info got to an app’s competitors, it could provide them an advantage. At least they weren’t allowed to click through to view more extensive historical analytics data on Facebook’s site. Facebook tells us it has fixed the problem and no personally identifiable information or contact info was improperly disclosed. It plans to notify all impacted developers about the leak today and has already begun. Below you can find the email the company is sending: Subject line: We recently resolved an error with your weekly summary email We wanted to let you know about a recent error where a summary e-mail from Facebook Analytics about your app was sent to testers of your app ‘APP NAME WILL BE DYNAMICALLY INSERTED HERE’. As you know, we send weekly summary emails to keep you up to date with some of your top-level metrics — these emails go to people you’ve identified as Admins, Analysts and Developers. You can also add Testers to your account, people designated by you to help test your apps when they’re in development.

Read More »

Facebook is updating how you can authenticate your account logins

You’ll soon have more options for staying secure on Facebook with two-factor authentication. Facebook is simplifying the process for two-factor authentication on its platform so you won’t have to give the company your phone number just to add another layer of security to your account. The company announced today that it is adding support for third-party authentication apps like Duo Security and Google Authenticator while streamlining the setup process to make it easier to get started in the first place. Two-factor authentication is a widely supported security measure that adds another line of defense so users aren’t compromised outright if their login credentials are. SMS isn’t generally considered the most secure method for 2FA because it’s possible for attackers to take control of your phone number by getting your carrier to move it to a SIM they control (a “SIM swap”), a process that relies heavily on social engineering; that risk doesn’t apply to hardware authentication devices or authenticator apps, which don’t depend on the phone network at all. Back in March, Facebook CSO Alex Stamos notably apologized after users started complaining that Facebook was sending notification spam to the phone numbers they had registered for two-factor authentication. Facebook insisted that it won’t happen again, but it also definitely can’t happen if the company doesn’t have your number to begin with. The new functionality is available in the “Security and Login” tab in your Facebook settings.

Read More »

Apple introduces new privacy portal to comply with GDPR

Apple is the latest tech giant to make changes to comply with GDPR, the EU’s data privacy rules, after it introduced a new website that shows customers exactly what personal data it holds on them. Accessible via an ‘Apple ID Data & Privacy’ website — which was first spotted by 9to5Mac — Apple customers can request access to the full gamut of personal data, which includes sign-in history, contacts, calendar, notes, photos and documents, as well as data from services such as Apple Music, the App Store, iTunes, and AppleCare. Depending on the data records selected, Apple may take as long as two weeks to assemble the information, and the company said the download will be deleted after two weeks. Apple allows users to select the size of their data download — which goes as high as 25GB or can be split into smaller chunks — and it will also apparently be made available in standard data formats, meaning it can be stored and easily accessed. The data site also gives users the option to correct data, deactivate their account and delete all information held by Apple, in compliance with GDPR. Deleting data is exactly as the term suggests, while deactivation means an account is made unavailable temporarily. In the latter case, all data and services associated with the account — for example, phone book contacts, FaceTime or purchases made in iTunes — will be inaccessible whilst it is deactivated. The data service is initially available in EU countries, Iceland, Liechtenstein, Norway, and Switzerland, but Apple said it plans to expand the options across the rest of the world later this year.

Read More »

Twitter delays shutdown of legacy APIs as it launches a replacement

Twitter is giving developers more time to adjust to its API platform overhaul, which has affected some apps’ ability to continue operating in the same fashion. The company clarified this morning, along with news of the general availability of its Account Activity API, that it will be delaying the shutdown of some of its legacy APIs. That is, APIs originally slated for a June 19, 2018 shutdown – including Site Streams, User Streams, and the legacy Direct Message endpoints – will now be deprecated on Thursday, August 16, 2018. The news follows an announcement from Favstar that said it will end its business when the older APIs are shut down for good. And it follows the relaunched Mac app from Tweetbot, which includes a list of changes as to how the app will work when the API changes go into effect. Twitter had said back in April that it would delay the scheduled June 19th deprecation date, but didn’t announce a new date at that time. That may have led some developers to believe that a longer reprieve was in order while Twitter rethought its plans. Today, Twitter says that’s not the case. With the public launch of the Account Activity API, developers can transition to the new API platform. Plus, the beta that only offered Direct Messages is being shut down on August 16th, 2018, Twitter says. (Migration details on that are here.) Twitter is also reducing the number of subscriptions from the 35 accounts allowed during the beta to 15 free subscriptions for its Premium Sandbox of the API – the free tier meant as a way for developers to experiment

Read More »