
Tag Archives: breach

Here’s how to find out if your Facebook was hacked in the breach

Are you one of the 30 million users hit by Facebook’s access token breach announced two weeks ago? Here’s how to find out.

Visit this Facebook Help Center link while logged in: https://www.facebook.com/help/securitynotice?ref=sec. Scroll down to the section “Is my Facebook account impacted by this security issue?” There you’ll see a Yes or No answer to whether your account was one of the 30 million impacted. Those affected will also receive a warning atop their News Feed.

If Yes, you’ll be in one of three categories:

A. You’re among the 15 million users whose name plus email and/or phone number was accessed.

B. You’re among the 14 million users who had that data plus account bio data accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”.

C. You’re among the 1 million users whose access token was stolen but whose account was never actually accessed with it. Lucky you.

So what should you do if you were hacked?

You don’t necessarily have to change your Facebook password or credit card info, as there’s no evidence that data was accessed in the attack.

Watch out for spam or scam calls, emails, or messages, as your contact info could have been sold to unscrupulous businesses.

Be on alert for phishing attempts that may email you and try to get you to sign in to one of your online accounts on a fake page that will steal your data.


Animoto hack exposes personal information, geolocation data

Animoto, a cloud-based video maker service for social media sites, has revealed a data breach. The breach occurred on July 10 but was confirmed by the company in early August, and later reported to the California attorney general. Names, dates of birth and user email addresses were accessed by hackers, but the company said it wasn’t known if data had been exfiltrated. The company also said that users’ scrambled passwords were exposed in the breach, but it wasn’t clear if the hackers gained the private key, which could be used to reveal the passwords in plain text. The company also said in a security announcement that user geolocations were also exposed to hackers, but noted that it “does not keep geolocation information for all users.” Payment data is not thought to be affected as it’s stored in a separate system, the company said. Animoto did not immediately return a request for comment. TechCrunch will update once we learn more. The New York City-based company did not say how many users were affected by the breach, but last August claimed more than 20 million users on its platform. Animoto is the latest social media service to be breached. Last month, Timehop revealed a breach affecting 21 million users , exposing their names, email addresses, gender and dates of birth . Timehop’s breach was largely attributable to the company’s lack of two-factor authentication on its network, which helps prevent hackers from reusing already exposed credentials from breaches of other sites and services. Animoto didn’t say how its breach occurred but pointed to “suspicious activity” on its systems. The company also said it reset employee passwords and reduced employees’ access to critical systems.


Australian teen pleads guilty to hacking Apple

An Australian teenager pleaded guilty today to charges over repeatedly hacking into Apple's computer systems, The Age reports. He reportedly was able to access authorized keys, view customer accounts and download 90GB of secure files before being cau...


Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably, the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.”

Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated, and many services still use it as a main or backup 2FA method.

Reddit itself, it is worth noting, only provides 2FA via token. But at least one provider of theirs didn’t, it turns out, and the attackers took advantage of that. (Slowe said they know no phones were hacked, which suggests the SMS authentication codes were intercepted otherwise, possibly via spoofing a phone or scamming the provider.)

Although a complete inventory of what was accessed by the hackers isn’t available, Slowe said that there were two main areas of concern as far as users were concerned:

A complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, salted/hashed passwords, emails, public posts and private messages.

June’s email digests, with usernames and associated emails.

Reddit is a different and much, much bigger place today than it was in 2007; anyone who remembers the big migration from Digg in those days will also remember how small and limited it was. Still, these data together could still be useful to malicious actors looking to scam people on this list — if I were them, I’d be sending fake email digests asking them to log in, or building a list of username-email pairs and matching those to other sites. And of course you might want to, as Slowe put it, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

If you’re one of the people affected, you should be receiving an email or PM that should inform you of your risk — for example, if your password hasn’t been changed since 2007, which would be its own security risk. I joined in July 2007 and haven’t received either, as a data point.


Bank says Ticketmaster knew of breach months before taking action

Ticketmaster UK announced on its site yesterday that it identified malicious software on June 23rd that had affected nearly five percent of its customers, allowing an unknown third party access to customers’ names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot. However, both companies have confirmed that as of June 26th the vulnerability has been resolved.

In its statement, Ticketmaster told customers that affected accounts had been contacted and were offered a free 12-month identity monitoring service as a consolation as soon as the company became aware of the breach. But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months. “This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, head of Financial Crime at Monzo, in the statement.

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week that followed, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster. During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the 2018 General Data Protection Regulation (GDPR), companies are required to report information of a breach within 72 hours.


UK watchdog issues $330k fine for Yahoo’s 2014 data breach

Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998.

Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users. Certainly given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case … ).

The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller. And it found a catalogue of failures — specifically finding that Yahoo UK Services had: failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for “a long period of time without being discovered or addressed”.

Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

According to the ICO, personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers. It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

Happily for Oath, GDPR does not apply historically, because the UK’s domestic regime only allows for maximum penalties of £500k. And given Verizon was able to knock $350M off the acquisition price of Yahoo on account of a pair of massive data breaches, well, it’s not going to be too concerned with the regulatory sting here. Reputation-wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed, so any damage had already been publicly attached to Yahoo.


MyHeritage breach exposes 92M emails and hashed passwords

The genetic analysis and family tree website MyHeritage was breached last year by unknown actors, who exfiltrated the emails and hashed passwords of all 92 million registered users of the site. No credit card info, nor (what would be more disturbing) genetic data appears to have been collected.

The company announced the breach on its blog, explaining that an unnamed security researcher contacted them to warn them of a file he had encountered “on a private server,” tellingly entitled “myheritage.” Inside it were the millions of emails and hashed passwords.

Hashing passwords is a one-way encryption process allowing sensitive data to be stored easily, and although there are theoretically ways to reverse hashing, they involve immense amounts of computing power and quite a bit of luck. So the passwords are probably safe, but MyHeritage has advised all its users to change theirs regardless, and they should.

The emails are not fundamentally revealing data; billions have been exposed over the years through the likes of the Equifax and Yahoo breaches. They’re mainly damaging in connection with other data. For instance, the hackers could put two and two together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That’s why it’s good to use a password manager and have unique passwords for every site.

MyHeritage’s confidence that other data was not accessed appears to be for a good reason: Credit card information is not stored on MyHeritage to begin with, but only on trusted third-party billing providers (e.g. BlueSnap, PayPal) utilized by MyHeritage.
