Privacy Roundup #0058 • May 2011
Sony's breach nightmare spread across the globe while regulators, researchers and hacktivists laid bare how little our personal data was protected.
1. Sony Online Entertainment discovers 24.6 million more accounts compromised
Sony revealed that a second intrusion had exposed personal records for some 24.6 million Sony Online Entertainment customers. An outdated database also gave up roughly 12,700 non-US payment card numbers and 10,700 European direct debit records.
2. LastPass forces a master password reset after a possible breach
The password manager LastPass spotted an unexplained network traffic anomaly and feared an intruder had siphoned email addresses, salts and hashed passwords. The company asked all of its users to change their master passwords as a precaution.
3. Senate panel grills Apple and Google over mobile location tracking
A Senate Judiciary subcommittee chaired by Al Franken questioned Apple and Google executives over how their phones gathered and stored location data. The hearing followed the discovery that iOS devices kept a long, unencrypted log of where their owners had been.
4. Symantec finds Facebook apps leaking access tokens
Symantec reported that a coding flaw caused many Facebook applications to hand third parties access tokens that worked like spare keys to user profiles. The firm estimated that hundreds of thousands of apps could have leaked millions of tokens to advertisers and analytics providers over the years.
→ phys.org
5. Researcher files FTC complaint accusing Dropbox of misleading users
Security researcher Christopher Soghoian asked the FTC to investigate Dropbox over claims that files were encrypted so that even staff could not read them. The complaint argued that Dropbox held the encryption keys itself and could therefore access customers' supposedly private folders.
6. Phishing site found running on Sony's Thai server
Researchers discovered that a Sony domain in Thailand had been hijacked to host a phishing page aimed at an Italian credit card company. The find added to a long run of embarrassing security lapses across Sony's web estate that month.
7. Sony Ericsson online store and Sony Music Japan hacked
A Lebanese hacker using the handle Idahc lifted names, email addresses and password hashes for about 2,000 customers of Sony Ericsson's Canadian eshop through a simple SQL injection. LulzSec hit Sony Music Japan with a separate injection attack the very same day.
8. Greek Sony Music site hacked and user data exposed
The SonyMusic.gr website was breached through an automated SQL injection tool, exposing usernames, real names and email addresses for thousands of registered users. The attackers passed the dumped database to reporters rather than keeping it quiet.
9. More Sony breaches hit Music Japan and Indonesia
A fresh wave of attacks defaced Sony Music Indonesia and dumped data from Sony Music Japan, both reached through trivial SQL injection flaws. The pile-on showed how poorly hardened Sony's many regional sites were.
10. Facebook admits hiring a PR firm to smear Google over privacy
Facebook confirmed that it had paid the public relations firm Burson-Marsteller to plant negative stories accusing Google of harvesting data through a Gmail feature called Social Circle. The scheme unravelled after a blogger published the firm's pitch and journalists traced the unnamed client back to Facebook.
11. Google unveils Google Wallet for tap-to-pay
Google launched Google Wallet and Google Offers, an NFC platform that turned a phone into a payment card. The company promised it would not sell customers' data, though early reviewers flagged how much information the app stored.
12. Honda Canada breach exposes 283,000 customers
Intruders pulled names, addresses and vehicle identification numbers for more than 283,000 customers from Honda Canada's myHonda and myAcura sites. Some records also included financing account numbers, and the company faced a lawsuit over the loss.
13. Lockheed Martin suspends remote access after a network intrusion
Defence contractor Lockheed Martin cut off remote access to email and corporate systems after detecting an intrusion linked to the earlier RSA SecurID breach. The firm reissued tokens to roughly 100,000 staff while it locked down its network.
14. Hotmail flaw silently forwarded victims' email
Trend Micro reported a cross-site scripting hole in Hotmail that let attackers quietly forward a victim's messages to themselves. The exploit fired simply when a user read or previewed a booby-trapped message disguised as a Facebook notice.
15. Hackers post a fake Tupac story on the PBS website
A group calling itself LulzSec broke into the PBS website and published a hoax article claiming the rapper Tupac Shakur was alive in New Zealand. The intruders also leaked station login details, angered by a Frontline documentary about WikiLeaks.
16. LulzSec rips a million records from Sony Pictures
LulzSec began siphoning Sony Pictures data on 30 May through a basic SQL injection and dumped it days later. The haul exposed more than a million accounts, with passwords stored in plain text, neither hashed nor encrypted.
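Items 2, 7, 8, 9 and 16 keep coming back to the same two failures: a login query built by string concatenation, and passwords stored where a single dump hands them to the attacker. The block below is an added illustration, not code from Sony, LastPass or any site named in this roundup. It uses an in-memory SQLite table with made-up accounts (constructed sample data) to show a login written the concatenating way, the UNION payload that dumps the whole table through it, and the hardened form: a parameterised lookup by username plus a salted PBKDF2 hash compared in constant time. The user names, passwords and iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the example; not real credentials.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


# ---- the pattern behind the 2011 breaches --------------------------------

def make_db_vulnerable():
    """Plaintext password column, as the dumps from items 8 and 16 showed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_sql(username, password):
    # DELIBERATELY VULNERABLE: untrusted input is spliced straight into SQL.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. Any quote in the input
    rewrites the query, so authentication can be bypassed outright."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def dump_via_injection(conn):
    """The 'automated SQL injection tool' step: one UNION payload pulls
    every username and plaintext password out through the login form."""
    payload = "' UNION SELECT username || ':' || password FROM users --"
    rows = conn.execute(vulnerable_sql(payload, "")).fetchall()
    return sorted(r[0] for r in rows)


# ---- the hardened form ----------------------------------------------------

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means a
    stolen table cannot be cracked with one precomputed list."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def make_db_hardened():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        # Parameterised insert: the driver quotes the values, not the code.
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    conn.commit()
    return conn


def login_hardened(conn, username, password):
    """Look the user up with a bound parameter, then verify the hash in
    code. The password never touches the SQL text at all."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    _, candidate = hash_password(password, bytes(salt))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return username if hmac.compare_digest(candidate, bytes(stored)) else None


def table_dump(conn):
    """What an attacker who does get the whole table would see."""
    return conn.execute("SELECT * FROM users").fetchall()


if __name__ == "__main__":
    weak = make_db_vulnerable()
    print("bypass login:", login_vulnerable(weak, "' OR 1=1 --", "anything"))
    print("dump:", dump_via_injection(weak))
    strong = make_db_hardened()
    print("hardened bob/hunter2:", login_hardened(strong, "bob", "hunter2"))
    print("hardened bypass attempt:", login_hardened(strong, "' OR 1=1 --", "x"))
```

Two points worth noting from running it. The injection works against `login_vulnerable` because the `--` turns the rest of the statement into a comment, so the password check is never evaluated; against `login_hardened` the same string is just an unknown username. And even if the hardened table were dumped by some other route, the rows hold only salts and PBKDF2 digests, which is the difference between the LastPass precautionary reset in item 2 and the plaintext lists LulzSec published in item 16.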
17. FTC testifies on protecting privacy on mobile devices
The Federal Trade Commission told Congress that smartphone apps raised fresh privacy worries, particularly around location tracking of young users. Staff argued that a Do Not Track mechanism should extend from web browsers to mobile applications.
18. Square Enix confirms Eidos website hack
Square Enix admitted that intruders had breached its Eidos Montreal site and two product pages, making off with about 25,000 registration email addresses. Up to 350 job applicants' resumes were also exposed in the raid.
19. FTC settles data security charges against Ceridian and Lookout Services
The Federal Trade Commission announced settlements with payroll processor Ceridian and immigration software firm Lookout Services over claims they had failed to protect employee records. Breaches at the two companies had exposed the Social Security numbers of tens of thousands of workers stored in plain readable text.
20. Congress demands answers over the Sony PlayStation breach
Members of Congress pressed Sony for details about the loss of personal data affecting 77 million PlayStation Network accounts. Lawmakers wanted to know when Sony had discovered the intrusion and why it had waited a week to warn its users.