Privacy Roundup #0059 • June 2011

A breach-soaked month dominated by LulzSec, with banks, games firms and spy agencies all losing data to hackers.

1. Google says China-based phishing hijacked senior officials' Gmail

Google disclosed a campaign, traced to Jinan in China, that stole passwords from the personal Gmail accounts of senior American officials, activists and journalists. The company said its own systems were not breached and that it had warned the victims.

www.bankinfosecurity.com

2. LulzSec exposes a million Sony Pictures accounts held in plaintext

LulzSec broke into SonyPictures.com through a simple SQL injection and claimed the site stored more than a million customer passwords without any encryption. The group published a sample of email addresses and passwords to prove the point.

www.theregister.com

3. LulzSec hacks FBI affiliate InfraGard Atlanta

LulzSec broke into the Atlanta chapter of InfraGard, an FBI partnership with private business, and dumped its user database online. The group framed the raid as a reply to reports that the Pentagon might treat some cyber attacks as acts of war.

www.digitaltrends.com

4. LulzSec breaches Nintendo but takes nothing

LulzSec found a hole in a Nintendo server and announced the intrusion, while insisting it meant the company no harm. Nintendo confirmed the breach but said no customer data had been taken.

siliconangle.com

5. Facebook switches on face recognition by default

Facebook quietly rolled out its "tag suggestions" face recognition feature to users outside the United States, with the option turned on by default. Privacy researchers criticised the move for making people opt out of a system that had learned what they looked like.

www.theregister.com

6. RSA to replace SecurID tokens after Lockheed attack

RSA admitted that data stolen in its March breach had been used in an attempted attack on Lockheed Martin and offered to replace SecurID tokens for affected corporate customers. The pledge could have touched tens of millions of users.

threatpost.com

7. LulzSec warns the NHS of a security hole

LulzSec emailed administrators at the British National Health Service to report a vulnerability and admit it held several admin passwords. The group said it meant no harm and only wanted to help fix the problem.

www.techmonitor.ai

8. Sophisticated cyber attack hits the IMF

The International Monetary Fund told its board that hackers had run a sophisticated attack aimed at planting an insider presence on its network. Officials called it a major breach, and the FBI joined the investigation.

www.aljazeera.com

9. Turkey arrests 32 Anonymous suspects as the group strikes Spain

Turkish police detained 32 people across a dozen cities over denial of service attacks on government websites. Anonymous hit back at related arrests by knocking Spain's national police website offline.

www.route-fifty.com

10. EPIC asks the FTC to halt Facebook face recognition

EPIC and three other groups filed a complaint with the Federal Trade Commission over Facebook's covert deployment of face recognition. They argued the company gathered photo data without consent and asked regulators to suspend the feature.

www.hunton.com

11. LulzSec claims credit for taking down the CIA website

LulzSec said it had knocked the public CIA.gov site offline with a simple packet flood and tweeted "Tango down". The agency investigated, though some observers wondered whether the crush of curious visitors had done the damage.

www.informationweek.com

12. Citigroup says 360,000 card customers hit by hackers

Citigroup revised the scale of its breach upwards, saying hackers had reached the account data of more than 360,000 American credit card customers. Names, account numbers and contact details were taken, though security codes and social security numbers were not.

phys.org

13. LulzSec dumps 62,000 email and password pairs

LulzSec posted more than 62,000 email and password combinations to the web and Twitter, inviting followers to try them out. Accounts on Facebook, Amazon, Gmail, Yahoo and World of Warcraft appeared to be compromised as a result.

www.infosecurity-magazine.com

14. Mt. Gox bitcoin price collapses after account compromise

A compromised account at the Mt. Gox exchange was used to flood the market with a huge sell order, briefly driving the bitcoin price towards zero. The exchange went offline to roll back trades, and details of more than 60,000 users were stolen.

www.theregister.com

15. Sega loses 1.29 million customer records

Hackers breached the Sega Pass website run by Sega Europe and made off with about 1.29 million customer records. The haul included names, dates of birth, email addresses and encrypted passwords, though no card details.

phys.org

16. Dropbox bug let anyone log in with any password

A code update at Dropbox introduced a bug that let users sign into any account with any password for about four hours. The company logged everyone out, fixed the flaw and began checking whether accounts had been improperly accessed.

techcrunch.com

17. LulzSec knocks the UK's Serious Organised Crime Agency offline

LulzSec announced "Tango down" against soca.gov.uk and briefly disrupted the agency's public website. The group suggested the denial of service attack might have served as cover for deeper intrusion.

www.computerworld.com

18. LulzSec dumps hundreds of Arizona police files

LulzSec released roughly 700 internal Arizona law enforcement documents, along with the personal details of several officers. The group said it had targeted the state in protest at its SB1070 immigration law.

www.theregister.com

19. LulzSec disbands after fifty days of hacks

LulzSec announced it was ending its campaign after fifty days, releasing a final cache of stolen data as it went. The group said the plan had always been to run for a fixed spell rather than to flee from law enforcement.

techcrunch.com

20. Groupon India leaks 300,000 plaintext passwords

The user database of Groupon's Indian subsidiary Sosasta was left exposed and indexed by Google, revealing email addresses and clear-text passwords for about 300,000 people. A security researcher found it through a simple search, and the company pulled it offline and warned users to change their passwords.

www.theregister.com
