Privacy Roundup #0072 • July 2012
July 2012 was defined by a wave of plaintext password leaks, fresh evidence of mass cellphone and Skype surveillance, and a string of regulators and courts wrestling with location tracking and facial recognition.
1. Yahoo Voices breach spills 450,000 plaintext passwords
A group calling itself D33DS Company used an SQL injection attack to lift around 450,000 login records from Yahoo Voices, the service formerly known as Associated Content. The passwords were stored in plain text, so attackers could read them straight away and try them against other email providers.
→ bgr.com
2. Formspring resets 28 million passwords after server raid
The question-and-answer site Formspring forced a password reset for all 28 million of its users after about 420,000 password hashes turned up online. An attacker had broken into a development server and used that foothold to pull account information from a production database.
3. Nvidia suspends developer forums after password theft
Nvidia took its Developer Zone and user forums offline after intruders accessed credentials belonging to roughly 400,000 members. The exposed data included usernames, email addresses and salted password hashes, and the company reset every account password before bringing the sites back.
4. Android Forums breach exposes more than a million accounts
Android Forums, run by Phandroid, told its members to change their passwords after a hacker accessed the database behind the site. The stolen records covered more than a million users and included usernames, email addresses, salted password hashes and registration IP addresses.
5. Hacker dumps 8 million Gamigo passwords months after breach
An attacker published a 500MB file containing more than 8 million login records stolen from the German gaming company Gamigo, several months after the original intrusion. The passwords were stored as unsalted MD5 hashes, a method security researchers had considered broken for years.
6. Dropbox confirms breach that led to user spam
Dropbox said an employee account had been compromised using a password reused from another breached site, exposing a document full of customer email addresses. Users had complained for weeks about spam arriving at addresses they used only with Dropbox, which prompted the investigation.
7. Google to pay record $22.5 million over Safari tracking
Reports emerged of a tentative settlement in which Google would pay the Federal Trade Commission $22.5 million for bypassing privacy settings in Apple's Safari browser. The case centred on tracking cookies placed in the browsers of users who had been told they were opted out, in breach of an earlier FTC order.
8. Carriers field 1.3 million law enforcement data demands
Representative Edward Markey released figures from nine wireless carriers showing that police had made about 1.3 million requests for subscriber data in a single year. The demands covered call records, text messages and cell tower location data, much of it obtained without a warrant.
9. Government admits surveillance breached the Fourth Amendment
The Office of the Director of National Intelligence acknowledged that the secret FISA court had once found government collection unreasonable under the Fourth Amendment. The disclosure, prised loose by Senator Ron Wyden, arrived as Congress weighed reauthorising the FISA Amendments Act.
10. NSA whistleblower says agency is profiling every citizen
At the HOPE Number Nine conference, former NSA official William Binney told attendees the agency was assembling data on virtually every person in the country. He estimated that around 1.6 billion records had been processed since 2001 and warned that domestic communications were being swept up without oversight.
11. Senate hearing presses FBI and Facebook on facial recognition
A Senate Judiciary subcommittee chaired by Al Franken examined how law enforcement and companies were deploying facial recognition. Franken pressed the FBI over its growing photo database and criticised Facebook for switching on tag suggestions without asking users to opt in.
→ phys.org
12. New York court again orders Twitter to hand over tweets
A New York criminal court rejected Twitter's attempt to quash a subpoena for the account records of Occupy Wall Street protester Malcolm Harris. The judge ruled that the tweets and location data were not protected by the Fourth Amendment, a decision the EFF called out of step with digital privacy.
13. Skype faces questions over routing calls for police
Microsoft drew scrutiny after reports that it had moved Skype's supernodes onto its own servers, a change critics said could make calls easier to monitor. Skype insisted the work was about reliability and that voice traffic still did not pass through the supernodes.
14. Twitter suspends journalist over NBC executive's email
Twitter suspended British journalist Guy Adams after he tweeted the corporate email address of an NBC Sports executive amid criticism of the network's Olympic coverage. The company reinstated the account once NBC withdrew its complaint, but the episode raised concerns about a partner steering moderation.
15. Franken amendment seeks to strip surveillance powers from cybersecurity bill
As the Senate debated the Cybersecurity Act of 2012, Senator Al Franken offered an amendment to remove the section letting companies monitor private communications and deploy countermeasures. The EFF backed the fix while continuing to oppose the wider bill over its surveillance provisions.
16. Report finds many iPhone apps still grab address books
A BitDefender study found that nearly one in five popular iOS apps could read a user's entire address book, often without clear notice. The findings underlined how much data apps were collecting ahead of the privacy controls Apple had promised for iOS 6.
17. Apple pulls the Clueful privacy app from its store
Apple removed BitDefender's Clueful app, which had told users what other applications were doing with their data, from the iOS App Store. The tool had reported that large shares of apps tracked location and read address books, and BitDefender said it could not discuss the reasons under a non-disclosure agreement.
18. ACLU launches nationwide push on licence plate readers
The ACLU sent public records requests to almost 600 police forces and federal agencies seeking details of how automatic licence plate readers were used. The coordinated effort across 38 states aimed to expose how long agencies kept records on ordinary drivers and with whom they shared them.
19. ICO fines lender over half a million lost customer records
The Information Commissioner's Office fined Welcome Financial Services £150,000 after two unencrypted backup tapes holding the records of more than 500,000 customers went missing. The tapes contained names, addresses, dates of birth and loan details, and were never recovered.
→ www.mortgagefinancegazette.com
20. Lawmakers demand answers from nine major data brokers
A bipartisan group of legislators led by the Congressional Privacy Caucus sent letters to nine large data brokers, including Acxiom, Experian and Equifax. They asked how the firms collected, refined and sold detailed profiles of consumers, and what control individuals had over the information.