Privacy Roundup #0118 • May 2016

May 2016 was the month of the historical mega breach, as hundreds of millions of old LinkedIn, MySpace, Tumblr and Fling credentials surfaced for sale, while Europe locked in the GDPR and lawmakers fought over encryption.

1. LinkedIn confirms 117 million accounts from its 2012 breach are for sale

A hacker using the name Peace offered 117 million LinkedIn email addresses and passwords on a dark web market, far more than the 6.5 million the company had admitted in 2012. LinkedIn began invalidating affected passwords and urged members to turn on two-factor authentication.

www.theregister.com

2. MySpace breach exposes around 360 million old accounts

Data on roughly 360 million MySpace accounts, created before June 2013, went up for sale on the dark web, with usernames, email addresses and weakly hashed passwords. The company invalidated passwords for affected accounts after the cache surfaced.

fortune.com

3. Tumblr discloses a 2013 breach affecting 65 million users

Tumblr warned that a third party had obtained more than 65 million user email addresses and salted, hashed passwords from early 2013, before the Yahoo acquisition. The stolen records appeared for sale on a dark web marketplace at the end of the month.

www.welivesecurity.com

4. Fling.com data on 40 million users put up for sale

The personal records of more than 40 million users of the adult dating site Fling.com were offered on a dark web market, including clear-text passwords, dates of birth and sexual preferences. Fling confirmed the incident but blamed a hack that dated back to 2011.

www.globaldatinginsights.com

5. 10 key facts businesses need to note about the GDPR

With the General Data Protection Regulation published in the Official Journal and entering into force on 24 May 2016, Computer Weekly set out the obligations that organisations would face. The report stressed that firms had until 25 May 2018 to comply with rules covering consent, breach notification and fines of up to four percent of global turnover.

www.computerweekly.com

6. European Parliament says the Privacy Shield needs more work

Members of the European Parliament adopted a resolution calling on the Commission to keep negotiating improvements to the proposed EU-US Privacy Shield. They flagged worries about bulk data collection and the independence of the planned US ombudsperson.

www.europarl.europa.eu

7. Jury finds Google's use of Java APIs is fair use

A federal jury in San Francisco found unanimously that Google's use of 37 Java package names and around 11,000 lines of declaring code in Android was lawful fair use. The verdict was a major win for interoperability after Oracle had sought up to 9 billion dollars in damages.

www.eff.org

8. Twitter cuts off US intelligence agencies from Dataminr

Twitter stopped the analytics firm Dataminr from feeding real-time alerts about world events to US intelligence agencies. The company said it had never authorised any third party to sell its data to a government for surveillance purposes.

fortune.com

9. Kiddicare admits a breach of nearly 800,000 customers

The British baby goods retailer Kiddicare told customers that names, addresses, phone numbers and email addresses of about 795,000 people had been stolen. The data had been exposed on a test website that used real customer records.

www.theregister.com

10. Researchers publish a scraped dataset of nearly 70,000 OkCupid profiles

Two Danish researchers scraped and released a dataset of nearly 70,000 OkCupid profiles, including usernames, ages, locations and answers to intimate questions. Critics called it a serious ethics failure, and the host took the data down after an uproar.

www.engadget.com

11. Google's new Allo messenger will not encrypt by default

Google announced its Allo messaging app with end-to-end encryption available only in an optional incognito mode rather than as the default. Privacy advocates and Edward Snowden criticised the choice, which kept messages readable so the Google Assistant could work.

techcrunch.com

12. A second bank is hit in the SWIFT fraud campaign

Vietnam's Tien Phong Bank revealed that it had blocked an attempt to steal more than one million euros using fraudulent SWIFT messages. The technique matched the one used in the earlier theft of 81 million dollars from the Bangladesh central bank.

www.securityweek.com

13. The Burr-Feinstein anti-encryption proposal is declared dead

Reuters reported that the Burr-Feinstein draft, which would have forced companies to undermine their own encryption, would not be introduced this year and stood no chance of advancing. Civil liberties groups welcomed the collapse of the measure.

www.eff.org

14. New studies show surveillance chills speech and association

The EFF highlighted research, including a study of Wikipedia traffic, showing that people avoided reading or writing about sensitive topics once they learned they might be watched. Wikipedia views of terrorism-related articles dropped about 30 percent after the 2013 Snowden disclosures.

www.eff.org

15. Senator presses Facebook over Trending Topics suppression claims

Senator John Thune asked Facebook to explain reports that contractors had suppressed conservative stories in its Trending Topics section. The inquiry pressed the company on who approved trending items and how it kept records of those editorial decisions.

money.cnn.com

16. FBI wants to remove privacy protections from its massive biometrics database

The EFF and more than forty other groups objected to an FBI proposal to exempt its Next Generation Identification system from key Privacy Act safeguards. The change would have stripped Americans of the right to learn whether their fingerprints, faces and iris scans were held in the database or to correct inaccurate records.

www.eff.org

17. Tavis Ormandy finds a wormable flaw in Symantec antivirus

Google researcher Tavis Ormandy disclosed a remotely exploitable bug in the core engine of Symantec and Norton antivirus products. Because the software parsed files automatically, simply emailing a malicious file could corrupt kernel memory without any user interaction.

www.theregister.com

18. Microsoft starts banning common passwords from breach lists

Microsoft said it would dynamically block weak and commonly used passwords across its Account service and Azure Active Directory. The system drew on credentials leaked in breaches and on attacks seen against Microsoft's own login systems.

www.theregister.com

19. Wendy's confirms point-of-sale malware at hundreds of restaurants

In its quarterly results, Wendy's disclosed that malware had infected payment systems at fewer than 300 of its restaurants through compromised vendor credentials. The breach, later found to be far larger, exposed cardholder names, numbers, expiry dates and verification codes.

www.bankinfosecurity.com

20. ImageTragick flaw lets attackers run code through image uploads

A set of vulnerabilities in the widely used ImageMagick library, nicknamed ImageTragick, was disclosed publicly. The worst flaw allowed remote command execution on any web service that processed user-supplied images, putting countless sites at risk.

blog.sucuri.net
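One mitigation recommended when ImageTragick was disclosed was to verify an upload's magic bytes before handing it to ImageMagick, because the library otherwise guesses the format from the file's content. The check below is an added example written for this roundup, not code from the advisory or from ImageMagick; the signature table and the sample byte strings are constructed.

```python
"""Magic-byte check for uploaded images.

Only files whose leading bytes match the format their extension claims are
allowed through, so a text file renamed to .png never reaches the image
library's content sniffing. Example code; the signature table below is
constructed for this illustration and covers only a few common formats.
"""

MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def magic_bytes_match(data: bytes, claimed_ext: str) -> bool:
    """Return True only if `data` starts with a known signature for the
    format named by `claimed_ext`; unknown extensions are rejected."""
    sigs = MAGIC.get(claimed_ext.lower().lstrip("."))
    if not sigs:
        return False  # unsupported or unknown extension: reject, do not sniff
    return any(data.startswith(sig) for sig in sigs)


# Constructed samples: a genuine PNG header padded with zeros, and a plain
# text file that merely claims to be a PNG via its extension.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DISGUISED_TEXT = b"push graphic-context\n"

if __name__ == "__main__":
    print(magic_bytes_match(GOOD_PNG, "png"))        # True
    print(magic_bytes_match(DISGUISED_TEXT, "png"))  # False
```

The check is a gate in front of ImageMagick, not a replacement for the policy.xml hardening that was also published at the time.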
