Privacy Roundup #0119 • June 2016
June 2016 was the month the credential reuse wave broke, as old mega breaches at LinkedIn, MySpace and VK fed account takeovers across the web while state hacking and corporate data deals raised the privacy stakes.
1. Time Inc. confirms the MySpace breach of 360 million accounts
Time Inc. confirmed that login data stolen from the old MySpace platform was circulating on a hacker forum, with reports putting the count at around 360 million accounts. The exposed records included usernames, email addresses and passwords from before the 2013 relaunch.
2. TeamViewer users report their accounts hijacked
Users of the remote access tool TeamViewer reported that attackers had taken control of their machines and drained PayPal and Amazon accounts. The company blamed careless password reuse rather than a breach of its own systems, even as a denial of service attack hit its servers.
3. Dropbox wrongly blamed in a week of mega breaches
Identity theft firms warned customers that Dropbox credentials had leaked, but Dropbox had not been breached at all. The data had in fact come from the 2013 Tumblr breach, and the false alarm showed how loosely threat intelligence claims were being passed along.
4. Cici's Pizza hit by point of sale card breach
Banks traced a pattern of card fraud back to Cici's Pizza locations, where attackers had posed as technical support staff to install card stealing malware. The intruders used remote tools to plant the software on payment terminals across many restaurants.
5. Mark Zuckerberg's social media accounts hacked
A group calling itself OurMine briefly took over the Twitter, Pinterest and LinkedIn accounts of Facebook founder Mark Zuckerberg. The hackers said they had found his password in the LinkedIn data dump, where it was reportedly the weak string "dadada".
6. 100 million VK accounts put up for sale
A seller using the alias Tessa88 offered roughly 100 million accounts from the Russian social network VK on a dark web market. The records held names, email addresses, phone numbers and passwords that the site had stored in plain text.
7. Passwords for 32 million Twitter accounts surface online
A trove of nearly 33 million Twitter login credentials appeared for sale, supplied by the same person who had distributed the VK data. Twitter said its systems had not been breached and suggested the credentials had been harvested by browser malware.
8. Wendy's says its card breach is far larger than first thought
Wendy's disclosed that a new variant of point of sale malware had been found in restaurants previously believed clean. The company warned that the number of affected locations would be considerably higher than the 300 first reported.
9. Microsoft agrees to buy LinkedIn for $26.2 billion
Microsoft announced an all cash deal to acquire LinkedIn, putting the professional network's vast store of personal data under new ownership. The plan to apply machine learning to that data drew immediate questions about how member information would be used.
10. Apple unveils differential privacy at WWDC
At its developer conference Apple introduced differential privacy, a statistical technique meant to gather usage data while masking the contribution of any one person. The company framed it as a way to improve features such as QuickType without building profiles of individual users.
11. CrowdStrike reveals Russian intelligence hacked the DNC
CrowdStrike disclosed that two Russian state linked groups had breached the Democratic National Committee and accessed its files, including opposition research on Donald Trump. The firm attributed the intrusions to adversaries it named Cozy Bear and Fancy Bear.
12. GitHub resets passwords after a reuse attack
GitHub said attackers had logged into a number of accounts using credentials leaked from other breached services. The company reset the affected passwords and urged users to turn on two factor authentication, stressing that its own systems were not compromised.
13. Acer admits hackers stole up to 34,500 customers' card details
Acer disclosed that its online store had leaked the names, addresses and full payment card details of as many as 34,500 shoppers. An employee had left debugging mode enabled for nearly a year, writing transaction data into an unencrypted log file.
14. GoToMyPC forces a reset of all passwords
Citrix reset the passwords of every GoToMyPC user after a wave of credential stuffing against the remote access service. The attackers had reused usernames and passwords leaked from other sites such as LinkedIn and MySpace.
15. Carbonite resets 1.5 million passwords after reuse attack
The online backup firm Carbonite forced a password reset for all of its 1.5 million users following a credential stuffing campaign. The company said attackers had used stolen logins from other breaches and that some personal information may have been exposed.
16. Investigatory Powers Bill reaches the House of Lords
The United Kingdom's Investigatory Powers Bill, widely called the snoopers' charter, received its second reading in the House of Lords. The bill set out sweeping surveillance powers, including bulk data collection and the retention of internet connection records.
17. Google's Project Zero finds critical flaws in Symantec and Norton
Researcher Tavis Ormandy reported wormable remote code execution flaws across Symantec and Norton security products, calling them as bad as it gets. The bugs needed no user interaction and ran at the highest privilege levels, in some cases inside the kernel.
18. Noodles & Company confirms a payment card breach
Noodles & Company confirmed that malware had infected its payment processing system and exposed customer card data over several months. The intrusion affected more than 400 locations across 28 states.
19. Hard Rock Las Vegas reports a seven month card breach
The Hard Rock Hotel and Casino in Las Vegas disclosed that card scraping malware had been lifting payment data from its restaurant and retail outlets. The compromise ran from late October 2015 into March 2016 and marked the venue's second breach in two years.
20. HummingBad malware found controlling 10 million Android devices
Check Point detailed HummingBad, Android malware that planted a persistent rootkit on around 10 million devices to drive fraudulent advertising revenue. Researchers traced the campaign to a Chinese firm, Yingmob, which held some control over tens of millions of phones in total.