Privacy Roundup #0150 • January 2019
January 2019 opened the year with record breaches, the first big GDPR fine, and fresh proof that phones, cameras, and DNA quietly feed surveillance.
1. Abine Blur password manager leaves 2.4 million users exposed
Abine disclosed that a misconfigured storage bucket left a file with email addresses, names, password hints, and encrypted passwords open to anyone. The company said the data belonged to users who had registered before January 2016.
2. Hackers dump personal data of hundreds of German politicians
The private details of hundreds of German lawmakers and public figures, including Chancellor Angela Merkel, were posted online in advent-calendar style over several weeks. The leak exposed phone numbers, credit card details, identity documents, and private chats.
→ www.infosecurity-magazine.com
3. A reporter paid a bounty hunter 300 dollars to locate a phone
Motherboard showed how AT&T, T-Mobile, and Sprint sold customer location data that trickled down through aggregators to bounty hunters. A reporter paid one hunter 300 dollars to track a phone to within a few hundred metres using only its number.
4. Ring let staff watch customers through their own cameras
The Intercept reported that Ring gave its Ukraine research team access to a folder holding video from every Ring camera in the world. United States engineers could also pull up any customer's live feed with nothing more than an email address.
5. Unprotected database exposes 202 million Chinese job seekers
A researcher found an 854 gigabyte MongoDB instance with detailed resumes of more than 202 million people in China, all reachable without a password. The records held phone numbers, email addresses, marital status, salary expectations, and more.
6. El Chapo's encrypted network fell when his IT man flipped
Court testimony revealed that the FBI defeated the drug lord's encrypted phone system by turning his IT consultant into a cooperating witness. The consultant moved the servers and handed federal agents the keys during a routine upgrade.
7. Troy Hunt reveals the 773 million record Collection #1 breach
Security researcher Troy Hunt detailed Collection #1, an aggregated trove of 773 million unique email addresses and 21 million passwords pulled from thousands of earlier breaches. The set had been posted to a hacking forum and was built for credential stuffing.
8. Check Point finds flaws that hijacked Fortnite accounts
Check Point researchers disclosed vulnerabilities in Epic Games' login system that let attackers take over Fortnite accounts. A single click on a crafted link could hand over a player's authentication token, account, and stored payment access.
9. Oklahoma securities agency leaks three terabytes including FBI files
UpGuard found an open rsync server at the Oklahoma Department of Securities exposing around three terabytes of files. The data spanned decades and included Social Security numbers, system credentials, and records from FBI investigations.
10. Judge rules police cannot force biometric phone unlocking
A California magistrate judge denied a warrant that would have compelled people to unlock devices with a finger, face, or iris. The judge held that using a biometric feature is equivalent to giving a passcode and is protected by the Fifth Amendment.
11. France fines Google 50 million euros under the GDPR
The French regulator CNIL imposed a 50 million euro penalty on Google for a lack of transparency and invalid consent for ad personalisation. It was the first large fine handed down under the GDPR and followed complaints from privacy groups.
12. Spammers abused a weakness at GoDaddy to send threats
Krebs on Security reported that a flaw in GoDaddy's domain setup let attackers claim dormant domains owned by major companies. Criminals used the trick to send sextortion emails and bomb threats from trusted-looking names.
13. Server lapse exposes 24 million mortgage and loan documents
An unprotected Elasticsearch server spilled more than 24 million banking and mortgage files tied to major United States lenders. The records held names, addresses, Social Security numbers, and bank account details going back over a decade.
14. Facebook plans to merge and encrypt its messaging apps
Reports said Facebook would unify the messaging backends of Messenger, Instagram, and WhatsApp and add end-to-end encryption across them. The plan raised questions about competition, security, and how much data would flow between the services.
15. EFF warns a surveillance wall is no better than a concrete one
The Electronic Frontier Foundation argued that border security bills should avoid biometric collection, DNA gathering, social media monitoring, drones, and licence plate readers. It warned these tools sweep up data on millions of lawful residents near the border.
16. Facebook paid teenagers to install a spying VPN app
TechCrunch revealed that Facebook paid users aged 13 to 35 up to 20 dollars a month to install a Research VPN that monitored their phone and web activity. The app was distributed outside the App Store through beta services that hid Facebook's role.
17. Apple disables Group FaceTime over an eavesdropping bug
A flaw in Group FaceTime let a caller hear and sometimes see the person they were calling before the call was answered. Apple turned off the feature while it prepared a fix for the serious privacy hole.
18. Apple bans Facebook's Research app and breaks its internal tools
After the Research app story broke, Apple revoked Facebook's enterprise certificate, citing a clear breach of its rules. The move also disabled Facebook's internal iOS apps until Apple restored access.
19. Apple revokes Google's certificate over the Screenwise app
Apple also pulled Google's enterprise certificate after learning that Google distributed a Screenwise Meter data-collection app the same way. Internal Google iOS apps stopped working until the certificate was restored hours later.
20. FamilyTreeDNA gave the FBI access to its genetic database
BuzzFeed News reported that FamilyTreeDNA quietly let the FBI search its database of nearly two million genetic profiles. It was the first time a consumer testing firm had voluntarily opened its data to law enforcement, alarming privacy advocates.