Privacy Roundup #0151 • February 2019
A month of mass dark web breach dumps, secret app tracking and regulators turning the screws on Facebook.
1. Apple ships a fix for the Group FaceTime eavesdropping bug
Apple rolled out iOS 12.1.4 to close a flaw that let a caller hear and sometimes see a recipient before they answered. The company also said it would compensate the teenager who first reported the problem.
2. Carriers sold customer location data that reached hundreds of bounty hunters
A Motherboard investigation found that a defunct data broker had passed real time location data from AT&T, T-Mobile and Sprint to roughly 250 bounty hunters and other parties. One bail bond firm used the service more than 18,000 times over five years.
3. FamilyTreeDNA admits it gave the FBI access to its DNA database
FamilyTreeDNA confirmed it had let the FBI upload crime scene DNA and search its database of nearly two million genetic profiles. It was the first time a consumer testing firm had voluntarily opened its records to police in this way.
4. Popular iPhone apps were caught secretly recording users' screens
TechCrunch found that apps from Air Canada, Expedia, Hollister and others used Glassbox session replay code to record every tap and keystroke. Some apps failed to mask the footage, exposing passport and payment card numbers.
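The failure in item 4 was not that the apps recorded screens but that the recordings left passport and card numbers readable. As an added example (not Glassbox's SDK or any of the named apps' code), this shows the masking step that belongs on the device before a capture leaves it: known sensitive fields are dropped by name, and free text is scanned for digit runs that pass the Luhn checksum so that a card number is masked while an order or phone number is left alone. The field names and sample values are constructed.

```python
"""Masking payment card numbers in session-replay captures.

Added example, not the code of Glassbox or of any app named above. It
assumes a replay recorder hands the capture pipeline each field's name
and typed text as a dict; the sample inputs below are constructed.
"""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed, for illustration) that are never worth recording.
SENSITIVE_FIELDS = {"password", "passport", "card_number", "cvv"}


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card numbers in free text, keeping only the last four digits."""
    def _mask(match: "re.Match") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # a phone or order number, not a card
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, text)


def redact_capture(fields: dict) -> dict:
    """Drop sensitive fields by name, then scan everything else for card numbers."""
    out = {}
    for name, value in fields.items():
        if name in SENSITIVE_FIELDS:
            out[name] = "<redacted>"
        else:
            out[name] = mask_pans(value)
    return out


if __name__ == "__main__":
    # Constructed capture of a checkout screen.
    capture = {
        "email": "traveller@example.com",
        "passport": "X1234567",
        "notes": "Paid with 4111 1111 1111 1111, order 1234567890123",
    }
    print(redact_capture(capture))
```

The field-name list is the fast path; the Luhn scan is the safety net for free-text fields, which is exactly where the unmasked numbers in the TechCrunch findings ended up.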
5. German regulator bars Facebook from combining user data without consent
The Bundeskartellamt ruled that Facebook had abused its dominance by pooling data from its own services and third party sites. It ordered the company to stop merging that data unless users freely agreed.
→ www.dataprotectionreport.com
6. 620 million stolen accounts from 16 sites went on sale on the dark web
A seller put databases from Dubsmash, MyFitnessPal, MyHeritage, 500px and a dozen other sites up for less than 20,000 dollars in Bitcoin. The records held names, email addresses and hashed passwords.
7. The same hacker returned with 127 million more records from eight sites
Days after the first dump, the seller listed fresh data from Houzz, YouNow, Roll20, Coinmama and others. The new haul of 127 million records was offered for around 14,500 dollars in Bitcoin.
8. A third round added ClassPass, Gfycat and StreetEasy to the sale
The prolific hacker disclosed eight more breaches covering about 91 million accounts. The running total across the campaign reached roughly 841 million records from 32 companies (16 sites in the first dump, eight in the second and eight in the third).
9. Coffee Meets Bagel told users of a breach on Valentine's Day
The dating app disclosed that an unauthorised party had accessed names and email addresses added before May 2018. The notice landed as the same data surfaced in the wider dark web sale.
10. Hackers wiped out email provider VFEmail's servers and backups
Attackers destroyed almost two decades of data by formatting every US server, including backups, in a matter of hours. No ransom note arrived, and the owner said the service was effectively gone.
11. Nest warned owners after cameras were hijacked through reused passwords
Google said a string of frightening Nest camera takeovers stemmed from credential stuffing rather than a breach of its systems. It urged owners to use unique passwords and switch on two step verification.
12. UK lawmakers branded Facebook a 'digital gangster'
The Commons DCMS committee published an 18 month inquiry into disinformation that accused Facebook of acting as if it were beyond the law. It called for compulsory regulation and an antitrust investigation.
13. Period and health apps were sending intimate data to Facebook
A Wall Street Journal investigation found that the period tracker Flo and ten other apps shared sensitive data with Facebook without clear consent. Facebook received details such as where a user was in her menstrual cycle, tied to an advertising identifier.
14. The Intercept revealed how Ring courted police forces
Reporting showed Ring building a portal to speed up police access to customer doorbell footage as its surveillance chief declared war on criminals. The pieces deepened concerns about a private camera network feeding law enforcement.
15. Researchers found 763 million records exposed by verifications.io
Bob Diachenko discovered an unprotected MongoDB database from the email validation service holding email addresses, names, phone numbers and dates of birth. It ranked among the largest single source leaks ever recorded.
16. Australia's parliament network was breached by a state actor
Officials said a sophisticated state actor had compromised the parliamentary network and the systems of the main political parties. The Prime Minister did not name the country but said there was no sign of electoral interference.
17. EU negotiators agreed the final text of the copyright directive with upload filters
Trilogue talks closed a deal on the Copyright Directive that left Article 13's automated copyright filters and Article 11's link tax intact. Digital rights groups warned that the rules would force platforms to police and arbitrarily censor what Europeans post.
18. OkCupid users were locked out as hackers hijacked their accounts
Daters reported that intruders had changed their passwords and email addresses, in some cases using private details to send harassing messages. OkCupid denied any breach and blamed credential stuffing with passwords reused from elsewhere.
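Items 11 and 18 both put the takeovers down to credential stuffing rather than a breach of the service itself. As an added example (not Google's, Nest's or OkCupid's code), this is the kind of check a service can run over its own authentication logs to tell a stuffing run from an ordinary user mistyping a password: one source trying many distinct usernames with a low success rate. It assumes a simplified `timestamp ip user result` log format, and the log lines are constructed.

```python
"""Spotting credential stuffing in authentication logs.

Added example; it is not code from Google, Nest or OkCupid. The log
format (timestamp, source IP, username, OK/FAIL) is assumed and the
sample lines below are constructed.
"""
from collections import defaultdict

# Constructed sample: one source walks a list of usernames and gets one hit,
# one user fumbles a password twice, one user logs in cleanly.
SAMPLE_LOG = """\
2019-02-20T10:00:01Z 198.51.100.7 alice FAIL
2019-02-20T10:00:02Z 198.51.100.7 bob FAIL
2019-02-20T10:00:02Z 198.51.100.7 carol OK
2019-02-20T10:00:03Z 198.51.100.7 dan FAIL
2019-02-20T10:00:03Z 198.51.100.7 eve FAIL
2019-02-20T10:00:04Z 198.51.100.7 frank FAIL
2019-02-20T10:00:04Z 198.51.100.7 grace FAIL
2019-02-20T10:00:05Z 198.51.100.7 heidi FAIL
2019-02-20T10:01:10Z 203.0.113.5 dave FAIL
2019-02-20T10:01:25Z 203.0.113.5 dave FAIL
2019-02-20T10:01:40Z 203.0.113.5 dave OK
2019-02-20T10:02:00Z 192.0.2.9 erin OK
"""


def parse_log(text: str) -> list:
    """Turn log text into (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def stuffing_sources(events: list, min_users: int = 5, max_success_rate: float = 0.2) -> dict:
    """Flag source IPs that try many distinct accounts and mostly fail.

    A real deployment would use a sliding window and per-ASN thresholds;
    the two thresholds here are illustrative.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _, ip, user, ok in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        rec["successes"] += int(ok)

    flagged = {}
    for ip, rec in per_ip.items():
        rate = rec["successes"] / rec["attempts"]
        if len(rec["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "attempts": rec["attempts"],
                "successes": rec["successes"],
            }
    return flagged


def compromised_accounts(events: list, flagged: dict) -> list:
    """Accounts a flagged source logged into: these need a forced reset, not just a warning."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = stuffing_sources(evs)
    print(hits)
    print("reset:", compromised_accounts(evs, hits))
```

The distinction matters for the response: a flagged source with zero successes is noise to rate-limit, while any account it did get into should be treated as having a password that is already public, which is why both Google and OkCupid pointed users at unique passwords and second factors rather than at a fix on their side.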
19. 500px reset 14.8 million passwords after disclosing a breach
The photo sharing site revealed that an intruder had taken profile data for every one of its users in an attack dating back to July 2018. Exposed details included names, usernames, email addresses, dates of birth and hashed passwords.
20. Google admitted Nest Guard had an undisclosed microphone
Google conceded that the Nest Secure hub had shipped with a built in microphone that was never listed in its specifications. The company called the omission an error after the part surfaced through a new Google Assistant feature.