Privacy Roundup #0161 • December 2019

December 2019 closed the decade with a flood of exposed databases, hacked home cameras and fresh fights over face recognition and encryption.

1. TrueDialog left tens of millions of text messages exposed online

Researchers found an unprotected database run by the business SMS provider TrueDialog sitting on the open internet without a password. The trove held message contents, two-factor codes and account credentials that could have been used to hijack other services.

techcrunch.com

2. Mozilla pulled Avast and AVG browser extensions over data harvesting

Mozilla removed four Avast and AVG extensions from its add-ons store after a researcher showed they gathered far more browsing data than they needed. The tools logged visited pages, clicks and tab activity and sent it back to Avast servers.

www.bleepingcomputer.com

3. DHS proposed mandatory airport face scans for US citizens

The Department of Homeland Security filed a plan to require facial recognition checks for American citizens entering and leaving the country, ending a long-standing exemption. The proposal drew immediate anger from lawmakers and privacy groups, and the department withdrew it within days.

techcrunch.com

4. The iPhone 11 Pro kept asking for location even when told not to

Brian Krebs reported that a new iPhone 11 Pro still sought the user's location at times despite location services being switched off for every app and system service. Apple at first said there was no problem, then explained that the new ultra-wideband chip needed location checks to satisfy regional rules.

krebsonsecurity.com

5. The Senate Judiciary Committee threatened to legislate against encryption

At a hearing on lawful access, senators warned Apple and Facebook that they would impose a solution if the companies did not weaken their encryption for law enforcement. Both firms told the committee that any back door would create serious security and privacy risks for ordinary users.

www.eff.org

6. Maze ransomware hit Pensacola and threatened to publish stolen files

The Maze gang encrypted systems belonging to the city of Pensacola and demanded a one million dollar ransom. Unlike older crews, Maze also exfiltrated data and threatened to leak it, an early example of the double extortion tactic that would soon spread.

threatpost.com

7. A stranger hacked a family's Ring camera and harassed a child

An intruder broke into a Mississippi family's Ring camera and spoke to their eight-year-old daughter through the device for several minutes. Ring blamed reused login credentials rather than a flaw in its systems, but the case fuelled wider alarm about its security.

www.buzzfeednews.com

8. LightInTheBox exposed 1.3TB of shopper records

The Chinese retailer LightInTheBox left an unsecured database holding around 1.5 billion server log entries open to anyone. The records included customer email addresses, IP addresses and the pages each visitor browsed across several months.

www.theregister.com

9. LifeLabs disclosed a breach affecting 15 million Canadians

The medical testing firm LifeLabs revealed that an attacker had accessed systems holding names, addresses, login details, dates of birth and health card numbers. The company said it had paid the criminals to retrieve the stolen data in what regulators later called the largest health breach in Canadian history.

www.bleepingcomputer.com

10. Honda exposed 26,000 North American vehicle owner records

A misconfigured Honda database left customer names, email addresses, postal addresses and vehicle details accessible without any password. A researcher found the records online and Honda secured the server within hours of being told.

www.bleepingcomputer.com

11. A database exposed 267 million Facebook users' names and phone numbers

Researchers found an unprotected database listing the IDs, phone numbers and names of more than 267 million Facebook users, most of them in the United States. The data, likely gathered by scraping or API abuse, was also posted to a hacker forum for download.

www.engadget.com

12. The New York Times showed how easily location data identifies people

In its One Nation, Tracked investigation, the paper analysed a file of more than fifty billion location pings from over twelve million phones. Although the data was billed as anonymous, reporters used it to follow named individuals, including military and law enforcement officials.

www.macrumors.com

13. Ring urged password changes after thousands of accounts were exposed

Consumer Reports found that around three thousand Ring account credentials had surfaced online, leaving cameras open to strangers. Ring blamed credential stuffing with passwords stolen elsewhere and pressed users to enable two-factor authentication.

www.consumerreports.org

14. Wawa disclosed a card-stealing breach across all its stores

The convenience chain Wawa said malware had collected payment card numbers, expiry dates and cardholder names at potentially every one of its locations for roughly nine months. The company found the malware in mid-December after it had run undetected since the spring.

www.washingtonpost.com

15. A US government study found most face recognition systems are biased

The National Institute of Standards and Technology tested nearly two hundred algorithms and found many were far more likely to misidentify Black, Asian and Native American faces. Women and the very young and old also faced higher error rates, raising the risk of false accusations.

www.technologyreview.com

16. Twitter fixed an Android flaw that could let attackers seize accounts

Twitter patched a vulnerability in its Android app that could have let a malicious app take over a user's account and read private information. Attackers could have sent tweets and direct messages and viewed account details that were meant to stay hidden.

variety.com

17. The ToTok chat app was revealed as a UAE surveillance tool

A New York Times investigation found that the popular messaging app ToTok was used by Emirati intelligence to track the calls, movements and contacts of the people who installed it. Apple and Google pulled the app from their stores after the report.

www.androidauthority.com

18. ICE used social media and data brokers to hunt down an immigrant

The Intercept obtained emails showing how Immigration and Customs Enforcement tracked a man through his Facebook posts and a commercial data broker database. Officers arrested him after he checked in to a Home Depot on the platform, illustrating how agencies sidestep legal limits by buying data.

theintercept.com

19. Russia said it had successfully tested disconnecting from the global internet

Moscow announced that it had completed exercises rerouting traffic inside its borders to see whether the country could run independently of the worldwide network. Officials said the tests showed Russia was ready to isolate its internet, a move critics tied to tighter state surveillance and control.

securityaffairs.com

20. Wyze exposed the data of 2.4 million camera owners

The smart home maker Wyze confirmed that an unsecured database had leaked customer email addresses, camera nicknames, Wi-Fi network names and some health metrics. The records sat open for roughly three weeks after an employee removed security controls in early December.

www.bleepingcomputer.com
