Privacy Roundup #0166 • May 2020
A pandemic month in which contact tracing technology, mass data breaches and a Senate surveillance vote all tested the limits of personal privacy.
1. Hacker sells 91 million Tokopedia accounts on the dark web
A seller offered the records of 91 million users of Indonesia's largest online marketplace for around 5,000 dollars. The leaked data included email addresses, names, dates of birth and hashed passwords, and other forums began cracking and sharing the credentials for free.
2. GoDaddy notifies customers of breached hosting accounts
GoDaddy told around 28,000 customers that an unauthorised party had gained access to the SSH credentials used to connect to their hosting accounts. The intrusion happened in October 2019 but was not discovered until April 2020, leaving the attacker undetected for roughly six months.
3. The UK launches a centralised contact tracing app on the Isle of Wight
Britain began trialling an NHS contact tracing app that stored proximity data in a central government database rather than on people's phones. Critics warned that the centralised design risked re-identifying users and that contact records could be retained for research with no right of deletion.
4. Microsoft's private GitHub repositories are stolen
A hacker calling themselves ShinyHunters claimed to have taken more than 500 gigabytes of data from Microsoft's private GitHub account. Analysis suggested the haul was mostly code samples and test projects rather than core product source code, but a Microsoft employee confirmed that the data was genuine.
5. Zoom buys Keybase to build end-to-end encryption
Zoom acquired the encryption startup Keybase in its first ever acquisition, promising to develop a genuinely private video platform. The move came after months of criticism over the service's security as pandemic demand pushed it onto hundreds of millions of screens.
6. Thunderspy flaws expose millions of Thunderbolt computers
Researcher Bjorn Ruytenberg disclosed seven vulnerabilities, dubbed Thunderspy, that let an attacker with brief physical access read a locked machine's memory in about five minutes. The flaws affect Thunderbolt-equipped computers made between 2011 and 2020 and cannot be fixed in software.
7. Senate rejects a warrant requirement for Americans' browsing data
An amendment from senators Ron Wyden and Steve Daines that would have required a warrant before the government could seize web browsing and search histories fell one vote short of the sixty needed. The vote came as the Senate moved to reauthorise surveillance powers tied to Section 215 of the Patriot Act.
8. European supercomputers are hijacked to mine cryptocurrency
Attackers used stolen SSH credentials to break into supercomputers across the UK, Germany and Switzerland, several of which were running coronavirus research. Once inside, they exploited a Linux flaw to gain root access and quietly mine the Monero cryptocurrency.
9. Mercedes-Benz source code leaks through a misconfigured Git portal
Software engineer Till Kottmann downloaded more than 580 repositories from a Daimler code portal after finding that anyone could register an account without verification. The repositories held the source code for the onboard logic units in Mercedes vans, along with passwords and API tokens.
10. EasyJet says nine million customers were hit in a data breach
The airline disclosed that a sophisticated attacker had accessed the email addresses and travel details of around nine million customers. The credit card details of 2,208 people were also taken, and the company faced questions over the months that passed before it told those affected.
11. Apple and Google release their exposure notification API
The two companies made the public version of their privacy-preserving contact tracing technology available to health agencies on iOS and Android. The decentralised design uses Bluetooth and rotating keys rather than location data, and apps that use it are barred from also requesting GPS access.
12. Home Chef confirms a breach affecting eight million customers
The meal kit company admitted that hackers had stolen records belonging to around eight million customers. The data included names, email addresses, phone numbers, encrypted passwords and the last four digits of credit card numbers, and it surfaced for sale on a dark web market.
13. Forty million Wishbone user records are leaked for free
A hacker dumped the full database of the teen polling app Wishbone, exposing roughly forty million accounts. The records contained usernames, email addresses, phone numbers, dates of birth, hashed passwords and social media access tokens.
14. Signal rolls out registration lock to stop SIM-swap hijacking
Signal added a registration lock that requires a personal PIN, on top of an SMS code, before a phone number can be registered on a new device. The feature is designed to defend against SIM-swap attacks in which a criminal takes control of a victim's number.
15. unc0ver releases a zero-day jailbreak for iOS 13.5
The unc0ver team published a jailbreak that worked on every signed version of iOS up to the then-current 13.5. It relied on a previously unknown kernel vulnerability, which Apple patched days later in iOS 13.5.1.
16. A flaw in Qatar's contact tracing app exposed a million people
Amnesty International found that Qatar's mandatory EHTERAZ app exposed the names, national identity numbers, health status and location of more than one million users. Because national IDs followed a predictable format and no authentication was required, an attacker could have harvested everyone's records.
17. Twenty-six million LiveJournal credentials surface online
A database of around twenty-six million LiveJournal accounts began circulating on hacking forums, with passwords converted from hashes into plain text. The credentials were already fuelling brute-force attacks against the Dreamwidth blogging platform.
18. EFF warns the House that the Section 215 surveillance bill needs reform
As the House prepared to vote again on reauthorising Section 215 of the Patriot Act, the Electronic Frontier Foundation argued the bill still fell short. It pressed for clear protections against using the power to collect browsing and search histories without a warrant.
19. Maths app Mathway leaks twenty-five million user records
The popular Mathway app confirmed a breach that exposed more than twenty-five million user records, which were put up for sale on the dark web. The stolen data consisted of email addresses and hashed passwords taken from the company's back-end database.
20. ACLU sues Clearview AI over its faceprint database
The ACLU and partner groups sued Clearview AI in Illinois, accusing the firm of breaking the state's biometric privacy law. The complaint alleged that Clearview had scraped more than three billion faceprints from the web without consent and sold access to them.