Privacy Roundup #0174 • January 2021
January 2021 was dominated by the WhatsApp policy revolt, a wave of fresh data breaches, and the SolarWinds intruders spreading deeper into security firms.
1. WhatsApp delays its privacy policy update after backlash
WhatsApp postponed a planned policy change after users misread it as fresh data sharing with Facebook. The company pushed the deadline from February to May and promised to explain the terms more clearly.
2. Signal and Telegram see a surge of new users
The WhatsApp confusion sent millions of people to rival messengers in search of stronger privacy. Signal and Telegram both reported enormous download spikes, with Signal climbing from under a million installs a year earlier to tens of millions.
3. Scraped Parler data is a metadata gold mine
An archivist scraped millions of posts, videos and images from Parler before the platform went offline. Because the site failed to strip metadata, the trove preserved precise location data tied to the accounts that posted it.
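The Parler item turns on one avoidable mistake: uploaded images kept their Exif GPS tags. As an added example (not code from the original post or from any project mentioned in it), the Python below walks a JPEG's segment list, reads the latitude and longitude out of the Exif GPS sub-IFD, and strips the APP1..APP15 and COM segments an upload pipeline should drop before publishing. The JPEG bytes are constructed inline (a minimal skeleton with an Exif block, not a decodable photo) and the coordinates in it are made up.

```python
import struct

SOI = b"\xff\xd8"
APP1 = 0xE1
GPS_IFD_TAG = 0x8825  # IFD0 entry pointing at the GPS sub-IFD


def split_segments(data):
    """Split a JPEG into (marker, raw_segment) pairs. Everything from SOS
    onward (scan data plus EOI) is one trailing chunk: no metadata follows it."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS
            segments.append((marker, data[pos:]))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segments.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    return segments


def read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one TIFF IFD."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _rationals(tiff, field, n, endian):
    # RATIONAL values never fit the 4-byte field, so it holds an offset
    off = struct.unpack(endian + "I", field)[0]
    vals = []
    for i in range(n):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den)
    return vals


def _to_degrees(dms, ref):
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in (b"S", b"W") else deg


def exif_gps(data):
    """Return (lat, lon) in decimal degrees if an Exif GPS fix is present, else None."""
    for marker, raw in split_segments(data):
        if marker != APP1 or raw[4:10] != b"Exif\x00\x00":
            continue
        tiff = raw[10:]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])[0], endian)
        if not all(t in gps for t in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
            return None
        lat = _to_degrees(_rationals(tiff, gps[2][2], gps[2][1], endian), gps[1][2][:1])
        lon = _to_degrees(_rationals(tiff, gps[4][2], gps[4][1], endian), gps[3][2][:1])
        return lat, lon
    return None


def strip_metadata(data):
    """Drop APP1..APP15 (Exif, XMP, IPTC) and COM segments; keep JFIF and image data."""
    out = [SOI]
    for marker, raw in split_segments(data):
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue
        out.append(raw)
    return b"".join(out)


def build_sample_jpeg():
    """Constructed test input: SOI, one Exif APP1 with a GPS IFD at 51.5N 0.1W, stub SOS, EOI."""
    e = ">"

    def entry(tag, typ, n, field):
        return struct.pack(e + "HHI", tag, typ, n) + field

    ifd0 = struct.pack(e + "H", 1) + entry(GPS_IFD_TAG, 4, 1, struct.pack(e + "I", 26)) + b"\0\0\0\0"
    gps = (struct.pack(e + "H", 4)
           + entry(1, 2, 2, b"N\x00\x00\x00")            # GPSLatitudeRef (inline ASCII)
           + entry(2, 5, 3, struct.pack(e + "I", 80))    # GPSLatitude -> 3 rationals at 80
           + entry(3, 2, 2, b"W\x00\x00\x00")            # GPSLongitudeRef
           + entry(4, 5, 3, struct.pack(e + "I", 104))   # GPSLongitude -> 3 rationals at 104
           + b"\0\0\0\0")
    lat = struct.pack(e + "IIIIII", 51, 1, 30, 1, 0, 1)  # 51 deg 30' 0"
    lon = struct.pack(e + "IIIIII", 0, 1, 6, 1, 0, 1)    # 0 deg 6' 0"
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", 8) + ifd0 + gps + lat + lon
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xda\x00\x02" + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("before:", exif_gps(img))                 # (51.5, -0.1)
    print("after: ", exif_gps(strip_metadata(img)))  # None
```

Run it on a real upload and exif_gps tells you whether the file would leak a location; strip_metadata is what a publishing path should apply to every image before it is stored or served. The same segment walk also catches XMP and IPTC blocks, which can carry the same coordinates in text form.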
4. EFF warns against face surveillance after the Capitol attack
The Electronic Frontier Foundation argued that using facial recognition to identify Capitol rioters would normalise a dangerous tool. It noted that most of the population is already exposed to image surveillance through driving licence databases.
5. FTC orders Everalbum to delete facial recognition algorithms
In its first facial recognition enforcement action, the FTC settled with photo app maker Everalbum over deceptive use of the technology. The company was ordered to delete not only the wrongly collected face data but also the algorithms trained on it.
6. Norway moves to fine Grindr over consent failures
The Norwegian Data Protection Authority announced its intention to fine Grindr around ten million euros. It found the app shared user data, including location and the fact of being a Grindr user, with advertisers without valid consent.
7. Mimecast breach linked to the SolarWinds attackers
Email security firm Mimecast confirmed that the compromise of one of its certificates was the work of the SolarWinds intruders. The same group had used a backdoored update to burrow into government and corporate networks.
8. Malwarebytes says SolarWinds hackers read its internal emails
Malwarebytes disclosed that the same state-backed group accessed a subset of its internal company emails. The firm did not use SolarWinds software, so the attackers reached it through abused Microsoft cloud privileges instead.
9. Ubiquiti warns customers their data may have been accessed
Networking vendor Ubiquiti told customers that an intruder may have reached personal data held on its cloud systems. It urged people to change passwords and enable two-factor authentication as a precaution.
10. MeetMindful dating site data dumped online
Records on roughly 2.28 million users of the dating service MeetMindful were posted to a hacking forum. The leak included real names, email addresses, location data and Facebook authentication tokens.
11. Pixlr user records published by ShinyHunters
Around 1.9 million user records from the photo editing site Pixlr were leaked for free on a hacking forum. The data was reportedly taken from an unsecured cloud storage bucket linked to a sister site.
12. Bonobos clothing store database leaked after cloud breach
A 70GB database belonging to retailer Bonobos appeared on a hacking forum after a backup hosted by a third party was stolen. The data covered up to seven million customers and included hashed passwords and partial card numbers.
13. Nissan source code leaks through a misconfigured Git server
Nissan North America left an internal Git server exposed online with the default credentials admin and admin. Source code for mobile apps and internal tools spread across Telegram and hacking forums before the server was pulled offline.
14. Data on 220 million Brazilians found for sale
Researchers uncovered a database holding sensitive details on more than 220 million people, a figure larger than Brazil's population. The records included tax identifiers, addresses, salaries, credit scores and facial images, and even covered deceased individuals.
15. Hamburg regulator deems Clearview AI illegal in the EU
The Hamburg data protection authority found that Clearview AI's biometric face database breached European law. It ordered deletion of one complainant's biometric profile, although campaigners criticised the narrow scope of the decision.
→ noyb.eu
16. Florida Healthy Kids website breach exposes applicant data
A health insurance body for Florida children disclosed that the firm hosting its website had left the platform vulnerable since 2013. The exposed records covered hundreds of thousands of applicants and enrollees and may have included Social Security numbers, dates of birth and financial information.
17. High Court rules general warrants for government hacking unlawful
The High Court of England held that British spy agencies could not rely on broad general warrants to authorise hacking of unspecified groups of people and computers. Judges drew on centuries of common law against general warrants and ruled that interference with property requires clear and specific legal authorisation.
18. Amnesty launches Ban the Scan against facial recognition
Amnesty International launched a global campaign called Ban the Scan to prohibit the use of facial recognition for mass surveillance, starting in New York City. It argued that the technology amplifies racist policing and threatens the rights to privacy, peaceful assembly and free expression.
19. Court orders Vallejo to follow surveillance accountability law
A California judge ruled that the city of Vallejo had violated state law by acquiring cell site simulator technology without first adopting a public surveillance policy. After the ruling, Vallejo held public hearings and revised its policy to bar tracking of protected speech and the sharing of data with immigration authorities.
20. OpenWRT forum user data stolen in weekend breach
An attacker gained administrative access to the OpenWRT forum and downloaded a copy of the user list. Email addresses and forum handles were exposed, prompting administrators to reset every password and warn users to expect targeted phishing attempts.