A somewhat obvious rule of internet security to add to the first three:
- Against a sophisticated attacker, nothing connected to the internet is secure.
- Everything is internet now.
- You should probably worry more about being attacked online by your own government than by any other organization.
- Sensitive data about you is largely on the computers of other people who care little about your security.
Equifax is getting lots of attention right now, but consider also Deloitte, Adobe, Stratfor, Blizzard, LinkedIn, Dropbox, Ashley Madison, last.fm, Snapchat, Adult Friend Finder, Patreon, Forbes, Yahoo, and countless others.
As Bruce Schneier points out, the only plausible path to reduce such breaches is for governments to make them far more painful and costly for corporations.
Connections like these seem inexplicable if you assume Facebook only knows what you’ve told it about yourself. They’re less mysterious if you know about the other file Facebook keeps on you—one that you can’t see or control.
Behind the Facebook profile you’ve built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you’ve never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections.
…
Having issued this warning, and having acknowledged that people in your address book may not necessarily want to be connected to you, Facebook will then do exactly what it warned you not to do. If you agree to share your contacts, every piece of contact data you possess will go to Facebook, and the network will then use it to try to search for connections between everyone you know, no matter how slightly—and you won’t see it happen.
…
That accumulation of contact data from hundreds of people means that Facebook probably knows every address you’ve ever lived at, every email address you’ve ever used, every landline and cell phone number you’ve ever been associated with, all of your nicknames, any social network profiles associated with you, all your former instant message accounts, and anything else someone might have added about you to their phone book.
— Facebook Shadow Profiles: What You Need to Know
Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company.
The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others.
The map, released in November 2017, shows every single activity ever uploaded to Strava – more than 3 trillion individual GPS data points, according to the company. The app can be used on various devices including smartphones and fitness trackers like Fitbit to see popular running routes in major cities, or spot individuals in more remote areas who have unusual exercise patterns.
However, over the weekend military analysts noticed that the map is also detailed enough that it potentially gives away extremely sensitive information about a subset of Strava users: military personnel on active service.
Email Addresses and Passwords Leaked For 113,000 Users Of Account Hijacking Forum
Evernote Gave Dark Web Dealer’s Notes to the DEA
As part of a dark web investigation, Evernote handed over a suspect’s notes stored on the company’s servers.
LifeLabs users wise to worry about fraud, ID theft after mass data breach say experts
‘Identity theft will invariably arise,’ says former Ontario privacy commissioner
Ring Fired Employees for Watching Customer Videos
“We are aware of incidents discussed below where employees violated our policies,” a letter from Ring obtained by Motherboard reads.
Personal information belonging to 144,000 Canadians breached by federal departments and agencies | CBC News
CRA shuts down online services after thousands of accounts breached in cyberattacks | CBC News
https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163
3 TB of Private Webcam/Home Security Video Leaked on Porn Sites – Slashdot
https://yro.slashdot.org/story/20/10/18/1850229/3-tb-of-private-webcamhome-security-video-leaked-on-porn-sites
How smart devices are exploited for domestic abuse – BBC News
https://www.bbc.com/news/technology-54554408
‘Shocking’ hack of psychotherapy records in Finland affects thousands
Distressed patients flood support services after hack of private firm Vastaamo
No way for average user to know which websites contain software flaw: Experts
https://www.thestar.com/business/2021/12/13/no-way-for-average-user-to-know-which-websites-contain-software-flaw-experts.html
The call and text message records of tens of millions of AT&T cellphone customers and many non-AT&T customers in mid-to-late 2022 were exposed in a massive data breach, the telecom company revealed Friday.
AT&T said the hacked data did not include the content of calls and text messages. At this point, the exposed data is not believed to be publicly available.
The company blamed an “illegal download” on a third-party cloud platform that it learned about in April – just as the company was grappling with an unrelated major data leak.
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022. The stolen logs also contain a record of every number AT&T customers called or texted – including customers of other wireless networks – the number of times they interacted and the call duration.
The records of a “very small number” of customers on January 2, 2023 were also implicated, AT&T said. The content of the calls and texts was not exposed, according to the company.
AT&T listed approximately 110 million wireless subscribers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.
The breach also included AT&T landline customers who interacted with those cell numbers.
AT&T said customer names were not exposed in this incident; however, the company acknowledged that publicly available tools can often link names with specific phone numbers.
https://www.cnn.com/2024/07/12/business/att-customers-massive-breach/index.html
Since Redbox went bankrupt, many have wondered what will happen to those red kiosks and DVDs. Another question worth examining is: What will happen to all the data stored inside the Redboxes?
Redbox parent company Chicken Soup for the Soul filed for Chapter 7 bankruptcy in June and is in the process of liquidating its assets. Meanwhile, stores with Redboxes are eager to remove the obsolete hardware. And tinkerers have reported getting their hands on Redbox kiosks and doing all sorts of things with them, including running Doom.
But Redboxes falling into technologists’ hands can seemingly also result in the uncovering of customer data from kiosks’ hard drives. As spotted by Lowpass today, programmer and expert reverse engineer Foone Turing reported via Mastodon that she was able to retrieve records for 2,471 transactions from the disk image of a Redbox hard drive. Turing told Ars Technica that she got the image from a Discord channel:
[The Redbox] logged lots of information, including debugging information from the transaction terminal, and they left old records on the device. This probably saved them some time on QAing software bugs, but it exposed all their users to data being leaked.
Data went back “to at least 2015,” Turing said on Mastodon. She told Lowpass the data included “records for when stuff is rented,” including customers’ email addresses and zip codes, as well as names of rented discs and when they were rented. Turing was also able to retrieve some numbers of customer credit cards.
https://arstechnica.com/gadgets/2024/10/redbox-hard-drive-hacked-to-reveal-customer-information-from-2471-rentals/