Tag Archive for Data breach

Massive Data Leak Exposes 10 Billion Unencrypted Passwords

On July 4, 2024, a record-setting data leak occurred. “Cybernews” reports that nearly 10 billion unique passwords were posted to the dark web. The staggering 9,948,575,739 unique passwords are a mix of old and new data breaches. Listed in a hacker forum as rockyou2024.txt, these passwords were in plaintext. ‘Plaintext’ means that these passwords are not encrypted – they are the actual passwords, released in a text file.

According to the hacker, the new release is based on RockYou2021’s 8.4 billion records from 2021. Specifically, the hacker updated the older file with 1.5 billion passwords obtained between 2021 and 2024. “Cybernews” explains that the RockYou2021 compilation was itself an expansion of a 2009 leak that included tens of millions of user passwords for social media accounts.

The hacker posted: “I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years.” Estimates suggest that the RockYou2024 file contains entries from 4,000 large databases of stolen credentials, spanning at least 20 years.

Data leak can target any system

Importantly, this data leak can be used against any system. The author believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.

“Cybernews” describes the RockYou2024 data leak file as “a mix of old and new data breaches,” indicating it may not be a new breach of 10 billion passwords. Nonetheless, compiling all these passwords into one massive, searchable database, they warn, “substantially heightens the risk of credential stuffing attacks.”

Data breach enables attacks

Credential stuffing occurs when hackers use automated scripts to try various combinations of stolen usernames and passwords from different data breaches to hijack people’s accounts. For instance, someone might use a password obtained from the AT&T breach to see if you use the same password for your bank account.
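The defender's view of the technique just described, as an added example that is not part of the original post: credential stuffing leaves a distinctive trace in authentication logs, namely one source address trying many different accounts in a short window, mostly failing. The log format, the sample lines and the thresholds below are constructed assumptions.

```python
"""Flag credential-stuffing sources in authentication logs (added example,
not from the original post; the log format "timestamp ip user result" and
the thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source address cycles through many accounts with
# stolen credentials (one still works); an ordinary user mistypes twice.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z 203.0.113.7 alice FAIL
2024-07-05T10:00:02Z 203.0.113.7 bob FAIL
2024-07-05T10:00:03Z 203.0.113.7 carol FAIL
2024-07-05T10:00:04Z 203.0.113.7 dave OK
2024-07-05T10:00:05Z 203.0.113.7 erin FAIL
2024-07-05T10:00:06Z 203.0.113.7 frank FAIL
2024-07-05T10:01:00Z 198.51.100.4 grace FAIL
2024-07-05T10:01:20Z 198.51.100.4 grace FAIL
2024-07-05T10:01:40Z 198.51.100.4 grace OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: {"users", "failures", "successes"}} for sources that tried
    at least min_distinct_users accounts inside one window and mostly failed.
    Many accounts from one source is the stuffing signature; one account
    failing repeatedly is a forgetful user, not a bot."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            n_users = len({u for _, u, _ in span})
            if best is None or n_users > best[0]:
                successes = sum(1 for _, _, r in span if r == "OK")
                best = (n_users, len(span) - successes, successes)
        n_users, failures, successes = best
        if (n_users >= min_distinct_users
                and successes <= max_success_ratio * (failures + successes)):
            flagged[ip] = {"users": n_users, "failures": failures,
                           "successes": successes}
    return flagged

if __name__ == "__main__":
    for ip, s in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['users']} accounts, {s['failures']} failures, {s['successes']} successes")
```

The one successful login from the flagged address is the reason the check counts successes rather than ignoring them: a stuffing run that lands a hit is the event worth paging on.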

To check if your passwords are compromised, visit these websites:

rb-

The RockYou2024 data leak list is new, so at the time of this writing, it’s unclear if any private data has been compromised as a direct result of this compilation. Anyone using online services should assume their passwords could be on this list.
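One way to test a password against such a list without handing the password to anyone, as an added example that is not part of the original post: the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally, the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords API. The leaked list here is a constructed stand-in, not the real rockyou2024.txt.

```python
"""Check a password against a leaked-password list without revealing it
(added example, not from the original post). The leaked list is constructed;
the range-query scheme is the k-anonymity approach used by Have I Been
Pwned's Pwned Passwords API: the client sends only the first five hex
characters of the SHA-1 hash and matches the returned suffixes locally."""
import hashlib

# Constructed stand-in for a compilation such as rockyou2024.txt; "123456"
# appears twice, as a password seen in more than one breach would.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "123456", "letmein"]

HEX = set("0123456789ABCDEF")

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# --- server side: index the leak by 5-character hash prefix ---------------
def build_range_index(passwords):
    """Map prefix -> {35-character suffix: occurrence count}."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index

def range_query(index, prefix):
    """What the server returns for a prefix: 'SUFFIX:COUNT' lines. The server
    learns only the prefix, which is shared by many unrelated passwords."""
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be 5 uppercase hex characters")
    return [f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items())]

# --- client side ---------------------------------------------------------
def pwned_count(password, index):
    """Return how often the password appears in the leak (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_query(index, prefix):  # only the prefix leaves the client
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for pw in ["123456", "correct horse battery staple"]:
        n = pwned_count(pw, idx)
        print(f"{pw!r}: {'found' if n else 'not found'} ({n} occurrences)")
```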

In the meantime, don’t freak out about RockYou2024. Experts recommend:

  1. Continue your activities while adhering to password best practices, such as regularly changing passwords.
  2. Set up a password manager.
  3. Enable MFA wherever possible.


Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught his attention since 2005. You can follow him on Facebook. Email the Bach Seat here.

Are You at Fault for the 23andMe Data Breach

Updated 10/28/2023 – The data breach at 23andMe must be really bad. The data breach has drawn the attention (PDF) of a business-loving GOP Senator.

A data breach has affected customers of the genomics firm 23andMe (ME). 23andMe is a U.S. biotechnology firm that offers genetic testing services to customers. Customers send a saliva sample to its labs and get back an ancestry and genetic predispositions report. The exposed information from this data breach includes full names, usernames, profile photos, sex, date of birth, genetic ancestry results, and geographical location.

Reports indicate that a hacker first posted the data breach on August 11, 2023. The hacker posted on the Hydra cybercrime forum. The hacker claimed to possess 300 terabytes of stolen 23andMe user data. The data re-emerged on October 2, 2023, when a hacker using the username “Golem” posted the records on the cybercrime forum BreachForums. The hacker openly made an anti-Semitic threat, boasting that it was a targeted attack on Ashkenazi Jews. The hacker claimed the data breach records contained “information on all wealthy families serving Zionism … You can see the wealthiest people living in the US and Western Europe on this list.”

The data breach expands

On October 16, Golem claimed the data contained “samples from hundreds of families, including the royal family, Rothschilds, Rockefellers, and more.” The reference to the Rothschilds, a subject of antisemitic conspiracy theories, echoes Golem’s previous publication of 23andMe records allegedly focused on people of Ashkenazi Jewish descent.

23andMe spokesperson Andy Kill told TechCrunch in an emailed statement that the company was made aware of this new leak and that it is “reviewing the data to determine if it is legitimate.”

23andMe blames customers for data breach

On October 6, 23andMe announced that hackers behind the data breach had obtained some user data. They claimed that to amass the stolen data the hackers used credential stuffing. Credential stuffing is a common technique where hackers try combinations of usernames or emails and corresponding passwords that are already public from other data breaches.

In response to the data breach, 23andMe urged their users to change their passwords and enable multi-factor authentication. On its official page addressing the data breach, 23andMe blamed the incident on customers reusing passwords and on its DNA Relatives feature. DNA Relatives is an opt-in feature the firm offers. It allows users to see the data of other opted-in users whose genetic data matches theirs. If a user had this feature turned on, it could allow hackers to scrape data on more than one user by breaking into a single user’s account.

Splitting hairs

23andMe stated it didn’t find any evidence of a “data security incident” because the information hackers gathered was available to opted-in users. But putting the burden on consumers to protect their own sensitive data with strong passwords and careful management is wrongheaded, said Suzanne Bernstein of the Electronic Privacy Information Center, who told the Washington Post: “If 23andMe is collecting, storing and processing a tremendous amount of very highly sensitive personal data, I think at the end of the day they should take responsibility for that.”

Data breach victims not protected

The type of information genetic testing companies like 23andMe collect is currently not protected by the Health Insurance Portability and Accountability Act (HIPAA). 23andMe still allows for third-party data sharing in its privacy policy.

How to Protect Your Data from Breaches

Now that your genetic data is probably in the wild for anyone to abuse, you should do the following:

  1. Choose unique, impossible-to-guess passwords.
    23andMe users should immediately change their passwords. The new password should be complex and never have been used on other sites. A better response would be to use a password manager.
  2. Next turn on two-factor authentication.
  3. Request to delete your data.
    A 23andMe customer can request to delete their information from the site. If you live in a state with a comprehensive privacy law, the company is required to do so.
  4. A 23andMe customer can request their information be deleted from the site. But during the account deletion process, 23andMe tells users that the company and its partner lab will hang onto your “genetic information, date of birth and sex,” after your account is deleted, per state and federal legal requirements, according to the Washington Post.

    This means that even after 23andMe deletes your account, it still retains potentially sensitive genetic information. Researchers have shown that so-called anonymous genetic data can in some cases be re-identified.

  5. Don’t share genetic information
    Sharing your genetics with a DNA database increases your risk of botched criminal procedure, discrimination from insurance companies and employers, and targeted attacks such as blackmail, privacy experts say.

rb-

Now that your entire family’s DNA is out there, there is no getting it back.


U of M Data Breach: Is Your Information Safe

Updated 10/27/2023 – This data breach compromised 230,000 individuals according to the Detroit News.

If you attended the University of Michigan, your personal information is at risk. The media was full of stories about the U-M networks being shut down at the beginning of the semester. Now we know at least one reason why. The U-M had to shut down its networks because the U.S. educational nonprofit National Student Clearinghouse (NSC) disclosed a data breach affecting UMich. The breach also impacted 890 other institutions using NSC services across the United States. Here is the complete list.

NSC said that attackers gained access to its MOVEit managed file transfer (MFT) server on May 30 and stole files containing a wide range of personal information. NSC reported the breach to the Office of the California Attorney General:

“On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution.”

What personally identifiable information was stolen

According to Bleeping Computer, the personally identifiable information (PII) stolen includes names, dates of birth, and contact information. Also compromised were Social Security numbers and student ID numbers. Finally, they report that some school-related records (e.g., enrollment records, degree records, and course-level data) were also stolen.

What is the National Student Clearinghouse

The National Student Clearinghouse provides educational reporting, data exchange, verification, and research services. They provide services to roughly 22,000 high schools and around 3,600 colleges and universities. The organization says its participants enroll roughly 97% of students in public and private institutions.

Who is behind the MOVEit data breach

The Clop ransomware gang is responsible for the extensive data-theft attacks that started on May 27. The attackers leveraged a zero-day security flaw in the MOVEit Transfer secure file transfer platform.

Starting June 15, the cyber criminals began extorting organizations that fell victim to the attacks, exposing their names on the group’s dark web data leak site. The cybercrime gang is expected to collect an estimated $75-100 million in payments due to the high ransom requests.

Reports have also revealed that multiple U.S. federal agencies and two U.S. Department of Energy (DOE) entities have fallen prey to these MOVEit-related data theft and extortion attacks.


KOSA: A Bad Idea for Online Safety

The Kids Online Safety Act, known as KOSA, is another half-assed publicity grab. The politicians fail to address the root cause of the problem – data collection. We can all agree that social media is bad for kids. There is enough proof from multiple studies and former social media company employees. Therefore, KOSA is not the answer. It will infringe on the rights and interests of all internet users.

Kids Online Safety Act

To begin with, the Kids Online Safety Act, known as KOSA, introduced by Senators Richard Blumenthal (D) and Marsha Blackburn (R), would establish a two-tier Internet in the U.S. The bill requires that sites that are ‘likely to be accessed by kids’ act in the “best interest of users who are 16 or younger.” That means that all platforms would be responsible for mitigating the risk of physical or emotional harm to young users. This includes “the promotion of self-harm or suicide, encouragement of addictive behavior, enabling of online bullying or predatory marketing.” Sounds nice; however, KOSA is not the solution we need. Here are some of the reasons to oppose KOSA:

Kids Online Safety Act safety

The KOSA requirements would mandate that platforms have parental controls. These government-mandated controls could be harmful to kids in abusive situations. According to Fight for the Future, a coalition of over 50 civil society groups, “KOSA risks subjecting teens who are experiencing domestic violence and parental abuse to additional forms of digital surveillance and control that could prevent these vulnerable youth from reaching out for help or support.”

Additionally, the KOSA requirements would endanger VPNs (one of the government’s favorite boogey-techs). The group wrote: “… by creating strong incentives to filter and enable parental control over the content minors can access, KOSA could also jeopardize young people’s access to end-to-end encrypted technologies, which they depend on to access resources related to mental health and to keep their data safe from bad actors.”

KOSA is government censorship

KOSA would give the President control over what people see online. The government would create a “Kids Online Safety Council” that would advise the government on implementing and enforcing KOSA. As a result, the legislation’s requirement to restrict minors’ access to topics such as sex education, LGBTQ issues, and mental health could force platforms to self-censor just to avoid the hassle and costs.

Furthermore, Fight for the Future writes that censorship would be politically driven. “Online services would face substantial pressure to over-moderate, including from state Attorneys General seeking to make political points… KOSA would cut off another vital avenue of access to information for vulnerable youth.”

KOSA encourages more data collection

According to Fight for the Future, the bill would incentivize sites to collect even more information about children to verify their ages and place further restrictions on minors’ accounts. They explain,

“Age verification may require users to provide platforms with personally identifiable information such as date of birth and government-issued identification documents, which can threaten users’ privacy, including through the risk of data breaches, and chill their willingness to access sensitive information online because they cannot do so anonymously.”

Therefore, they conclude, “Rather than age-gating privacy settings and safety tools to apply only to minors, Congress should focus on ensuring that all users, regardless of age, benefit from strong privacy protections by passing comprehensive privacy legislation.”

Kids Online Safety Act unintended consequences

KOSA would also create unintended consequences. The unintended consequences include driving children to use less secure or more harmful platforms. The Kids Online Safety Act would make kids more vulnerable to online predators who could exploit their age verification information. It would also undermine the trust and communication between children and parents, as well as between platforms and users.

rb-

There are valid concerns about the impact of social media on us all. But the Kids Online Safety Act misses the point. Congress should be targeting data collection. Nearly all social media platforms and online businesses collect personal data from their users. The EFF points out that all social media firms harvest and monetize our personal data and incentivize other online businesses to do the same. The result is that detailed information about us is widely available to purchasers, thieves, and government subpoenas.

Consider location data brokers, for example. Our apps collect detailed records of our online activities without our knowledge or genuine consent. The app developers sell it to data brokers, who will in turn sell it to anyone who will pay for it. An election denier bought it to try to prove voting fraud. One broker sold data on who had visited reproductive health facilities.

If a bad actor or the government wanted to buy this data, it could probably find a way to do so. Collecting more data will not stop the bad actors from acquiring PII.

The better approach is to limit how all businesses collect personal data. This would disincentivize data collection and reduce the supply of data for bad actors.

Everybody should be allowed to make informed choices based on their own values and preferences.


What You Need to Know About MailChimp Security

Just in time for Data Privacy Day, Mailchimp, one of the largest email service providers worldwide with 13 million active customers, suffered a security breach. On January 11, 2023, the Mailchimp security team reported that an unauthorized actor downloaded the data of 133 customers of the Mailchimp service.

Mailchimp data leak

The Mailchimp security team identified that an unauthorized actor had accessed tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to Mailchimp accounts using employee credentials compromised in that attack.

Impacted organizations include WooCommerce, online gambling site FanDuel, Crypto darlings Yuga Labs and the Solana Foundation.

Mailchimp says they temporarily suspended account access for Mailchimp accounts where they detected suspicious activity to protect their users’ data. They notified the primary contacts for all affected accounts on January 12. Mailchimp has been working with their customers to help them reinstate their accounts.

Recent data breaches

MailChimp has announced several data breaches in recent months. In August 2022, a cyberattack targeted its cryptocurrency-related customers. Mailchimp also revealed a security incident in March 2022.

Speculation is swirling online about the security of parent company Intuit’s other product lines (which include TurboTax, Credit Karma and QuickBooks). TurboTax suffered its own security breach in 2021. Questions are also being raised about a possible central backdoor into Intuit, which the company denies.

If you have questions regarding a notice you received or the incident in general, you can email ciso@mailchimp.com. The company has not announced the appointment of a new CISO since Siobhan Smyth left the position in August 2022, shortly after the August 2022 incident was announced.

rb-

Information exposed in data breaches like this is commonly used by attackers to target users with phishing attacks or to attempt password resets to gain account authorization. This is why multi-factor authentication (MFA) can help. Even if a bogus password reset succeeds, MFA can prevent the attacker from going further.
