
BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked

BriansClub, an infamous underground website that sells stolen credit and debit cards, has been hacked, and over 26 million credit and debit card dumps have been leaked. Over a period of ...

The post BriansClub Hacked Over 26 Million Credit and Debit Cards Leaked appeared first on HackingVision.

Leafly Cannabis information platform suffered a data leak

Leafly, a cannabis information platform, suffered a data leak that exposed the personal information of some of its customers.

Leafly, the world’s leading cannabis resource, informed its customers via email that it has suffered a data leak. On September 30, the company discovered that customer

The company discovered on September 30 that a secondary database was exposing customer information from July 2, 2016.

Exposed records include users’ email addresses, usernames and encrypted passwords; fortunately, no financial data was collected by the company.

For some users, the database also leaked names, ages, gender, location, and mobile numbers.

“On September 30, we learned that a set of Leafly user records dated July 2, 2016 held in a secondary Leafly database was disclosed without permission. Your email address was in that file. Leafly does not collect credit card information or national identification numbers,” reads the notification email sent to the impacted customers.

Leafly Cannabis Website

The company hired a forensic security firm to help its staff with the investigation. It recommends that users reset their password and use a unique password for each online service.

“However, it is a good idea to ensure that you use a unique password on Leafly and other services you use. If you share passwords across services and haven’t updated them recently, and you haven’t reset your Leafly password, we recommend you do so now,” continues the notification mail.

“Please accept our sincere apology for any concern this has caused. If you have any questions, please reach out to our customer support team at,” states Leafly.

At this time, the number of impacted users is not clear.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Leafly Cannabis information platform suffered a data leak appeared first on Security Affairs.

This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft

A routine data project revealed that the personally identifying information of the entire nation of Ecuador might be online for all to see–just like, potentially, your data.

The information included records belonging to deceased citizens and more than 7 million minors. It was discovered by researchers from the security firm vpnMentor while conducting “a wide-scale Web mapping project.”

According to vpnMentor’s report, the ongoing project made the discovery possible by scanning ports “to find known IP blocks.” It then searches for “vulnerabilities in the system that would indicate an open database.” When a compromise is discovered, the company then traces the data back to its source and delivers the bad news.

While the full extent of the damage done here is not clear, it sure sounds like a potentially Titanic-meets-iceberg level event.

What We (and the Bad Guys May) Know

The extremely granular personal information of more than 20 million people was exposed. Ecuador’s population is 16.5 million, which means nearly 4 million of the individuals affected may be deceased.

The data included personal and corporate tax ID numbers and bank account information–including current balance in the account, amounts financed, credit types, and the location of a bank branch used by an individual. The same information about family members was also available, as well as how people in the data set were related to each other.

All the essential information needed for account authentication and/or takeover was there, too. A short list of the available data included full name (first, middle, last); gender; date and place of birth; home and work addresses; email addresses; home, work, and cell phone numbers; marital status; date of marriage (where applicable); date of death (where applicable); and the highest level of education achieved.

Even WikiLeaks founder Julian Assange, Ecuador’s most famous asylum seeker, was in there.

Describing itself as an organization of ethical hackers, vpnMentor said in its statement about the discovery that it never sells, stores, or exposes compromised information, but rather uses the existence of a compromise or leak as a teachable moment.

Teachable Moments Are Expensive

Sponsored by IBM Security and independently conducted by the Ponemon Institute, the 13th-annual Cost of Data Breach Study found that the average per-record cost of a breach was $148 last year. That would put the cost of this compromise at nearly $3 billion.

So, what can we learn from this data debacle? The compromise was caused by–wait for it–a third-party vendor. According to CNN, the breach was found on an unsecured server in Miami, which appeared to be owned by an Ecuadorian consulting and analytics company called Novaestrat. While it remains unclear how Novaestrat gained access to the government database, it is presumed that someone currently, or formerly, in the Ecuadorian government handed over the data–no matter the reason–and in the process potentially exposed it to criminals around the world.

The first takeaway should be that you are only as secure as your least secure vendor and/or collaborator. In the realm of cyber-liability, that and three bucks will get you a cup of coffee to sip while you wait for the submarine to the unemployment line at the bottom of Loon Lake.

This sort of mistake keeps happening because people continue to doubt the persistent and pervasive threats we face in the business community and beyond.

It matters because the information exposed in this incident was sufficient for a competent identity thief to commit every imaginable identity-related crime. There’s gold and endless liability in them thar hills of data.

What You Can Do

Practice the 3Ms.

Minimize your exposure: Vet your vendors! Foster a culture where everyone from the mailroom to the boardroom is invested in privacy and data security. Train your employees from their first day and have an ongoing discussion about best security practices. Create a map of information access, and make sure your most sensitive data is only available to those who need to have access and practice proper cybersecurity protocols to keep the data safe. Have a sensible BYOD (Bring Your Own Device) policy, and remind employees about the importance of installing updates on connected devices. Hire a chief information security officer–never leave your security solely to the IT department.

Monitor your networks and your assets: Make sure regular assessments are conducted on the security of all your data assets–and don’t wait for a call from a “white hat” hacker.

Manage the damage: How an organization responds to a breach or compromise is a defining moment. It is crucial that you act urgently, transparently, and empathetically. In order to avoid an extinction-level event, have a robust incident response plan. Have a media plan, and consider putting a crisis management firm on retainer. Game various scenarios and have a team in place to help your clients, as well as both in-house and third-party experts who understand the timing and notification requirements in each state for various regulators, law enforcement officials, insurance companies, employees, and customers. Can your company really afford to roll the dice on cybersecurity?

The post This Common Mistake You May Be Making Right Now Exposed an Entire Nation to Identity Theft appeared first on Adam Levin.

Security and compliance gaps of ineffective employee onboarding and offboarding

There are significant gaps in the compliant management of employee resources throughout the employment lifecycle. Just 15% of employees have all the resources they require to be productive on day one; further, more than half (52%) of IT professionals know someone who still has access to a former employer’s applications and data, according to Ivanti. When it comes to employee onboarding, 38% of IT professionals report it takes between two and four days to get …

The post Security and compliance gaps of ineffective employee onboarding and offboarding appeared first on Help Net Security.

Experts found 20 Million tax records for Russian citizens exposed online

Experts discovered an unprotected Elasticsearch cluster containing personally identifiable and tax information of Russian citizens exposed online.

Security experts from Comparitech along with security researcher Bob Diachenko discovered 20 million tax records belonging to Russian citizens exposed online in clear text and without protection.

The experts found an unprotected Elasticsearch cluster containing personally identifiable information on Russian citizens spanning from 2009 to 2016.

“A database of more than 20 million Russian tax records was found on an unsecured server, accessible to anyone with a web browser.” reads the post published by Comparitech.

“Comparitech partnered with security researcher Bob Diachenko to investigate the data exposure, which included sensitive personal and tax information. The database was taken offline after Diachenko notified the owner, who is based in Ukraine.”

Russian citizens

The Elasticsearch database was first indexed by search engines in May 2018, Diachenko discovered it on September 17, 2019, and on September 20, 2019 it was secured.

It is not possible to determine whether anyone else accessed the exposed data before it was discovered by Diachenko. The experts also revealed that the owner is based in Ukraine, but did not reveal its identity.

The cluster included multiple databases, two of them contained tax and personally identifiable information about Russian citizens, prevalently from Moscow and the surrounding area.

“The first database contained more than 14 million personal and tax records from 2010 to 2016, and the second included over 6 million from 2009 to 2015.” the experts continue.

Exposed records included the following information:

  • Full name
  • Address
  • Residency status
  • Passport number
  • Phone number
  • Tax ID number
  • Employer name and phone number
  • Tax amount

The exposed data could be used by threat actors to carry out tax scams and fraud.

“Affected individuals could be at risk of identity theft and should monitor their accounts closely. Tax fraud could also be a risk, though our team is not well-versed enough on the topic of the Russian tax system to give concrete advice.” the experts conclude.

“Potential victims should also be on the lookout for targeted phishing and other scams. Fraudsters could pose as tax officials, for example, to steal money or request additional information to aid in identity theft.”

Pierluigi Paganini

(SecurityAffairs – Russian citizens, data leak)

The post Experts found 20 Million tax records for Russian citizens exposed online appeared first on Security Affairs.

Heyyo dating app left its users’ data exposed online

Another day, another embarrassing data leak made the headlines: the online dating app Heyyo left a server exposed on the internet.

The online dating app Heyyo left a server exposed on the internet without protection, data were stored on an Elasticsearch instance.

The exposed data included personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users.

The data left exposed online included:

  • Names
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Gender
  • Height
  • Profile pictures and other images
  • Facebook IDs for users who linked their profiles
  • Instagram IDs for users who linked their profiles
  • Longitude and latitude
  • Who liked a user’s profile
  • Liked profiles
  • Disliked profiles
  • Superliked profiles
  • Blocked profiles
  • Dating preferences
  • Registration and last active date
  • Smartphone details

The news was first reported by ZDNet who was informed about the incident by security researchers from WizCase.

“Avishai Efrat, Wizcase leading hacktivist, discovered a severe data leak on Heyyo, a relatively new mobile dating app. Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine.” reported WizCase. “The majority of affected users are based in Turkey, but there’s also a significant number from the US and Brazil, which is over ⅕ of their user base.”

ZDNet verified the authenticity of the data and contacted the Turkey-based company behind Heyyo to notify it of the leak, but the company did not reply for a week.

While waiting for a reply from the development team, the experts noticed that the number of registered users grew from 71,769 to 71,921. The experts also registered an account and verified that the associated data were leaked online. This circumstance suggests that the server was a live production system.

The server was taken down today after ZDNet contacted Turkey’s Computer Emergency Response Team (CERT).

Clearly, the exposure of this type of data poses serious risks to the users’ privacy, including extortion.

At the time of writing it is unclear if anyone else had access to the exposed database.

Unfortunately, other dating platforms suffered similar incidents in the past, including Ashley Madison, Grindr, 3Fun, and Luscious.

WizCase also has its own report on the leak, for additional reading.

Pierluigi Paganini

(SecurityAffairs – Heyyo, hacking)

The post Heyyo dating app left its users’ data exposed online appeared first on Security Affairs.

Experts warn of the exposure of thousands of Google Calendars online

The news is shocking, thousands of Google Calendars are leaking private information posing a severe threat to the privacy of the users.

Thousands of Google Calendars are leaking private information online threatening the privacy of the users.

Google Calendar has more than 1 billion users who could potentially expose their private affairs due to the way the sharing (“invite”) feature is implemented. It is essential to point out that this isn’t a security vulnerability in Google Calendar, but an issue that could potentially impact anyone who has ever shared their Google Calendars.

You should immediately go back to your Google settings and check whether you’re exposing all your events and business activities on the Internet, accessible to anyone.

The security researcher Avinash Jain discovered more than 8000 Google Calendars exposed online that were indexed by Google’s search engine. This means that anyone could potentially access sensitive data and add new events that could be used to share bogus information or malicious links.

Avinash Jain, an Indian expert who works for the e-commerce firm Grofers, contacted several media outlets, including Forbes and THN.

“What I found is that — Using a single Google dork (advance search query), I am able to list down all the public google calendar or users who all have set their calendar as public. I found dozens of calendars which are indexed by google’s search engines, revealing or disclosing several sensitive information.” wrote the expert. “I was able to access public calendars of various organizations leaking out sensitive details like their email ids, their event name, event details, location, meeting links, zoom meeting links, google hangout links, internal presentation links and much more,”

Google Calendars

Some of the calendars belonged to employees of Alexa top 500 companies and had been made public, intentionally or unintentionally.

The issue is related to the public visibility set on the Google Calendar by the users. Google does not send any notification to users warning them about the visibility of their calendar.

“While this is more of an intended setting by the users and intended behavior of the service but the main issue here is that anyone can view anyone public calendar, add anything on it—just by a single search query without being shared the calendar link,” Avinash added.

The issue is not new: in recent years many experts have warned of the misuse of the “make it public” feature of its web-based calendar service, which was implemented 12 years ago.

The expert demonstrated that it is possible to view the exposed Google Calendars by using an advanced Google search query (a Google dork).

“The fix for this: You can set the calendars to only say Free/Busy if anyone wants to make their calendar public. GSuite admin can also create alerts for when Google docs, presentations, and calendars go public.” concludes the researcher.
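The researcher’s fix is a sharing setting: a calendar that must be visible to outsiders should expose only Free/Busy, never event details. The following is an added example, not the researcher’s or Google’s code. It assumes input in the shape returned by the Google Calendar API `acl.list` method (rules with a `scope.type` and a `role`; `scope.type == "default"` is the public scope) and flags calendars whose public rule reveals event content. The calendar IDs and ACL rules below are constructed samples.

```python
"""Audit Google Calendar ACLs for public exposure (added example, constructed data).

Input shape follows the Calendar API 'acl.list' response items:
  {"id": ..., "scope": {"type": "user|group|domain|default", "value": ...}, "role": ...}
"""

# Roles that reveal event titles, locations and attached links to whoever holds them.
# 'freeBusyReader' only reveals busy/free blocks, which is the researcher's recommended setting.
CONTENT_ROLES = {"reader", "writer", "owner"}


def public_exposure(acl_items):
    """Classify one calendar's ACL as 'public' (event details readable by anyone),
    'freebusy' (only free/busy visible publicly) or 'private' (no public rule)."""
    worst = "private"
    for rule in acl_items:
        # 'default' is the public scope; every other scope type names a specific audience.
        if rule.get("scope", {}).get("type") != "default":
            continue
        role = rule.get("role", "none")
        if role in CONTENT_ROLES:
            return "public"
        if role == "freeBusyReader":
            worst = "freebusy"
    return worst


def audit_calendars(calendars):
    """calendars: {calendar_id: [acl rules]} -> [(calendar_id, exposure)] for every
    calendar that is not private, fully public ones first."""
    order = {"public": 0, "freebusy": 1}
    found = [(cid, public_exposure(rules)) for cid, rules in calendars.items()]
    found = [(cid, exp) for cid, exp in found if exp != "private"]
    return sorted(found, key=lambda f: order[f[1]])


def remediation_rule():
    """Body to send with acl.update for the rule whose ruleId is 'default': keeps the
    calendar discoverable but downgrades the public audience to free/busy only."""
    return {"scope": {"type": "default"}, "role": "freeBusyReader"}


# Constructed sample: three calendars of a hypothetical example.com tenant.
SAMPLE_ACLS = {
    "ops-team@example.com": [
        {"id": "user:ops-team@example.com",
         "scope": {"type": "user", "value": "ops-team@example.com"}, "role": "owner"},
        {"id": "default", "scope": {"type": "default"}, "role": "reader"},  # public, leaks details
    ],
    "room-booking@example.com": [
        {"id": "domain:example.com",
         "scope": {"type": "domain", "value": "example.com"}, "role": "writer"},
        {"id": "default", "scope": {"type": "default"}, "role": "freeBusyReader"},
    ],
    "ceo@example.com": [
        {"id": "user:ceo@example.com",
         "scope": {"type": "user", "value": "ceo@example.com"}, "role": "owner"},
    ],
}

if __name__ == "__main__":
    for calendar_id, exposure in audit_calendars(SAMPLE_ACLS):
        print(f"{exposure:8s} {calendar_id}")
```

Run against a real tenant, the `SAMPLE_ACLS` dictionary would be replaced by one `acl.list` call per calendar returned by `calendarList.list`; only the `public` rows need the `remediation_rule()` update, since `freebusy` is the setting the researcher recommends.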

Pierluigi Paganini

(SecurityAffairs – Google Calendars, privacy)

The post Experts warn of the exposure of thousands of Google Calendars online appeared first on Security Affairs.

Backup files for Lion Air and parent airlines exposed and exchanged on forums

Tens of millions of records belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums.

Data belonging to passengers of two airline companies owned by Lion Air have been exposed and exchanged on forums.

The information was left exposed online in an unsecured Amazon S3 bucket; the records were stored in two databases in a directory containing backup files, mostly for Malindo Air and Thai Lion Air. The most recent backup, dated May 25, is named ‘PaymentGateway.’

The directory was created in May 2019, the databases included respectively 21 million records and 14 million records. It seems that data was circulating on exchange forums since August 10.

The directory also included a backup file for Batik Air, which is also owned by Lion Air. Leaked records include passenger and reservation IDs, physical addresses, phone numbers, email addresses, names, dates of birth, passport numbers, and passport expiration dates.

The news of the data leak was first disclosed by BleepingComputer, which reported that the researcher Under the Breach had published samples of the leaked records.

“BleepingComputer could not find an announcement from Lion Air or its subsidiary airlines about a data exposure incident.” reads the post published by BleepingComputer.

Experts noticed that data was offered on a data exchange community on August 12, then it was later secured.

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Backup files for Lion Air and parent airlines exposed and exchanged on forums appeared first on Security Affairs.

Data leak exposes sensitive data of all Ecuador’s citizens

Experts discovered a huge data leak affecting Ecuador, maybe the largest full-country leak, that exposed data belonging to 20 million Ecuadorian Citizens.

Security experts at vpnMentor have discovered a huge data leak affecting Ecuador that exposed data belonging to 20 million Ecuadorian Citizens.

Data were left unsecured online on a misconfigured Elasticsearch server, exposed data includes full PII, marital status and date of marriage, level of education, financial info, and more. 

This may be the largest full-country leak: it affects the whole country, and the exposure of such data poses a severe threat to Ecuadorian citizens.

“vpnMentor’s research team has found a large data breach that may impact millions of individuals in Ecuador. The leaked database includes over 20 million individuals.” reads the post published by vpnMentor.

“Led by Noam Rotem and Ran Locar, our team discovered the data breach on an unsecured server located in Miami, Florida. The server appears to be owned by Ecuadorian company Novaestrat.”

Leaked data include citizens’ financial records and car registration information.

The personal records of most of Ecuador’s population, including children, have been left exposed online due to a misconfigured database, ZDNet has learned.

The server contained a total of 20.8 million user records (18 GB of data), more than the country’s total population (16.6 million), likely due to the presence of duplicate records and data of deceased citizens.

Ecuador data leak

The analysis of the indexes revealed that the database is composed of data gathered from government sources (most from Ecuadorian government) and data gathered from private databases.

“Individuals in the database are identified by a ten-digit ID code. In some places in the database, that same ten-digit code is referred to as “cedula” and “cedula_ruc”.” continues the post.

“In Ecuador, the term “cédula” or “cédula de identidad” refers to a person’s ten-digit national identification number, similar to a social security number in the US.

The term “RUC” refers to Ecuador’s unique taxpayer registry. The value here may refer to a person’s taxpayer identification number.”

The experts found within the leaked records an entry for WikiLeaks founder Julian Assange that also includes the “cedula.”

Experts also found millions of entries for children under the age of 18 that contained names, cedulas, places of birth, gender, and home addresses.

The database was secured on September 11, 2019, after vpnMentor notified the Ecuador CERT (Computer Emergency Response Team) of its discovery.

Pierluigi Paganini

(SecurityAffairs – Ecuador, data leak)

The post Data leak exposes sensitive data of all Ecuador’s citizens appeared first on Security Affairs.

A flaw in LastPass password manager leaks credentials from previous site


An expert discovered a flaw in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.

Tavis Ormandy, the popular white-hat hacker at Google Project Zero, has discovered a vulnerability in the LastPass password manager that exposes login credentials entered on a site previously visited by a user.


On September 12, 2019, LastPass released version 4.33.0 to address the vulnerability.

“Hello, I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource.” reads a security advisory published by Ormandy.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

Ormandy published a step-by-step procedure to exploit the flaw and display the credentials provided to the previously visited website.

y = document.createElement("iframe");
y.height = 1024;
y.width = "100%";
// or y.src="moz-extension://...";
// or y.src="ms-browser-extension://...";

The expert explained that the bug is easy to exploit and requires no other user interaction: an attacker could trick victims into visiting malicious pages to extract the credentials entered on previously visited sites.

“Ah-ha, I just figured out how to do this google automatically, because compare_tlds(lp_gettld_url(a), lp_gettld_url(t)) succeeds for and, but you can iframe untrusted sites with, so the top url is irrelevant.” continues the expert.

“I think it’s fair to call this “High” severity, even if it won’t work for *all* URLs.”

At the time of writing, there is no news about the exploitation of this bug in attacks in the wild.

LastPass implements an auto-update process for both mobile apps and browser extensions; users who have disabled it for some reason have to update manually.

Pierluigi Paganini

(SecurityAffairs – LastPass, hacking)

The post A flaw in LastPass password manager leaks credentials from previous site appeared first on Security Affairs.

Dealer Leads, a car dealer marketing firm exposed 198 Million records online

A researcher discovered an unsecured database exposed online, belonging to the car dealership marketing firm Dealer Leads, containing 198 million records.

The researcher Jeremiah Fowler discovered an unsecured database exposed online that belongs to the car dealership marketing firm Dealer Leads.

The archive contained 198 million records, 413GB of data in total, with information on potential car buyers, vehicles, loan and finance inquiries, log data with IP addresses of visitors, and more.

“On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner.” reports Security Discovery. “I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”

Dealer Leads provides content relevant and related to the auto industry for franchise and independent car dealerships; the company’s website describes it with the following statement.

“dominates the automotive digital marketing industry with highly used automobile search strings turned into online inventory advertising classified sites, service sites, finance sites etc. Car shoppers have needs, and DealerLeads matches those needs in live searches.”

The Elastic database was accessible to anyone with any browser, its records included name, email, phone, address, IP, and other sensitive or identifiable information, in plain text.
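Four of the posts on this page (the Russian tax records, Heyyo, the Ecuador leak and Dealer Leads above) share one root cause: an Elasticsearch node reachable from the internet with no authentication. The block below is an added example, not code from any of those posts or from the vendors involved. It audits an `elasticsearch.yml` for the two settings that produce that state, a non-loopback `network.host` / `http.host` binding and `xpack.security.enabled` left off (it also notes a missing `xpack.security.http.ssl.enabled`). The parser handles only the flat `dotted.key: value` lines typical of that file, and the two configs are constructed samples.

```python
"""Audit an elasticsearch.yml for settings that make the REST API an open database.
Added example with constructed sample configs; not vendor code."""

# Bindings that listen on every interface or a routable address.
NON_LOOPBACK = {"0.0.0.0", "::", "_global_", "_site_"}
# Bindings that keep the HTTP API on the local machine (Elasticsearch's default is _local_).
LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; blank lines and '#' comments are skipped.
    Nested YAML blocks are not handled (use a real YAML parser for those)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch(text):
    """Return a list of (severity, message) findings for one config file."""
    s = parse_flat_yaml(text)
    findings = []

    host = s.get("network.host", "_local_")
    http_host = s.get("http.host", host)  # http.host overrides network.host for the REST API
    exposed = http_host not in LOOPBACK
    if exposed:
        findings.append(("HIGH" if http_host in NON_LOOPBACK else "MEDIUM",
                         f"REST API bound to {http_host!r}; reachable from the network"))

    sec = s.get("xpack.security.enabled")
    if sec is None:
        # Before 8.0 the setting defaults to false, so 'not set' usually means 'off'.
        findings.append(("HIGH" if exposed else "LOW",
                         "xpack.security.enabled not set (defaults to false before 8.0)"))
    elif sec.lower() == "false":
        findings.append(("CRITICAL" if exposed else "MEDIUM",
                         "xpack.security.enabled is false: no authentication on the API"))

    if exposed and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("MEDIUM", "HTTP API exposed without TLS"))
    return findings


# Constructed sample: the shape of config behind the leaks above.
WEAK_CONFIG = """
cluster.name: leads-prod
node.name: es-1
network.host: 0.0.0.0      # listen on every interface
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same node kept on loopback with authentication and TLS on.
HARDENED_CONFIG = """
cluster.name: leads-prod
node.name: es-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or "no findings")
```

A loopback binding is the safe default only when clients reach the node through a reverse proxy or an SSH/VPN hop; a node that must serve other hosts should keep the non-loopback binding and clear the other two findings instead.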

The archive also included IP addresses, ports, pathways, and storage info.

The good news is that after the expert reported his discovery to the company, it secured the database, restricting public access to the archive.

At the time of writing it is not clear how long the data remained exposed online or whether anyone accessed its records.

“Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed.” Security Discovery concludes.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,”

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

The post Dealer Leads, a car dealer marketing firm exposed 198 Million records online appeared first on Security Affairs.

SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People

The web surfing history of millions of people was intercepted yesterday in a huge data leak. Large Swedish companies, such as Volvo, SAS, Ericsson, Husqvarna, and SKF have been affected, as originally reported by the Swedish newspaper Dagens Nyheter. About 40,000 people involved in the cyber incident allegedly are Swedes.

Spyware in Browser Extensions Enabled the Attack

The data spill was caused by spy code installed in Chrome and Firefox add-ons, which allowed the browsing history of millions of users to be harvested and sold.

A part of the leaked data comes from some of the largest organizations in Sweden. The database contained information such as discussions between employees, downloaded files, and internal confidential information. More precisely, it was possible to see exactly what people did online and although the information was considered to be anonymous, their identity could be confirmed.

The Failure of a SpaceX Rocket Engine Was Also Leaked

According to security engineer Sam Jadali, other major international companies have been involved as well. For instance, information from the space company SpaceX regarding the failure of a rocket engine was revealed. The vehicle was used to transport astronauts to and from the International Space Station (ISS).

The Company Behind the Data Leak

The information was collected and sold by Nacho Analytics, which is ending its activity now that the leak has been brought to light.

This is the pop-up message that is currently being displayed on their website:

“Nacho Analytics is closing all remaining accounts, and sending refunds to our existing customers for their recent payments. It will take a few days to work through this process. We appreciate your patience. If you are an active customer, please check your email for more detailed information.

Our limited site is active to offer customer support during this transition.”

nacho analytics data leak september 2019

Browsing habits are a way of studying customer patterns and monitoring competitors. This leak is similar to the Cambridge Analytica scandal, in which Facebook data could be abused for political campaigns, writes SVT.

Why Did the Data Leak Happen?

The reason is that many companies use browser-based tools. And if an employee accesses a browser extension compromised by spyware, the activity within the tool can also be intercepted by cybercriminals.

Our CEO, Morten Kjaersgaard, has spoken with IT-Kanalen about how serious the problem is.

In his view, the issue seems to be greater than we realize. Specifically, any extension could be used by cybercriminals to access sensitive data. The reason is that these add-ons are not part of a company’s internal system, but are developed by third parties. When users install a plugin in a browser, a port opens to the underlying engine – in this case, Chrome or Firefox – where it gets access to data it should not have access to.

On a more positive note, the issue was discovered early, and this way we can get the chance to better understand it and find solutions. We should somehow be glad that the attack did not hit IE, which is more commonly used because this way the damage would probably have been significantly higher, says Morten Kjaersgaard.

How can we reduce the risks?

The simple answer would be to disable all plugins. But since this is rarely a viable solution, here are the recommendations for companies and consumers.

Advice for Companies

Companies should follow several steps. First of all, their IT department should design some form of policy-based system for deciding which add-ons should be installed and also know how they should be handled and monitored. There are existing solutions that are partially already integrated into Chrome.

Secondly, traffic should be monitored in real-time. This way, companies can detect early on whether systems connect and send data to suspicious locations. If this practice is combined with DNS protection and IP filtering, then you will have a great security foundation for your company.
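The policy-based control mentioned above exists in Chrome’s enterprise policies: `ExtensionInstallBlocklist` set to `*` blocks every extension, and `ExtensionInstallAllowlist` re-enables only the approved IDs. The block below is an added example, not Heimdal’s tooling; the policy keys are real Chrome policies, while the extension IDs and the workstation inventory are constructed samples. It generates the managed-policy JSON and reports which already-installed extensions the policy would block, which is the list an IT team needs before rolling the policy out.

```python
"""Default-deny browser extension policy for Chrome, plus an inventory check.
Added example; policy keys are real Chrome enterprise policies, IDs are constructed."""

import json

VALID_ID_CHARS = set("abcdefghijklmnop")  # Chrome Web Store IDs are 32 chars of a-p


def validate_extension_id(ext_id):
    """Reject anything that is not a well-formed Chrome extension ID."""
    if len(ext_id) != 32 or any(c not in VALID_ID_CHARS for c in ext_id):
        raise ValueError(f"not a valid extension id: {ext_id!r}")
    return ext_id


def build_extension_policy(approved_ids):
    """Block '*' and allow only the approved IDs. On Linux the result is written to
    /etc/opt/chrome/policies/managed/<name>.json; Windows and macOS take the same
    keys via the registry or a configuration profile."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(validate_extension_id(i) for i in approved_ids),
    }


def policy_json(policy):
    """Serialise the policy the way Chrome's managed-policy directory expects it."""
    return json.dumps(policy, indent=2)


def check_inventory(policy, inventory):
    """inventory: list of {'id', 'name', 'host'} gathered from endpoints.
    Returns the entries the policy would disable, so they can be reviewed first."""
    blocklist = set(policy.get("ExtensionInstallBlocklist", []))
    allowed = set(policy.get("ExtensionInstallAllowlist", []))
    block_all = "*" in blocklist
    return [e for e in inventory
            if (block_all and e["id"] not in allowed) or e["id"] in blocklist - {"*"}]


# Constructed sample: one approved extension and an inventory from two workstations.
APPROVED = ["abcdefghijklmnopabcdefghijklmnop"]  # hypothetical corporate SSO helper
POLICY = build_extension_policy(APPROVED)
INVENTORY = [
    {"id": "abcdefghijklmnopabcdefghijklmnop", "name": "Corporate SSO helper", "host": "ws-01"},
    {"id": "pppppppppppppppppppppppppppppppp", "name": "Free coupon finder", "host": "ws-01"},
    {"id": "ponmlkjihgfedcbaponmlkjihgfedcba", "name": "PDF tools", "host": "ws-02"},
]

if __name__ == "__main__":
    print(policy_json(POLICY))
    for ext in check_inventory(POLICY, INVENTORY):
        print(f"would be blocked on {ext['host']}: {ext['name']} ({ext['id']})")
```

Extensions that turn up in the blocked list and are genuinely needed get reviewed (publisher, permissions, update history) and added to `APPROVED`; everything else is removed when the policy lands, which is the point of a default-deny list.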

Advice for Consumers

The most obvious recommendation would be not to install any extensions. But if you need to do it, always make sure you only have installed a few add-ons that you really depend on. What’s more, browser extensions should come from trusted, reputable sources and not from any unknown sites or companies.

By using DNS and IP filtering in combination with traffic monitoring and firewalls, both consumers and companies will play their part in the fight against cybercriminals. And this is something that we must all start with as soon as possible, Morten Kjaersgaard concludes.

Swedish speakers can read the full interview with Morten Kjaersgaard, Heimdal Security’s CEO, here.

Does your company need a cybersecurity solution to prevent Spyware and the most advanced types of malware?

Get in touch today to learn how we can help you.


The post SECURITY ALERT: Massive Data Leak Revealed the Sensitive Information of Millions of People appeared first on Heimdal Security Blog.

Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed

As much as I love this one friend of mine, nothing is private when we’re together. You probably have a friend like this. The relationship is really great so you stay friends despite all, but this particular friend simply cannot know something about you without sharing it with others no matter how hard you try to get them to understand it’s totally uncool. 

Facebook Is an Open Book

They did it again this week with news that 419 million records, including phone numbers and user IDs, were scraped from Facebook and stored in a database that was just sitting online accessible to anyone who might like to peruse it. More than 130 million of those compromised by the discovery were American users. Another 18 million were UK users. A whopping 50 million hailed from Vietnam. 

Facebook later claimed about half that number were affected, or 220 million records. 

The information is at least a year old, which was when Facebook stopped allowing developers to have user phone numbers. So, we can call this a Facebook privacy facepalm legacy attack. It’s a sad state of Facebook privacy news fatigue that the urge is so strong to create privacy fail sub-categories—but there you have it. Introducing the legacy fail. 

Why It Matters

Some of the information out there was granular enough to allow a variety of scams, but the most serious is SIM-card swapping scams, where a criminal, armed with enough information about you, and most crucially your phone number, arranges to have your number moved to a phone in the criminal’s possession. 

Once the number has been transferred, the criminal has control of any accounts that are identified by caller ID (including many financial institutions) as well as any accounts protected by two-factor authentication. It is believed this was the method used to recently hack Jack Dempsey’s Twitter account. 

What You Can Do

Assume that you are a target, and tighten your protections. Your phone provider will have tips on the best practices to avoid SIM-card attacks, common sense can be your guide regarding any unexpected phone calls, and you should practice the Three Ms:

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.

Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on If you prefer a more laid back approach, see No. 5 above.

Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The post Expect More Spam Calls and SIM-Card Scams: 400 Million Phone Numbers Exposed appeared first on Adam Levin.