Stolen user information from 16 popular apps and services including Dubsmash and MyFitnessPal is now being sold on the dark web, according to a report from The Register. A seller on the dark web marketplace Dream Market has come forward offering login details for more than 617 million accounts for just under $20,000, to be paid in Bitcoin.
Source: The Register
As if there weren't enough safety concerns surrounding electric scooters, here's a new one. Researchers at mobile security firm Zimperium discovered a bug in the Xiaomi M365 scooter that allows a hacker to remotely access the device. Once the have taken over, the attacker can make the scooter accelerate or brake without the rider's input.
The US government plans to turn the tables on North Korea-linked hackers trying to compromise key infrastructure. The Justice Department has unveiled an initiative to map the Joanap botnet and "further disrupt" it by alerting victims. The FBI and the Air Force Office of Special Investigations are running servers imitating peers on the botnet, giving them a peek at both technical and "limited" identifying info for other infected PCs. From there, they can map the botnet and send notifications through internet providers and foreign governments -- they'll even send personal notifications to people who don't have a router or firewall protecting their systems.
Source: Department of Justice
A number of German politicians have been the target of a massive data leak, one that contains extensive amounts of information. The data in question includes email addresses, private correspondence, passwords, phone numbers, work emails and photos, among other information, and those affected reportedly include journalists and celebrities as well as politicians. According to multiple reports, the data was leaked from the Twitter account @_0rbit -- which has since been suspended -- and the account began sharing the stolen information in December.
Marriott has good news and bad news for travelers who have passed through its hotels. The good news is the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is the data lifted from the company included millions of peoples' passport numbers.
Via: Wall Street Journal
As much progress as Twitter has made kicking terrorists off its platform, it still has a long way to go. TechCrunch has learned that ISIS supporters are hijacking long-dormant Twitter accounts to promote their ideology. Security researcher WauchulaGhost found that the extremists were using a years-old trick to get in. Many of these idle accounts used email addresses that either expired or never existed, often with names identical to their Twitter handles -- the social site didn't confirm email addresses for roughly a decade, making it possible to use the service without a valid inbox. As Twitter only partly masks those addresses, it's easy to create those missing addresses and reset those passwords.
The hackers who stole Orange is the New Black are back, and they've hit a new low. The group known as TheDarkOverlord claims to have stolen 18,000 documents from Hiscox Syndicates, Lloyds of London and Silverstein Properties, and threatened to release files providing "answers" for 9/11 attack "conspiracies" unless it received a ransom. A Hiscox spokesperson confirmed the hack to Motherboard and indicated that this was likely insurance data tied to litigation involving the terrorist campaign.
Hackers just caused grief for North Korean defectors. South Korea's Unification Ministry has revealed that attackers stole the personal data of 997 defectors, including their names and addresses. The breach came after a staff member at the Hana Foundation, which helps settle northerners, unwittingly opened email with malware. The defectors' data is normally supposed to be isolated from the internet and encrypted, but the unnamed staffer didn't follow those rules, officials said.
Source: Wall Street Journal
Biometric security has moved beyond just fingerprints and face recognition to vein-based authentication. Unfortunately, hackers have already figured out a way to crack that, too. According to Motherboard, security researchers at the Chaos Communication Congress hacking conference in Leipzig, Germany showed a model wax hand that they used to defeat a vein authentication system using a wax model hand.
Chinese hackers have been targeting US Navy contractors, and were reportedly successful on several occasions over the last 18 months. The infiltrators stole information including missile plans and ship maintenance data, according to a Wall Street Journal report that cites officials and security experts.
Source: Wall Street Journal
The Republican Party's House campaign committee said it was a victim of "cyber intrusion" during the 2018 midterm campaign. Party officials told Politico that "thousands of sensitive emails" were stolen in the National Republican Congressional Committee hack. The party has reported the incident to the FBI.
Via: Associated Press
Over the course of this week, some printers have been printing out a strange message asking people to subscribe to PewDiePie's YouTube channel. The message appears to be the result of a simple exploit that allows printers to receive data over the internet, including print commands. A person with the online handle TheHackerGiraffe has claimed responsibility for the attack.
Via: The Verge
Earlier this month, hackers attempted to breach Dell's network and obtain customer information, according to the company. While it says there's no conclusive evidence the hackers were successful in their November 9th attack, it's still possible they obtained some data.
Via: The Verge
Police in Bulgaria have arrested an alleged Russian hacker who may be responsible for a huge Android ad scam that netted $10 million. The individual identified as Alexander Zhukov is a Saint Petersburg native who's been living in Varna, Bulgaria, since 2010 and was apprehended on November 6th after the US issued an international warrant for his arrest, according to ZDNet.
The Centers for Medicare and Medicaid Services (CMS) now has details about the data stolen in the breach of Healthcare.gov that occurred last month. According to the government agency, a significant amount of personal information including partial Social Security numbers, tax information and immigration status was compromised in the breach. No financial information was stolen.
The Justice Department has charged ten Chinese nationals -- two of which are intelligence officers -- of hacking into and stealing intellectual property from a pair of unnamed US and French companies between January 2015 to at least May of 2015. The hackers were after a type of turbofan (portmanteau of turbine and fan), a large commercial airline engine, to either circumvent its own development costs or avoid having to buy it. According to the complaint by the Department of Justice, a Chinese aerospace manufacturer was simultaneously working on making a comparable engine. The hack afflicted unnamed aerospace companies located in Arizona, Massachusetts and Oregon.
Via: ZD Net
Source: US Department of Justice
The hackers who were responsible for the Uber data breach that affected 57 million users around the world have been indicted... for another hack altogether, according to TechCrunch. Canadian citizen Vasile Mereacre and Florida resident Brandon Glover have been indicted for stealing account information from LinkedIn training site Lynda.com, but a TechCrunch source said they were also behind the massive Uber breach back in 2016. If true, then they got caught for a much smaller scheme: the Lynda cyberattack only compromised 55,000 accounts.
Cathay Pacific, the primary airline of Hong Kong known for its high-speed WiFi, was hit with a major data breach that affects up to 9.4 million passengers. The company said that personal information including passport numbers, identity card numbers, credit card numbers, frequent flyer membership program numbers, customer service comments and travel history had been compromised. No passwords were compromised, which may not be any consolation.
Via: The Guardian
Source: Cathay Pacific
Dan Coats, the US director of national intelligence, said there's "no evidence" that Chinese spies tampered with servers bought by up to 30 companies, including the likes of Apple and a telecom provider, as Bloomberg reported earlier this month. However, he told Cyberscoop that "we're not taking anything for granted. We haven't seen anything, but we're always watching."
Via: The Verge
Earlier this month, Bloomberg reported that San Jose-based server company Super Micro installed surveillance micro-chips in the Chinese data center hardware of up to 30 companies, including Amazon and Apple. These chips were supposedly used to steal intellectual property. However, all companies that were named in the initial report have denied Bloomberg's claims. Now, Apple CEO Tim Cook is calling on the well-reputed publication to retract its story altogether, according to BuzzFeed News.
Source: BuzzFeed News
Facebook couldn't have picked a worse time to introduce Portal, a camera-equipped smart display designed to make video chatting in your home easier. And, if the rumors are true, the company is reportedly also preparing to launch a video chat camera for your TV, based on the same system as Portal. Not only does news of this hardware come at a time when when Facebook is under major scrutiny after suffering a massive data breach in September, which exposed private information of 29 million users, including usernames, birth date, gender, location, religion and the devices used to browse the site. But the most concerning part about Portal, is that Facebook's own executives don't seem to have a basic understanding of what types of data the company will be collecting or what it will be using it for.
The Pentagon still has to grapple with data security woes despite efforts to harden its sites and networks. Defense Department officials have revealed that a travel record data breach at an unnamed contractor exposed the personal info of military and civilian staffers, including credit cards. An AP source said that this didn't compromise classified material, but it affected "as many as" 30,000 workers. There's a chance that number might get larger, according to the source.
Source: AP News
According to cybersecurity firm Palo Alto Networks, it discovered a fake Flash updater that has been duping conscientious computer users since August. The fake updater installs files to sneak a cryptocurrency mining bot called XMRig, which mines for Monero.
But here's the catch, while the fake updater is installing the XMRig malware, it's also updating the user's Flash.
Via: The Next Web
Source: Palo Alto Networks