An Astonishing 773 Million Records Exposed in Monster Breach

There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 million unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.

The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.

The Hack

If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.

The trove appeared briefly on MEGA, the cloud service, [...]

Facebook’s ’10 Year Challenge’ Is Just a Harmless Meme—Right?

If you use social media, you’ve probably noticed a trend across Facebook, Instagram, and Twitter of people posting their then-and-now profile pictures, mostly from 10 years ago and this year.

Instead of joining in, I posted the following semi-sarcastic tweet:

My flippant tweet began to pick up traction. My intent wasn’t to claim that the meme is inherently dangerous. But I knew the facial recognition scenario was broadly plausible and indicative of a trend that people should be aware of. It’s worth considering the depth and breadth of the personal data we share without reservations.

Of those who were critical of my thesis, many argued that the pictures were already available anyway. The most common rebuttal was: “That data is already available. Facebook’s already got all the profile pictures.”

Of course they do. In various versions of the meme, people were instructed to post their first profile picture alongside [...]

Ring Security Cam Snooping, Location Tracking, and More Security News This Week

Another week, another crypto heist. This time, Ethereum Classic was the target, when hackers stole around $1.1 million worth of coins by taking over 51-percent of the currency’s network.

Another familiar blunder came this week when it was revealed that technologically challenged convicted criminal Paul Manafort had yet another problem using basic tech. This time, he and his lawyers failed to appropriately redact documents sent to the court, unwittingly revealing that special counsel Robert Mueller believes Manafort shared 2016 polling data with a known Russian spy during the campaign.

Speaking of Mueller, Garrett Graff lays out his to-do list for 2019.

Terrorists are using niche chat apps meant for gamers and business people. Your old tweets gave away a lot more location data than you thought. Carriers keep [...]

A Worldwide Hacking Spree Uses DNS Trickery to Nab Data

Iranian hackers have been busy lately, ramping up an array of targeted attacks across the Middle East and abroad. And a report this week from the threat intelligence firm FireEye details a massive global data-snatching campaign, carried out over the last two years, that the firm has preliminarily linked to Iran.

Using a classic tactic to undermine data security as it moves across the web, hackers have grabbed sensitive data like login credentials and business details from telecoms, internet service providers, government organizations, and other institutions in the Middle East, North Africa, Europe, and North America. FireEye researchers say the targets and types of data stolen are consistent with Iranian government espionage interests—and that whoever is behind the massive assault now has a trove of data that could fuel future cyberattacks for years.

“It’s consistent with what we’ve seen Iran do before and the signs point there, but we just wanted to get this out [...]

Your Old Tweets Give Away More Location Data Than You Think

An international group of researchers has developed an algorithmic tool that uses Twitter to automatically predict exactly where you live in a matter of minutes, with more than 90 percent accuracy. It can also predict where you work, where you pray, and other information you might rather keep private, like, say, whether you’ve frequented a certain strip club or gone to rehab.

The tool, called LPAuditor (short for Location Privacy Auditor), exploits what the researchers call an “invasive policy” Twitter deployed after it introduced the ability to tag tweets with a location in 2009. For years, users who chose to geotag tweets with any location, even something as geographically broad as “New York City,” also automatically gave their precise GPS coordinates. Users wouldn’t see the coordinates displayed on Twitter. Nor would their followers. But the GPS information would still be included in the tweet’s metadata and accessible through Twitter’s API.

Twitter [...]

Carriers Swore They’d Stop Selling Location Data. Will They Ever?

Location data is some of the most sensitive, and sought after, information that smartphones generate. And wireless providers are in a unique position to access it all the time. But a Tuesday report from Motherboard shows that carriers don’t protect this deeply private information as carefully as consumers might think—especially considering that Verizon, T-Mobile, Sprint, and AT&T all pledged to stop selling it months ago.

Last May, US carriers were caught selling customer location data to all manner of third parties, from legitimate services like roadside assistance groups to data brokers who could resell the information to virtually anyone. It exposed a shadow economy, where your location information ends up in the hands of countless companies you’ve never heard of.

Amid the ensuing customer outrage and mounting congressional scrutiny, the major US carriers promised to stop selling user location data to outside brokers. Which is part of what makes [...]

A Growing Frontier for Terrorist Groups: Unsuspecting Chat Apps

Heads up, tech companies: If your product appeals to the masses, it likely also holds allure for terrorist groups like ISIS.

WIRED OPINION

Rita Katz is the Executive Director and founder of the SITE Intelligence Group, the world’s leading non-governmental counterterrorism organization specializing in tracking and analyzing the online activity of the global extremist community.

ISIS has effectively exploited the power of technology to fuel its rise around the globe, from streaming and file-sharing platforms to messenger applications and social media services. Many tech companies have responded in turn, strengthening their oversight and security measures. But while major platforms like Facebook, Twitter, YouTube, and Telegram are becoming increasingly inhospitable to ISIS, the group’s reach is growing on lesser-known messenger apps designed for businesses and gamers.

In the aftermath of major territory losses in Iraq and Syria, ISIS is reconfiguring how it uses technology to drive [...]

Paul Manafort Is Bad at Basic Tech, From Passwords to PDFs

Paul Manafort has a horrible track record when it comes to digital security. The latest reminder came this week, when his defense lawyers failed to sufficiently redact portions of a court filing submitted on Tuesday, responding to Robert Mueller’s claims that Manafort violated his plea agreement with the special counsel by lying to prosecutors. The redacted portions of the filing are “hidden” by black bars but can easily be revealed by simply highlighting those bars and copying and pasting the text into a new document. (The error is especially troubling given that it’s relatively easy to properly redact documents, though lawyers in high-profile corporate and even government cases have made similar mistakes in recent years.)

In this redacting fail, Manafort’s lawyers revealed that Mueller alleges the former Trump campaign chair shared polling data “related to the 2016 presidential campaign” with Konstantin Kilimnik, a political consultant the FBI says is connected to Russian [...]

Mueller Investigation 2019: Indictments, Witnesses, and More

Last Friday, just like Punxsutawney Phil, DC District Court judge Beryl Howell emerged from her chambers, saw her shadow, and announced six more months of Bob Mueller. Judge Howell’s extension of Mueller’s grand jury, which was set to expire over the weekend, was widely expected—the special counsel’s office has made clear in recent weeks that it has plenty of unfinished business—but the extension underscores just how much work is still left in Mueller’s probe.

In fact, surveying the 2019 landscape anew after a flurry of near-daily investigation revelations in the month following Thanksgiving makes clear that Mueller’s investigation has a packed agenda still ahead (not to mention a final report to write). Here are some of the loose threads and unanswered questions that seem most likely to be topping Mueller’s to-do list as January begins:

What happens to Jerome Corsi?

One of the most intriguing pieces of unfinished business from Mueller’s Thanksgiving flurry was the aborted plea agreement with conspiracy theorist and would-be Wikileaks intermediary Jerome Corsi. Mueller clearly believes that Corsi lied to investigators about his knowledge or role in Wikileaks’ publishing of emails and documents stolen from Democratic officials [...]

The Elite Intel Team Still Fighting Meltdown and Spectre

A year ago today, Intel coordinated with a web of academic and independent researchers to disclose a pair of security vulnerabilities with unprecedented impact. Since then, a core Intel hacking team has worked to help clean up the mess—by creating attacks of their own.

Known as Spectre and Meltdown, the two original flaws—both related to weaknesses in how processors manage data to maximize efficiency—not only affected generations of products that use chips from leading manufacturers like Intel, AMD, and ARM, but offered no ready fix. The software stopgaps Intel and others did roll out caused a slew of performance issues.

On top of all of this, Meltdown and particularly Spectre revealed fundamental security weaknesses in how chips have been designed for over two decades. Throughout 2018, researchers inside and outside Intel continued to find exploitable weaknesses related to this class of “speculative execution” vulnerabilities. Fixing many of them takes [...]