Equifax said that an additional 2.4 million Americans have been impacted by a 2017 data breach, bringing the total of those implicated to around 148 million people.
You might expect that the Internal Revenue Service (IRS) of the US would be worried that the recent Equifax data breach would set off an avalanche of fraudulent tax filings. They aren’t. In fact, they believe a “significant” number of the estimated 145 million victims of the Equifax breach have already had their private data […]
Recently Oath, the owner of Yahoo and a subsidiary of Verizon, revealed that the biggest known data breach ever recorded was larger than Yahoo initially announced. As you may remember, back in 2013 Yahoo suffered a cyber-attack in which approximately one billion accounts were affected. Even though it took Yahoo more than two full years to release the information about the data breach to the public, further investigation by the current owners confirmed that the incident was on a much larger scale. A few days ago, the current owners of Yahoo distributed a notice stating that every single Yahoo account might have been compromised during this very same attack. The total number of user accounts that Yahoo had at the time was around three billion.
The news is a significant blow for Verizon, as they might have been able to negotiate a better deal when acquiring Yahoo had they known that the cyber-attack had affected every customer, instead of the initially announced one-third of the accounts. In the notice released earlier today, Chandra McMahon, Chief Information Security Officer at Verizon, said:
“Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.”
The good news is that this is not a new security issue; Yahoo and Verizon claim that they have done everything possible to secure the accounts of their current users.
Yahoo is currently sending email notifications to the additional affected user accounts. The forensic experts hired by Verizon highlighted the fact that the compromised data is not known to contain passwords in clear text, nor any banking information such as credit card numbers and bank account details. However, the investigation is still considered an ongoing matter.
If you are worried that you may be among those affected, and you didn’t take any precautions when the breach was initially reported, check out our top 5 things you should do immediately.
The post All Yahoo Accounts Compromised in the 2013 Yahoo Data Breach appeared first on Panda Security Mediacenter.
Yahoo on Tuesday released an update to its 2013 breach, notifying users that all 3 billion accounts in existence at the time were compromised.
It’s been two years since one of the most notorious cyber-attacks in history; however, the controversy surrounding Ashley Madison, the online dating service for extramarital affairs, is far from forgotten. Just to refresh your memory, Ashley Madison suffered a massive security breach in 2015 that exposed over 300 GB of user data, including users’ real names, banking data, credit card transactions, secret sexual fantasies… A user’s worst nightmare, imagine having your most private information available over the Internet. However, the consequences of the attack were much worse than anyone thought. Ashley Madison went from being a sleazy site of questionable taste to becoming the perfect example of security management malpractice.
Hacktivism as an excuse
Following the Ashley Madison attack, the hacking group ‘The Impact Team’ sent a message to the site’s owners threatening them and criticizing the company’s bad faith. However, the site didn’t give in to the hackers’ demands, and the hackers responded by releasing the personal details of thousands of users. They justified their actions on the grounds that Ashley Madison lied to users and didn’t protect their data properly. For example, Ashley Madison claimed that users could have their personal accounts completely deleted for $19. However, this was not the case, according to The Impact Team. Another promise Ashley Madison never kept, according to the hackers, was that of deleting sensitive credit card information. Purchase details were not removed, and included users’ real names and addresses.
These were some of the reasons why the hacking group decided to ‘punish’ the company. A punishment that has cost Ashley Madison nearly $30 million in fines, improved security measures and damages.
Ongoing and costly consequences
Despite the time that has passed since the attack and the implementation of the necessary security measures by Ashley Madison, many users complain that they continue to be extorted and threatened to this day. Groups unrelated to The Impact Team have continued to run blackmail campaigns demanding payment of $500 to $2,000 for not sending the information stolen from Ashley Madison to family members. And the company’s investigation and security strengthening efforts continue to this day. Not only have they cost Ashley Madison tens of millions of dollars, but they also resulted in an investigation by the U.S. Federal Trade Commission, an institution that enforces strict and costly security measures to keep user data private.
What can be done in your company?
Even though there are many unknowns about the hack, analysts were able to draw some important conclusions that should be taken into account by any company that stores sensitive information.
· Strong passwords are extremely important
As was revealed after the attack, although most of the Ashley Madison passwords were protected with the bcrypt hashing algorithm, a subset of at least 15 million passwords were hashed with the MD5 algorithm, which is very vulnerable to brute-force attacks because it is fast and unsalted. This is probably a remnant of the way the Ashley Madison network evolved over time. This teaches us an important lesson: no matter how hard it is, organizations must use all means necessary to make sure they don’t make such blatant security mistakes. The analysts’ investigation also revealed that several million Ashley Madison passwords were very weak, which reminds us of the need to educate users regarding good security practices.
· To delete means to delete
Probably one of the most controversial aspects of the whole Ashley Madison affair is that of the deletion of information. Hackers exposed a huge amount of data which supposedly had been deleted. Although Ruby Life Inc, the company behind Ashley Madison, claimed that the hacking group had been stealing information for a long period of time, the truth is that much of the information leaked did not match the dates described. Every company must take into account one of the most important factors in personal information management: the permanent and irretrievable deletion of data.
· Ensuring proper security is an ongoing obligation
Regarding user credentials, the need for organizations to maintain impeccable security protocols and practices is evident. Ashley Madison’s use of the MD5 hash algorithm to protect users’ passwords was clearly an error; however, this is not the only mistake they made. As revealed by the subsequent audit, the entire platform suffered from serious security problems that had not been resolved because they were the result of work done by a previous development team. Another aspect to consider is that of insider threats. Internal users can cause irreparable harm, and the only way to prevent that is to implement strict protocols to log, monitor and audit employee actions.
Ensuring the security of an organization is an ongoing effort, and no company should ever lose sight of the importance of keeping its entire system secure, because failing to do so can have unexpected and very, very expensive consequences.
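The two password lessons above (a legacy tail of unsalted MD5 hashes, and users choosing weak passwords) are easy to turn into concrete checks. The following is an added example written for this article, not code from Ashley Madison or Panda Security; it assumes a constructed in-memory credential store, uses the standard library’s PBKDF2-HMAC-SHA256 in place of bcrypt (bcrypt requires a third-party package), and shows how a login path can verify an old MD5 hash, transparently re-hash it with the slow salted scheme, and how an inventory of hash schemes makes the legacy subset visible.

```python
import hashlib
import hmac
import os

# Work factor for the slow, salted scheme (PBKDF2 stands in for bcrypt here).
PBKDF2_ITERATIONS = 200_000

# Constructed denylist of very common passwords; a real deployment would use a
# much larger breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "abc123"}


def hash_password(password, salt=None):
    """Return a self-describing salted PBKDF2 record: scheme$iters$salt$digest."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def legacy_md5(password):
    """The weak scheme the article describes: unsalted, fast MD5 (one hash per guess)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_password(password, stored):
    """Check a password against either record format using constant-time comparison."""
    scheme = stored.split("$", 1)[0]
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    if scheme == "pbkdf2_sha256":
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def needs_rehash(stored):
    """True for any MD5 record, or a PBKDF2 record below the current work factor."""
    parts = stored.split("$")
    if parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


def login(store, user, password):
    """Verify the credential; on success, upgrade a legacy hash in place."""
    stored = store.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        store[user] = hash_password(password)  # migrate while the plaintext is available
    return True


def audit_store(store):
    """Count records per hash scheme so a leftover MD5 subset cannot go unnoticed."""
    counts = {}
    for stored in store.values():
        scheme = stored.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def is_weak(password):
    """Simple policy check: too short or on the common-password denylist."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def make_sample_store():
    """Constructed store: one account left on MD5 by an older platform version."""
    return {
        "legacy_user": legacy_md5("123456"),
        "new_user": hash_password("correct-horse-battery-staple"),
    }


if __name__ == "__main__":
    store = make_sample_store()
    print("before:", audit_store(store))
    print("login legacy_user:", login(store, "legacy_user", "123456"))
    print("after: ", audit_store(store))
    for pw in ("123456", "correct-horse-battery-staple"):
        print(f"{pw!r} weak: {is_weak(pw)}")
```

The audit function is the operational piece: run it periodically and treat any non-zero count for the legacy scheme as a finding to track to zero, rather than trusting that a past migration finished. Accounts that never log in again never get the transparent upgrade, so a deadline after which legacy hashes are invalidated and a reset is forced is the usual complement.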
The post A dating site and corporate cyber-security lessons to be learned appeared first on Panda Security Mediacenter.
Thousands of resumes and job applications from U.S. military veterans, law enforcement, and others were leaked by a recruiting vendor in an unsecured AWS S3 bucket.
Personal and business data belonging to Boston area meeting and hotel booking provider Groupize was discovered in a publicly accessible Amazon Web Services S3 bucket, which has since been locked down.
You’re looking for the one, the unbeatable password? Well, security expert Troy Hunt does have a few hundred million available – that you should try and stay away from. Troy Hunt is best known for the service he offers on haveibeenpwned.com: a search that allows you to see if your email address was compromised by a data […]
Data belonging to 14 million Verizon customers was exposed by a partner, which misconfigured a repository storing the personal information it had access to.