Search Results for “TechCrunch”

September 4, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Exposed Server Found Online Containing More Than 419 Million Phone Numbers Linked to Facebook Accounts

An exposed server containing more than 419 million records of phone numbers linked to Facebook accounts was found online by Sanyam Jain, a security researcher and member of the GDI Foundation. Included in the hundreds of millions of records were 133 million records on U.S.-based Facebook users, 18 million records of users in the U.K., and another with more than 50 million records on users in Vietnam. Each record contained a user’s unique Facebook ID and the phone number listed on the account, with some of the records also including the user’s name, gender, and location by country. After Jain and TechCrunch were unable to locate the server’s owner, they contacted the web host and the database was pulled offline.

Related: The Hill: Cybersecurity, Apple Insider, MacDailyNews, Cyber Kendra, The Mac Observer, Tech Insider, MacRumors, Fortune, Futurism,CNET, Japan Today,, The Sun, RT News, Techradar, NDTV, The Guardian, TechSpot, Slashdot

The Hill: Cybersecurity: Report: Millions of Facebook users’ phone numbers found in unsecured database
Apple Insider : Phone numbers of nearly 420M Facebook users exposed online
MacDailyNews: Hundreds of millions of phone numbers from Facebook accounts leaked online
Cyber Kendra: Millions of Facebook Users Phone Number Leaked Online
The Mac Observer: Password-Less Sever Leaked Facebook IDs and Phone Numbers
Tech Insider: Phone numbers for as many as 419 million Facebook users were reportedly found sitting online in a file where anybody could have found them (FB)
MacRumors: Hundreds of Millions of Phone Numbers From Facebook Accounts Leaked Online
Fortune: Facebook and Google Met With U.S. Intelligence About Online Security for the 2020 Presidential Election
Futurism: Phone Numbers of 400M Facebook Users Were Publicly Available
CNET: Facebook users’ phone numbers exposed online
Japan Today: 400 mil Facebook users’ phone numbers exposed in privacy lapse: reports Over 400M Facebook Users’ Records Exposed Online
The Sun: Huge Facebook leak reveals phone numbers of 400MILLION users – including Brits
RT News: Facebook privacy breach: Hundreds of millions of users’ phone numbers exposed
Techradar: Over 400 million Facebook users’ phone numbers exposed online
NDTV Facebook Users’ Phone Numbers Exposed in Online Database, Nearly Half a Billion of Them: Report
The Guardian: Facebook confirms 419m users’ phone numbers exposed in latest privacy lapse
TechSpot: Facebook security breach exposed the phone numbers of over 400 million users
Slashdot: Senator: Mark Zuckerberg Should Face ‘the Possibility of a Prison Term’

August 4, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Breach at Fashion, Sneaker Trading Platform StockX Exposes Millions of Customers’ Data, Company Initially Portrayed Customer Password Resets as ‘System Updates’

Fashion and sneaker trading platform StockX pushed out a password reset email to its users on Thursday citing “system updates” but was instead dealing with the aftermath of a data breach after a hacker stole purportedly more than 6.8 million records in May and sold them for $300 to at least one buyer. The hacker provided TechCrunch with a 1,000 sample stolen records and every person contacted confirmed the data as accurate. The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information such as shoe size and trading currency. After TechCrunch posted a story on the breach, StockX posted a statement confirming the breach.

August 20, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Unprotected MoviePass Database Exposed Nearly 60,000 Customer Records That Featured Customer Card Numbers, Plus Personal Credit Card Data and Billing Information

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards on a critical, passwordless server, Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, discovered. Issued by Mastercard, MoviePass customer cards store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. The exposed database had more than 58,000 records containing card data. The database also included customers’ personal credit card numbers and their expiry date along with billing information, including names and postal addresses. Although Hussein contacted the company CEO about the exposure via email, MoviePass took down the database only after TechCrunch contacted the company.

Related: CNET News, SlashGear » security, iMore, TechCrunch, TechnoBuffalo, The Verge, Tech Insider, MacRumors


August 9, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
‘Kinky, Open-Minded’ Sex App 3Fun Exposes Users’ Personal Data, Real-Time Locations, Profiles of Users at White House and CIA Identified

More than 1.5 million users of dating site, 3Fun,  which bills itself as a “private space” where you can meet “local kinky, open-minded people,” have had their personal data exposed, including their real-time location, because of a vulnerability in the app, according to Pen Test Partners’ researchers. The researchers found they could plug in any coordinates they wanted to spoof their location, revealing sensitive information on anyone within any location of their choosing, including government buildings, military bases, and even intelligence agencies. TechCrunch ran the same tests and discovered profiles of users at the White House and the CIA. The data revealed included sexual orientation, preferred matches, age, username, and their partner’s username, bios and full-resolution profile pictures. 3Fun did not respond for comment.

Related: Pen Test Partners, Daily Mail, The Verge

Tweets:@DefTechPat @TroyHunt

July 28, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Bellingcat Researchers Investigating Activities of Russian Government Targeted by Phishing Attacks on ProtonMail Accounts

Investigative news site Bellingcat has confirmed several of its researchers who work on projects related to activities by the Russian government were targeted by an attempted but failed phishing attack on their ProtonMail accounts. The researchers were targeted by a phishing email purportedly from ProtonMail itself which asked users to change their email account passwords or generate new encryption keys through a similarly-named domain set up by the attackers. The attackers tried to exploit a little-known unpatched flaw in third-party software used by ProtonMail, which has yet to be fixed or disclosed by the software maker. The targeted Bellingcat researchers worked on the ongoing investigation into the downing of flight MH17 by Russian forces and the use of a nerve agent in a targeted killing in the U.K.

Related: Forbes, TechCrunch, Proton Mail, Radio Free Europe/Radio Liberty, The Times of Israel, ThreatConnect, Digital Journal, Channel News Asia IB Times, RAPPLER, Kyiv Post, News Agency UNIAN, Crime Russia


September 18, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Documents Discovered on Nokia Network Employee’s Unprotected Drive Offer Details on Russia’s ‘Lawful Intercept’ Phone and Internet Capabilities

Documents found on an unprotected backup drive owned by an employee of Nokia Networks offer new insight into the scope and scale of the Russian surveillance system known as SORM (Russian: COPM) and how Russian authorities gain access to the calls, messages, and data of customers of the country’s largest phone provider, Mobile TeleSystems (MTS), Chris Vickery, director of cyber risk research at security firm UpGuard, discovered. The documents, nearly two terabytes in size, reveal Nokia’s involvement in providing “lawful intercept” capabilities to phone and internet providers, which Russia mandates by law. They also spell out how, between 2016 and 2017, Nokia planned and proposed changes to MTS’s network as part of the telecom giant’s “modernization” effort. The documents discovered by Vickery include several floor plans, photos and network diagrams for the local phone exchanges. One set of documents show how “modernized” SORM capabilities on MTS’s network also allow the government access to the telecom’s home location register (HLR) database, which contains records on each subscriber allowed to use the cell network, including their international mobile subscriber identity (IMSI) and SIM card details. Vickery informed Nokia of the exposure and the company closed the hole four days later.

Related: Upguard, TechradarGizmodo, Boing Boing

Tweets:@profcarroll @vickerysec @zackwhittaker @zackwhittaker

August 7, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
‘Warshipping’ Technique Allows Attackers to Ship Devices in the Mail Capable of Attacking Target’s Wireless Access

The newly named technique of “warshipping,” which uses disposable, low cost and low power computers shipped via mail to remotely perform close-proximity attacks regardless of the cyber criminal’s location, is an effective way to gain access to a target’s network, according to IBM’s X-Force Red. The researchers developed a proof-of-concept device they call the warship, a unit similar in similar size to a small phone and dropped it off in the mail. The warship was equipped with a 3G-enabled modem, allowing it to be remotely controlled so long as it had cell service. Once the warship arrived at the target destination, the X-Force Red team was able to remotely control the system and run tools to either passively, or actively, attack the target’s wireless access.

September 5, 2019
Ron Miller / TechCrunch

Ron Miller / TechCrunch  
Palo Alto Networks to Buy IoT Security Start-Up Zingbox for $75 Million

Cybersecurity giant Palo Alto Networks announced its intent to acquire IoT security startup Zingbox for $75 million. Founded in 2014, Zingbox brings to Palo Alto a modern cloud-based solution built on a subscription model along with engineering talent to help build out the solution further. The company’s three co-founders, Xu Zou, May Wang, and Jianlin Zeng, will be joining Palo Alto.

August 6, 2019
Zack Whittaker / TechCrunch

Zack Whittaker / TechCrunch  
Democratic Senatorial Campaign Committee Leaked Email Addresses of 6.2 Million Americans on Exposed Server

The Democratic Senatorial Campaign Committee (DSCC), an organization that seeks to elect Democratic candidates to the U.S. Senate, left on an exposed server a spreadsheet containing the email addresses of 6.2 million Americans researchers at Upguard discovered. Upguard found the data in late-July and traced the storage bucket back to a former staffer. The data might reflect people “who had opted out or should otherwise be excluded” from the committee’s marketing. After being contacted by Upguard, the DSCC secured the server immediately.

August 15, 2019
Natasha Lomas / TechCrunch

Natasha Lomas / TechCrunch  
WebKit Publishes New Tracking Prevention Policy That Cracks Down on Malicious Web Tracking Practices, Clamps Down on Those Who Violate It

WebKit, the open-source engine that underpins Internet browsers including Apple’s Safari browser, published its new tracking prevention policy, that spells out the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them. Technologies such as tracking pixels, browser and device fingerprinting and navigational tracking, among others, are deployed by an unregulated digital adtech industry and can be used to violate users’ privacy as well as serve as vehicles for injecting malware. WebKit also said it’s going to treat attempts to circumvent its policy as akin to malicious hack attacks to be responded to in kind; i.e. with privacy patches and fresh technical measures to prevent tracking.