Search Results for “Zack Whittaker”


July 29, 2019
Emily Flitter and Karen Weise / New York Times

Firewall Misconfiguration by Capital One Allowed Hacker to Steal Millions of Credit Applications, Social Security and Bank Account Numbers Affecting More Than 100 Million People in North America

In one of the largest cases of bank data theft ever, software engineer Paige Thompson hacked into a server holding customer information for Capital One, exploiting a firewall misconfiguration in the bank’s network to steal millions of credit card applications, federal prosecutors say. Thompson, who used the online handle “erratic,” was the organizer of a group on Meetup, a social network, called Seattle Warez Kiddies, described as a gathering for “anybody with an appreciation for distributed systems, programming, hacking, cracking.” The F.B.I. noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and the Slack messaging service. Thompson stole 140,000 U.S. Social Security numbers and 77,000 bank account numbers, along with one million Canadian social insurance numbers, in a breach affecting more than 100 million people in the United States and Canada. A “firewall misconfiguration” by the bank had allowed Ms. Thompson to communicate with the server where Capital One was storing its information and, eventually, gain access to customer files, an FBI agent investigating the case said in court documents. Ms. Thompson worked as a systems engineer at Amazon from 2015 to 2016.

Related: CNN, Reuters, Associated Press, Axios, CNBC, NBC News, Politico, Capital One, The Register, Bloomberg, Washington Post, TechCrunch, TechCrunch, Wired, Justice.gov, Ars Technica, CNET, Wall Street Journal, The Verge, The Hill, Venture Beat, Law360, Reuters, Daily Mail, DataBreachToday.com, BGR, USATODAY, Business Insider, The Daily Swig, Newsweek, Financial Times, CRN, CRN, UPI.com, DataBreaches.net, SecurityWeek, MobileSyrup.com, BetaNews, The Verge, GBHackers On Security, SlashGear » security, E-Commerce Times, CNN.com, PCMag.com, The Verge, Evening Standard, Engadget, MarketWatch.com – Software Industry News, TechSpot, Digital Trends, Neowin, Fast Company, Mother Jones, New York Daily News, New on MIT Technology Review, FOX News, The Hacker News, Help Net Security, CBSNews.com, Fortune, Technology News | Boston.com, SecurityWeek, The Huffington Post, Cyberscoop, IT World Canada, ARN, The Guardian, Digital Trends, The Next Web, Android Central, GeekWire, SC Magazine, Techerati, Slashdot, ABC News: U.S., Graham Cluley, Japan Times, Security Affairs, Cyber Kendra, PYMNTS.com, Heavy.com, Computer Business Review, TechNadu, Silicon Republic, Infosecurity Magazine, The State of Security, DataBreaches.net, Gadgets Now, Courthouse News Service, BBC News – World, BleepingComputer.com, ITV News, RT USA, AOL, New York Post, EJ Insight, Mercury News, TODAYonline, CBC, Deutsche Welle, Gizmodo, News : NPR, POLITICO, Gizmodo, Daily Beast, GeekWire

Tweets: @zackwhittaker @briankrebs @cnbcnow @gregotto @yoda @RepKatiePorter @zackwhittaker @Wired @BleepingComputer @kimzetter @dnvolz @BleepingComputer @McGrewSecurity @weldpond @h0tdish @hacks4pancakes @RayRedacted @catcalvinla @malwarejake @somanyshrimp @TorresLuzardo

CNN: A hacker gained access to 100 million Capital One credit card applications and accounts
Reuters: Capital One reveals 100M affected by data breach, hacker arrested
Associated Press: Capital One says hacker gained access to personal information of more than 100 million people
Axios: 100 million credit card applications stolen from Capital One
CNBC: Capital One data breach exposes tens of thousands of Social Security numbers, linked bank accounts
NBC News: Over 100 million credit card applicants at risk in Capital One breach, Seattle woman arrested
Politico: Capital One reveals historic data breach after FBI arrests Seattle suspect
Capital One: Capital One Announces Data Security Incident
The Register: Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants
Bloomberg: Capital One Says Breach Hit 100 Million Individuals in U.S.
Washington Post: Capital One says data breach affected 100 million credit card applications
TechCrunch: Capital One’s breach was inevitable, because we did nothing after Equifax
TechCrunch: Capital One hacked, over 100 million customers affected
Wired: THE ALLEGED CAPITAL ONE HACKER DIDN’T COVER HER TRACKS
Justice.gov: Seattle Tech Worker Arrested for Data Theft Involving Large Financial Services Company
Ars Technica: Feds: former cloud worker hacks into Capital One and takes data for 106 million people
CNET: Capital One data breach involves 100 million credit card applications
Wall Street Journal: Capital One Reports Data Breach Affecting 100 Million Customers, Applicants
The Verge: Massive Capital One breach exposes personal info of 100 million Americans
The Hill: Woman arrested, accused of hacking 100 million Capital One records
Venture Beat: Capital One announces hack affecting 106 million U.S. and Canadian customers
Law360: Capital One Says Breach Impacted 106M As Suspect Arrested – Law360
Daily Mail: Ex-tech worker arrested for Capital One hack after stealing data from 100 million customers
DataBreachToday.com: Woman Arrested in Massive Capital One Data Breach
BGR: Hacker steals data for more than 100 million Capital One users, then brags about it and gets arrested
USATODAY: Massive data breach hits Capital One affecting more than 100 million customers
Business Insider: Capital One data breach, affecting tens of millions
The Daily Swig: Millions affected by Capital One data breach
Newsweek: Capital One Data Breach: How to Know, and What You Should Do, If Your Account Has Been Compromised
Financial Times: Capital One reports massive data breach
CRN: Capital One Breach Exposed Data From 106M Credit Card Applicants, Users
UPI.com: Capital One data breach affects 100M credit card applicants
DataBreaches.net: Capital One says data breach affected 100 million credit card applications
SecurityWeek: CapitalOne Discloses Massive Data Breach: 106 Million Impacted
MobileSyrup.com: Capital One data breach could have affected six million Canadian bank accounts
BetaNews: Personal details of 106 million Americans and Canadians stolen in huge Capital One data breach
GBHackers On Security: Capital One Hacked – Over 100 Million Credit Card Application Data Exposed
SlashGear » security: Capital One hack affects over 100 million people in the US and Canada
E-Commerce Times: Equifax Data Breach Settlement No Wrist Slap
CNN.com: Worried about the Capital One hack? Here’s what to do
PCMag.com: Capital One Suffers Data Breach Affecting 100 Million Customers
Evening Standard: Capital One data breach 2019: What to do if you have been affected
Engadget: Capital One data breach affected 100 million in the US
MarketWatch.com – Software Industry News: Everything you need to know about the massive Capital One hack, but were afraid to ask
TechSpot: Capital One hack exposed 100 million US customers’ personal details
Digital Trends: New Capital One data breach affects 100 million people. Here’s the very latest
Neowin: Over 100 million accounts compromised after Capital One data breach
Fast Company: Capital One data breach: what was stolen and how to find out if you are affected
Mother Jones: What’s In Your Wallet?
New York Daily News: Capital One hit with data breach affecting some 100 million U.S. customers
New on MIT Technology Review: A hacker stole the personal data of 100 million Capital One customers
FOX News: Capital One data breach exposes info of 106M customers, applicants; suspect arrested
The Hacker News: Capital One Data Breach Affects 106 Million Customers; Hacker Arrested
Help Net Security: Capital One breach: Info on 106 million customers compromised, hacker arrested
CBSNews.com: Capital One data breach hits more than 100 million people
Fortune: Hacker May Have Stole Info About Millions of Capital One Customers, U.S. Says
Technology News | Boston.com: Capital One target of massive data breach
SecurityWeek: Capital One Target of Massive Data Breach
The Huffington Post: Credit Card Company Reveals 100 Million People May Be Affected By Hack
Cyberscoop: Capital One announces massive data breach; lone suspect arrested in Seattle
IT World Canada: Six million Canadians impacted by Capital One data breach
ARN: Capital One: hacker gained access to personal information of over 100 million Americans
The Guardian: Capital One: hacker stole data of over 100m Americans
Ars Technica: Hacker ID’d as former Amazon employee steals data of 106 million people from Capital One
Axios: 100 million credit card applications were stolen from Capital One
The Next Web: Capital One data breach compromises 106 million customers’ personal data
Android Central: Capital One breach exposes personal details of over 100 million customers
SC Magazine: Capital One hacker who stole personal info on 100M arrested | SC Media
AP Breaking News: Capital One target of massive data breach
Techerati: Capital One breach affecting 106 million customers caused by misconfigured cloud storage
Slashdot: Capital One Says Hacker Breached Accounts of 100 Million People; Ex-Amazon Employee Arrested
ABC News: U.S.: Capital One target of massive data breach
Graham Cluley: Woman arrested after Capital One hack spills personal info on 106 million credit card applicants
Japan Times: Hacker accesses over 100 million Capital One credit applications in massive data breach
Zero Hedge: Capital One Admits Massive Data Breach: 100 Million Americans Affected, Seattle Woman Arrested
Security Affairs: Capital One data breach: hacker accessed details of 106M customers before its arrest
Cyber Kendra: Capital One Suffered Data Breach 106 Million People Affected
PYMNTS.com: Cap One Hack Hits 100M Credit Card Applications
Heavy.com: Paige Adele Thompson: 5 Fast Facts You Need to Know
Computer Business Review: Capital One Hacker was Ex-AWS Employee
TechNadu: Capital One Reports a Major Data Breach Affecting 106 Million Individuals in the USA & Canada
Infosecurity Magazine: Capital One Breached by Cloud Insider in Major Attack
Tech Insider: Amazon’s cloud was at the heart of the big Capital One hack, even though it doesn’t seem to be at fault (AMZN, COF)
The State of Security: Woman arrested after Capital One hack spills personal info on 106 million credit card applicants
Gadgets Now: Capital One hacked, says information of 100 million-plus users leaked
Reuters: Capital One says information of over 100 million individuals in U.S., Canada hacked
BBC News – World: Capital One data breach: Arrest after details of 100m US individuals stolen
TIME: Capital One Information Hacked in Massive Data Breach
NDTV Gadgets360.com: Capital One Bank Targeted in Massive Data Breach
BleepingComputer.com: Capital One Data Breach Affects 106 Million People, Suspect Arrested
ITV News: 100 million applications targeted in Capital One bank data breach
RT USA: 100mn+ people’s data exposed in Capital One bank hack, thousands of SSNs & accounts leaked
AOL: Capital One: information of over 100 mln individuals in U.S., Canada hacked
New York Post: Capital One reveals 100M affected by data breach, hacker arrested
EJ Insight: Capital One data breach affects millions in US, Canada
Mercury News: Capital One: Hacker got info on 100M in the US, 6M in Canada
CBC: Hacker obtained personal information of 6 million people in Canada
Deutsche Welle: Capital One data theft: US arrests ‘erratic’ hacker
Gizmodo: Hacker Claims to Be in Possession of Personal Info on Up to 20,000 LAPD Applicants
POLITICO: Capital One reveals historic data breach after FBI arrests Seattle suspect
Daily Beast: Tens of Millions of Credit Card Applications Stolen in Capital One Breach
GeekWire: Seattle engineer arrested for Capital One hack that affected 100M people

@zackwhittaker: Wow. Capital One discloses massive data breach: 100M in US, 6M in Canada. One person in FBI custody. Credit files, applications, the lot. Hard to see this as anything other than Equifax 2.0. http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043
@briankrebs: Nice write up. Yes, this appears to be her resume. Worked at Amazon 2015-2016
@cnbcnow: BREAKING: Capital One says data breach has “affected approximately 100M individuals in the United States & approximately 6M in Canada” but “no credit card account numbers or log-in credentials were” taken and “99% of Social Security numbers” weren’t stolen
@gregotto: According to the FBI, a firewall misconfiguration was partly responsible for allowing Thompson to access the Capital One cloud storage
@yoda: what kind of wordsmith fuckery is this???
@RepKatiePorter: One week *to the day* after Equifax announced its settlement terms. It’s clear corporations won’t clean up their acts on their own. We need to create an enforceable federal data privacy standard, so I’m drafting that bill.
@zackwhittaker: Incredible. Capital One's data breach site is titled "Facts." And yet it also pulls this bullshit by saying that no Social Security numbers were breached... except for all the Social Security numbers that were breached. Fuck you, Capital One.
@Wired: On Monday, the FBI and Capital One disclosed a data breach of 106 million credit card applications, one of the biggest breaches of a major financial institution ever. And now someone has been arrested in connection with the crime:
@BleepingComputer: The suspect allegedly posted about her accessing of Capital One's data on GitHub. A security researcher saw her post and contacted Capital One.
@kimzetter: This Capital One breach definitely has more going on to it than the headlines suggest. Perhaps not a coordinated vuln disclosure gone wrong? but something is def weird about it - she used Tor to access the data but then publicly posted the data to an account with her name?
@dnvolz: The arrested suspect behind the hack, Paige Thompson, is a former employee of Amazon Web Services, according to people familiar with the matter. She is accused of breaching a misconfigured Capital One firewall to access data stored in AWS. via @nicole_hong
@BleepingComputer: This breach was discovered by a security researcher who responsibly disclosed a vulnerability to Capital One. After investigating the vulnerability, Capital One discovered that an unauthorized user accessed their systems and data between March 22 and 23, 2019.
@McGrewSecurity: Located the Capital One hacker's twitter (also thanks to those that backchanneled on the topic). Clearly they were/are in a bad state mentally/emotionally. I've deleted the earlier tweets about her. I hope they find some peace.
@weldpond: The FBI said the suspect, Paige A. Thompson, was apprehended after she “made statements on social media for evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally,”
@h0tdish: Insider/ex employee threats and those who willingly commit crimes, creating, selling malware or stealing info via exploit/breach ARE NOT heroes & anyone who frames it that way has to explain why they're not currently launching a legal $ raiser for her but did for other criminals.
@hacks4pancakes: I feel a great disturbance in the Force, like dozens of Capital One cybersecurity analysts who were screaming futilely into the wind for years were suddenly silenced.
@RayRedacted: I have removed all of my OSINT posts about the Capital One hacker, because it is clear that she is suffering from mental illness. Mental illness does not discriminate. It can affect anyone. I truly hope she gets the help she needs.
@catcalvinla: At this point, I’m getting like two breach notices a day. Who DOESN’T have my info?
@malwarejake: Takeaways from #CapitalOne: 1. Having a disclosure program may have saved them. I'm FAR less likely to report to an org that lacks a disclosure policy. http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043
@somanyshrimp: Losing your personal information in a massive data breach is just a thing that happens now, like 110 degree days and regular mass shootings
@TorresLuzardo: I'm trying to come up with an analogy but there's really no topping this. No SSNs were stolen except 140,000 of them.


February 13, 2020
Zack Whittaker / TechCrunch

Senator Kirsten Gillibrand Drafts Bill to Create U.S. Federal Data Protection Agency to Protect Privacy, Enforce Data Practices

Senator Kirsten Gillibrand (D-NY) has drafted a bill, the Data Protection Act, that would create a U.S. federal data protection agency designed to protect the privacy of Americans and with the authority to enforce data practices across the country. The bill would allow the newly created agency to hear and adjudicate complaints from consumers and declare certain privacy-invading tactics as unfair and deceptive. The agency would serve as the government’s “referee,” taking point on federal data protection and privacy matters, such as launching investigations against companies accused of wrongdoing. The bill particularly takes issue with “take-it-or-leave-it” provisions, such as when websites compel a user to “agree” to allowing cookies with no way to opt out. The would-be federal agency would also have the power to bring civil action against companies, and to fine companies up to $1 million a day for egregious breaches of the law.

Related: CNBC, Silicon Republic, The Verge, protocol, Kirsten Gillibrand, Engadget, LinuxSecurity – Security Articles, Roll Call, Schneier on Security

Tweets: @zackwhittaker


November 17, 2019
Zack Whittaker / TechCrunch

Backup File Unprotected by Password Exposed Data for 452,000 Players of Magic: The Gathering

A security lapse exposed the data of 452,000 players of the game Magic: The Gathering, the game maker Wizards of the Coast has confirmed. Wizards of the Coast said it had left a database backup file in a public Amazon Web Services storage bucket without password protection, exposing the users’ data; the file was discovered by U.K. cybersecurity firm Fidus Information Security. The database included player names and usernames, email addresses, and the date and time of the account’s creation, with the data going back to 2012. The database also had user passwords, which were hashed and salted, making them difficult but not impossible to unscramble, along with about 470 email addresses associated with Wizards’ staff. After TechCrunch reached out to the game maker, it pulled the storage bucket offline.

August 4, 2019
Zack Whittaker / TechCrunch

Breach at Fashion, Sneaker Trading Platform StockX Exposes Millions of Customers’ Data, Company Initially Portrayed Customer Password Resets as ‘System Updates’

Fashion and sneaker trading platform StockX pushed out a password reset email to its users on Thursday citing “system updates” but was in fact dealing with the aftermath of a data breach, after a hacker stole purportedly more than 6.8 million records in May and sold them for $300 to at least one buyer. The hacker provided TechCrunch with a sample of 1,000 stolen records, and every person contacted confirmed the data as accurate. The stolen data contained names, email addresses, scrambled passwords (believed to be hashed with the MD5 algorithm and salted), and other profile information such as shoe size and trading currency. After TechCrunch posted a story on the breach, StockX posted a statement confirming the breach.

July 29, 2019
Zack Whittaker / TechCrunch

Hacker Gained Access to Internal Files, Documents of Security Company Comodo By Using Publicly Exposed Email Address, Password

A hacker gained access to internal files and documents owned by security company and SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet, Comodo software developer Jelle Ursem discovered. With these credentials, the hacker was able to log into the company’s Microsoft-hosted cloud services, which were not protected with two-factor authentication. Comodo said that the account was an “automated account used for marketing and transactional purposes,” adding: “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Separately, Tenable Research reported last week that multiple vulnerabilities were discovered in version 12.0.0.6810 of Comodo Antivirus and Comodo Antivirus Advanced.

Related: SC Magazine, IB Times, Infosecurity Magazine, The Daily Swig, Tenable, Tenable Tech Blog, ZDNet

Tweets: @zackwhittaker


July 28, 2019
Zack Whittaker / TechCrunch

Bellingcat Researchers Investigating Activities of Russian Government Targeted by Phishing Attacks on ProtonMail Accounts

Investigative news site Bellingcat has confirmed several of its researchers who work on projects related to activities by the Russian government were targeted by an attempted but failed phishing attack on their ProtonMail accounts. The researchers were targeted by a phishing email purportedly from ProtonMail itself which asked users to change their email account passwords or generate new encryption keys through a similarly-named domain set up by the attackers. The attackers tried to exploit a little-known unpatched flaw in third-party software used by ProtonMail, which has yet to be fixed or disclosed by the software maker. The targeted Bellingcat researchers worked on the ongoing investigation into the downing of flight MH17 by Russian forces and the use of a nerve agent in a targeted killing in the U.K.

Related: Forbes, TechCrunch, Proton Mail, Radio Free Europe/Radio Liberty, The Times of Israel, ThreatConnect, Digital Journal, Channel News Asia, IB Times, RAPPLER, Kyiv Post, News Agency UNIAN, Crime Russia

Tweets: @zackwhittaker


September 14, 2019
Amanda Connolly, Mercedes Stephenson, Stewart Bell, Sam Cooper and Rachel Browne / Global News

RCMP Arrest One of Their Own Senior Intelligence Officials for Espionage Dating Back to 2015, Amassed Terabytes of Sensitive Information and Now Stands Accused of Passing Information to Foreign Entity

In what could be one of the worst cases of espionage the country has ever experienced, Canada’s national police have arrested a senior intelligence official in the RCMP, Cameron Ortis, who now faces seven counts dating as far back as 2015, including breach of trust, communicating “special operational information,” and obtaining information in order to pass it to a “foreign entity.” The case was uncovered by U.S. authorities as part of a wider operation involving NATO allies and the Five Eyes countries of Canada, Australia, New Zealand, the U.S. and U.K. The charges did not specify which foreign entity or what type of information, but a source said he had amassed “terabytes of information,” including a list of undercover operatives. John MacFarlane, Public Prosecution Service of Canada official, said Ortis was accused of having “obtained, stored, processed sensitive information we believe with the intent to communicate it to people that he shouldn’t be communicating it to.”

Related: South China Morning Post, AP Top News, Reuters: World News, Daily Beast

Tweets: @MercedesGlobal @zackwhittaker @zackwhittaker @allanfriedman


February 8, 2020
Catalin Cimpanu / ZDNet

Facebook, Facebook Messenger Accounts on Twitter and Instagram Hacked by OurMine Crew, Hackers Tweeted Via Social Media Tool Khoros

Facebook’s and Facebook Messenger’s official accounts on Twitter and Instagram were temporarily taken over and then defaced by a group of hackers known as OurMine, the same hacker group who last week defaced Twitter, Instagram, and Facebook accounts for the NFL, 15 NFL teams, and sports TV station ESPN. It appears that, as was the case with the NFL hacks, the hackers tweeted via an app named Khoros, a social media tool that’s usually used by digital marketing and public relations departments. The OurMine crew has a long history of taking over high-profile accounts, including Jack Dorsey, CEO of Twitter, and Mark Zuckerberg, CEO of Facebook.

Related: The Age, CNET News, New York Daily News, Mashable, Graham Cluley, Gizmodo, Engadget, Channel News Asia, BBC News – Home, Reuters, Sky News, Mirror, CTVNews.ca, GlobalNews.ca, TechCrunch, Yahoo! News, POLITICO, Mashable, Tech Insider, RT News, Input, The Verge, CNN.com, NBC News Top Stories, Daily Mail, Bloomberg, Engadget, Fortune

Tweets: @RMac18 @campuscodi @zackwhittaker @zackwhittaker @Facebook @RachelTobac

The Age: Twitter says Facebook, Messenger accounts hacked
CNET News: Facebook’s accounts on Twitter and Instagram were hacked – CNET
New York Daily News: Facebook’s Twitter account gets hacked
Mashable: Sad internet man Ted Cruz tells Twitter to ban Iran’s Supreme Leader
Graham Cluley: Facebook’s Twitter account is hijacked by notorious OurMine hacking group
Gizmodo: Facebook’s Twitter Account Just Got Hijacked (For Like 2 Seconds)
Engadget: ‘OurMine’ group briefly hijacked Facebook’s Twitter and Instagram accounts
Channel News Asia: Twitter says Facebook, Messenger accounts hacked
BBC News – Home: Facebook’s Twitter and Instagram accounts hacked
Reuters: Twitter says Facebook, Messenger accounts hacked
Sky News: Facebook’s Instagram and Twitter accounts hijacked
Mirror: Facebook’s Twitter and Messenger accounts hacked by group offering to improve security
CTVNews.ca: Facebook’s official Twitter and Instagram accounts were hacked
GlobalNews.ca: Twitter accounts belonging to Facebook hacked
TechCrunch: Facebook’s Twitter account compromised, hacker group claims credit
Yahoo! News: Twitter says Facebook, Messenger accounts hacked
POLITICO: 2 Facebook accounts on Twitter hacked
Mashable: Facebook’s official Twitter and Instagram accounts hacked
Tech Insider: Facebook’s Twitter account was hijacked by the same group that hacked a bunch of NFL accounts (TWTR, FB)
RT News: ‘Even you are hackable’: Facebook gets its Twitter & Instagram accounts hacked, trolled with cybersecurity services offer
Input: OurMine hackers take over Facebook’s Twitter and Instagram accounts
The Verge: The NFL account hijackers just compromised Facebook’s Twitter and Instagram accounts
WCCFtech: OurMine Takes Over Facebook’s Twitter Account
CNN.com: Facebook’s official Twitter and Instagram accounts were hacked
NBC News Top Stories: Facebook’s Twitter account hacked
Daily Mail: Facebook’s official Twitter and Instagram accounts are hijacked by hackers who cracked NFL and ESPN
Bloomberg: Facebook’s Twitter Account Appears to Have Been Hacked
Fortune: Facebook’s Twitter account appears to have been hacked

@RMac18: Twitter's statement: "Confirming the account was hacked through a third-party platform. As soon as we were made aware of the issue, we locked the compromised account and are working closely with our partners at Facebook to restore them."
@campuscodi: Hackers deface Facebook's official Twitter and Instagram accounts - Hackers also defaced Facebook Messenger's Twitter & Instagram accounts - Unauthorized tweets came from Khoros app (same one from the NFL & ESPN hacks) https://zdnet.com/article/hackers-deface-facebooks-official-twitter-and-instagram-accounts/
@zackwhittaker: "But please trust us to keep your data secure."
@zackwhittaker: In fairness, social media accounts are low hanging fruit. But so was the AP's Twitter account when that was hacked and caused the Dow to plunge after a tweet went out saying there was an explosion at the White House.
@Facebook: Some of our corporate social accounts were briefly hacked but we have secured and restored access
@RachelTobac: The use of social media management tools like Khoros widen your attack surface (as we've seen with Facebook & others). If your social media usually has MFA on but your org uses a 3rd party tool that isn't secured with MFA bc multiple people manage it, that's a gap for attackers.


January 30, 2020
Zack Whittaker / TechCrunch

Social Media Startup Social Captain Exposed Thousands of Instagram Account Passwords Stored in Plaintext, Bug Allowed Access to Any User’s Profile

A social media boosting startup called Social Captain, which bills itself as a service to increase a user’s Instagram followers, has exposed thousands of Instagram account passwords by storing them in unencrypted plaintext. Users who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform. Even more concerning, a website bug allowed anyone to access any Social Captain user’s profile without having to log in, simply by plugging a user’s unique account ID into the company’s web address. An anonymous security researcher provided TechCrunch with a spreadsheet of about 10,000 scraped user accounts. The spreadsheet contained 4,700 complete sets of Instagram usernames and passwords. Social Captain said that after an investigation, it would alert users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations. Instagram said the service breached its terms of service by improperly storing login credentials and would take appropriate action.

January 21, 2020
Joseph Menn / Reuters

Apple Reportedly Dropped Plans to Let iPhone Users Fully Encrypt Backups After FBI Objected

About two years ago, Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, according to six sources. Under the cloud encryption plan, primarily designed to thwart hackers, Apple would have no longer had a key to unlock the encrypted data, meaning it would not have been able to turn material over to authorities in a readable form even under court order. The FBI reportedly argued against this plan, saying it would deny them the most effective means for gaining evidence against iPhone-using suspects, and Apple ultimately dropped the idea.

Related: 9to5Mac, The Verge, MacRumors, iMore, iPhone Hacks, The Apple Post, CNET, AppleInsider, iDownloadBlog.com, Engadget, Input, iMore, Security – Computing, CNET, San Jose Business News, Cult of Mac, Mashable, Reddit – cybersecurity, Tech Insider, Fast Company, News Tom’s Guide, The Mac Observer, Daily Dot, HotHardware.com, Patently Apple, WCCFtech, WinBuzzer, PCMag.com, VentureBeat, CNBC, MacDailyNews, Slashdot, The Loop

Tweets: @matthew_d_green @zackwhittaker @zackwhittaker @alexstamos @dnvolz @josephmenn @hatr @elcomsoft @rstephens @Bing_Chris @kennwhite @josephmenn @dhh @ByJuliaLove @weldpond @NathonSecurity @YuanfenYang

9to5Mac: Apple reportedly abandoned plans to roll out end-to-end encrypted iCloud backups, apparently due to pressure from the FBI
The Verge: Apple reportedly scrapped plans to fully secure iCloud backups after FBI intervention
MacRumors: Apple Reportedly Dropped Plans for End-to-End Encrypted iCloud Backups After FBI Objected
iMore: Apple may have abandoned iCloud encryption after the FBI complained
iPhone Hacks: Apple Reportedly Dropped End-to-End Encryption for iCloud Backups After FBI’s Objection
The Apple Post: Apple pulled end-to-end iCloud backup encryption plans after FBI objected
CNET: Apple apparently abandoned encrypted iCloud backup plans after FBI pressure
AppleInsider: Apple dropped plans to encrypt iCloud after the FBI complained
iDownloadBlog.com: Reuters: the FBI pressured Apple not to encrypt iCloud backups
Engadget: Apple reportedly dropped iCloud encryption plans amid FBI pressure
Input: Report: F.B.I. complaints stopped Apple from encrypting iCloud backups
Security – Computing: Apple U-turned on icloud end-to-end encryption plan following FBI complaints
CNET: Apple reportedly ditched plan for encrypted iCloud backup after FBI pressure
San Jose Business News: Why Apple dropped plans to encrypt iPhone backups in iCloud
Cult of Mac: Apple ditched plans for secure iCloud backups after FBI concern
Mashable: Apple reportedly backed off encrypting iCloud data after pressure from the FBI
Reddit – cybersecurity: Apple dropped plan for encrypting backups after FBI complained
Tech Insider: Apple killed a security project after the FBI pushed back, sources say (AAPL)
Fast Company: Report: Apple killed plans for end-to-end encrypted iCloud backups after the FBI complained
News Tom’s Guide: Apple backed off iCloud encryption because of FBI (Report)
The Mac Observer: Apple Cancels iCloud Encryption Plan Due to FBI
Daily Dot: Apple’s iCloud encryption plan halted amid FBI pressure, report
HotHardware.com: Apple Was All-In On Encrypted iCloud Backups, Until The FBI Came Knocking
Patently Apple: Apple has Reportedly Dropped Plans to let iPhone users Fully Encrypt Backups of their Devices in iCloud
WCCFtech: Apple Dropped Full Encryption Plans for iCloud Backups After FBI’s Request
WinBuzzer: Apple Says FBI Shut Down Plans To Encrypt iCloud Backups
Neowin: Apple reportedly doesn’t encrypt iCloud backups because the FBI said not to
PCMag.com: Report: Apple Dropped Plans for Fully-Encrypted iCloud Backups
VentureBeat: Apple’s iCloud backups are unencrypted due to law enforcement pressure
CNBC: Apple dropped plan for encrypting iPhone backups after FBI complained, sources say
MacDailyNews: Apple killed iCloud encryption after FBI complained
Slashdot: Apple Dropped Plan for Encrypting Backups After FBI Complained
The Loop: Apple dropped plan for encrypting backups after FBI complained – sources

@matthew_d_green: I suspected this was true ever since Apple released iCloud Keychain and did nothing interesting with it. Government pressure works.
@zackwhittaker: “Legal killed it, for reasons you can imagine.”
@zackwhittaker: Good reporting citing a lot of sources, but still unclear precisely why Apple's plan was dropped. Another said that customers "would find themselves locked out of their data more often."
@alexstamos: Another huge @josephmenn scoop. At least the FBI needs a search warrant. Remember that Apple turned over storage of Chinese iCloud backups to "Guizhou on the Cloud Big Data Industrial Development Co, Ltd."
@dnvolz: Apple dropped plans to let iPhone users fully encrypt backups of their devices in the company's iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters https://reuters.com/article/us-apple-fbi-icloud-exclusive-idUSKBN1ZK1CT great scoop from @josephmenn
@josephmenn: The larger point of this story, of course, is not that Apple is “bad” on privacy. It’s that there is more cooperation across the industry than meets the eye, and no one has an incentive to say so. Apple is much better than most, so there is the greatest pressure on it to deal.
@hatr: Apple originally had planned to encrypt user-content on iCloud. Now, Reuters reports, those plans have been dropped after the FBI complained about the move hampering investigations. Regular users would have benefitted the most. https://reuters.com/article/us-apple-fbi-icloud-exclusive-idUSKBN1ZK1CT
@elcomsoft: Exclusive: Apple dropped plan for encrypting backups after FBI complained - sources | Article [AMP] | Reuters
@rstephens: I think this will come as a surprise to most people. I actually thought our iCloud backups were end-to-end encrypted. You can’t put up those Privacy billboards and yet have iCloud backups unencrypted.
@Bing_Chris: Wild story. Important context in that it shows Apple is vulnerable to FBI/DOJ pressure, despite stance on backdoors at the moment -> Exclusive: Apple dropped plan for encrypting backups after FBI complained https://reut.rs/37gt7GJ (by @josephmenn)
@kennwhite: NB: iMessage and WhatsApp back up all messages to iCloud. Signal on Android does not by default. Signal on iOS doesn't allow iCloud backups at all.
@josephmenn: Bits that did not make the story: #Signal chats do not back up to iCloud. And Apple has made it easier to avoid iCloud when moving to a new phone.
@dhh: The iPhone already has an encryption back door for almost all users: The iCloud backup. Apple was going to close that door, but backed down in fear of angering the FBI. For shame.
@ByJuliaLove: This is one of those scoops that changes your understanding of everything. After Apple's battle w the FBI in 2016, I assumed the company was still taking a tough line with law enforcement. The story was more complicated behind the scenes. By @josephmenn
@weldpond: I wonder if 3rd parties will fill the void of secure iPhone backup now.
@NathonSecurity: Question is, can Apple remotely enable iCloud backups? If so, would it comply with a law enforcement request to do so?
@YuanfenYang: If Apple had gone ahead with giving users true end-to-end encryption for iCloud backups, it would have given much relief to Chinese iCloud users — whose data is now stored in-country, along with their encryption keys. Amazing scoop by @josephmenn