Tag Archives: user names

Breach Brief – Macy’s, Adidas

Macy’s has reported a breach of customer data. It affects Macy’s online customers and exposed names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. Macy’s pointed out that it does not store card verification values (CVV) or Social Security numbers in its online customer profiles; the stolen card data is therefore missing the field most online checkouts ask for, but a card number plus expiration date is still enough for fraud at merchants that do not check the CVV, so watch your statements. Macy’s has reported the breach and the exposed card numbers to Visa, MasterCard, American Express and Discover. It has not said how many customers are affected.

According to Macy’s the breach took place between April 26 and June 12. The company said an “unauthorized third party” had obtained usernames and passwords and used them to log into the online profiles of Macy’s and Bloomingdale’s (a Macy’s subsidiary) shoppers. Macy’s has not said how the credentials were obtained. As described, the attacker signed in with valid credentials rather than breaking Macy’s systems, a pattern consistent with passwords reused from other breaches being tried against a new site, though Macy’s has not confirmed that. Macy’s reported the breach in a letter to the New Hampshire Attorney General’s Office on July 2.

Macy’s has frozen profiles that showed suspicious activity until the affected customers change their passwords.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” the company said in a statement. “Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

 

Adidas

Adidas, the sportswear and equipment maker, has warned online shoppers in the U.S. that their personal information may have been compromised in a suspected data breach. Adidas became aware of the incident on June 26; analysts say potentially millions of customers could be affected.

A preliminary investigation indicates the attacker may have taken customers’ contact information, usernames and encrypted passwords. Adidas does not believe any credit card or health and fitness information was compromised. Adidas has not said what “encrypted” means here, and it matters: if the passwords were hashed with a salted, slow function (bcrypt, scrypt or PBKDF2 with a high work factor) the thief has to guess each one individually; if they were hashed with a single unsalted round of MD5 or SHA-1, or encrypted with a key the thief may also have taken, they are effectively plaintext. Until Adidas says which, treat the password as exposed and change it anywhere you reused it.

A statement on Adidas’ website read: “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The company is in the process of notifying affected customers.
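What “encrypted passwords” can mean in practice, as an added example (this is not Adidas’ code; Adidas has not described its scheme): the same tiny leaked user table protected two ways, then attacked with the same wordlist. The user names, passwords, wordlist and the `pbkdf2$...` record format are constructed for this demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed data for the demo: a tiny leaked user table and the attacker's
# wordlist. Real dumps have millions of rows and wordlists of billions of entries.
COMMON_PASSWORDS: List[str] = ["123456", "password", "adidas2018", "letmein", "qwerty"]


def weak_store(password: str) -> str:
    """Unsalted single SHA-256, which breach notices still tend to call 'encrypted'.
    Equal passwords give equal digests, so one precomputed table cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Random per-user salt plus PBKDF2-HMAC-SHA256 with a high iteration count.
    Record format (an assumption of this example): pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unknown scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), digest_hex)


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Attacker hashes the wordlist once, then recovers every matching user by lookup."""
    table = {weak_store(w): w for w in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Salts kill the shared table: the slow KDF must run once per (user, guess) pair.
    Weak passwords still fall, but at len(users) * len(wordlist) * iterations cost,
    which is the time window users get to change reused passwords."""
    recovered: Dict[str, str] = {}
    for user, stored in leaked.items():
        for guess in wordlist:
            if verify_strong(guess, stored):
                recovered[user] = guess
                break
    return recovered


def demo() -> Dict[str, object]:
    # alice and dana chose the same password; carol's is not in the wordlist.
    users = {"alice": "adidas2018", "bob": "letmein", "carol": "Tr0ub4dor&3-xkcd", "dana": "adidas2018"}
    weak_db = {u: weak_store(p) for u, p in users.items()}
    strong_db = {u: strong_store(p) for u, p in users.items()}
    return {
        "weak_cracked": crack_unsalted(weak_db, COMMON_PASSWORDS),
        "strong_cracked": crack_salted(strong_db, COMMON_PASSWORDS),
        # Linkability: unsalted digests reveal that alice and dana share a password.
        "weak_links_users": weak_db["alice"] == weak_db["dana"],
        "strong_links_users": strong_db["alice"] == strong_db["dana"],
    }
```

The takeaway: with the unsalted table the attacker’s cost is one hash per wordlist entry no matter how many users leaked, and identical digests show which users share a password; with per-user salts and a slow KDF the cost is one KDF run per user per guess and the linkage disappears. Weak passwords fall either way, which is why the first thing to do after a notice like this is to change any password you reused.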

ALERT!-Google Docs Phishing Attack-ALERT!

Right now millions of email users are getting a seemingly innocent email asking them to view a Google Docs file. DO NOT CLICK ON IT! DELETE IMMEDIATELY!

The email takes the user to an excellent replica of the Google Docs page you would normally see; the hackers copied the newest version of the page. To make matters worse, the URL is very close to the real Google Docs web address. The email itself looks as if it came from a legitimate email address and even uses a .gov email address.

The email is not known to deliver malware. What it does is get you to hand over access to your account: user names and passwords, and, as Google’s second statement below makes clear, third-party application permissions, which a password change alone does not revoke.

In a statement a Google PR representative said: “We have taken action to protect users against an email impersonating Google Docs, and have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail.”

Google later sent out a second statement, this time directly from Google, that read: “We realize people are concerned about their Google accounts, and we’re now able to give a fuller explanation after further investigation. We have taken action to protect users against an email spam campaign impersonating Google Docs, which affected fewer than 0.1% of Gmail users. We protected users from this attack through a combination of automatic and manual actions, including removing the fake pages and applications, and pushing updates through Safe Browsing, Gmail, and other anti-abuse systems. We were able to stop the campaign within approximately one hour. While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event; users who want to review third party apps connected to their account can visit Google Security Checkup.”

If you have received the suspect email there are a few things you can do.

  1. Do not click on it, even if it comes from someone you know. Always be suspicious of links and attachments you are not expecting or whose origin you do not know. When you get an email containing a link or attachment, contact the sender by another route and ask what it is. They may not know their account is being used to send spam or malware.
  2. Use multi-factor authentication. Many websites offer it. It is simply an extra step to protect you on the web: the system often works by sending a second code via text message to your smartphone, which helps when you sign in from a computer you do not normally use and stops someone who has only your password. Two caveats: a code delivered by SMS can itself be phished or intercepted, so an authenticator app or hardware key is stronger; and a second factor protects your sign-in, not permissions you grant to a third-party app after signing in, which is why step 3 matters.
  3. If you have already clicked on the suspect email, or are not sure, revoke third-party access from your Google account’s security settings (the Security Checkup Google mentions above) and change your Google password.
  4. Finally, report the incident by clicking the downward arrow at the top right of your inbox and selecting “Report Phishing.”

Remember, try to avoid catching “click around fever,” the compulsion to click on links or attachments in your email or visit websites just out of curiosity. Many malware infections come from what is commonly known as a drive-by download: the instant you click on the wrong thing or visit the wrong website, you are infected.
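A check that catches the lookalike-address trick described above, as an added example (not Google’s code): it pulls the links out of an email body, undoes the common character tricks and flags hosts that mention Google or Docs without being a google.com host, plus the user-info trick (`docs.google.com@evil.net`, where the browser actually connects to evil.net). The allow-list, brand tokens and sample email are constructed for the demo, and the registrable-domain rule is a simplification. Note what it does not catch: a link that really goes to accounts.google.com and then asks you to grant a fake “Google Docs” app access to your account, which is why Google’s statement talks about removing applications and why step 3 above tells you to revoke third-party access.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts a genuine Google Docs share link uses; any other *.google.com host is also
# treated as Google's own. Everything else that merely *mentions* these names is a
# lookalike. (Assumed allow-list for this example; extend it for your own brands.)
LEGIT_HOSTS = {"docs.google.com", "drive.google.com", "accounts.google.com"}
LEGIT_REGISTRABLE = {"google.com"}
BRAND_TOKENS = ("google", "docs", "drive")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def normalize(host: str) -> str:
    """Undo the common lookalike tricks before comparing: digits/symbols that
    resemble letters (g00gle), hyphenation (google-docs), and rn->m / vv->w."""
    t = host.lower().translate(str.maketrans("0135@", "olesa")).replace("-", "")
    return t.replace("rn", "m").replace("vv", "w")


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower().rstrip(".")
    if p.username is not None:
        # http://docs.google.com@evil.net/ : everything before '@' is userinfo,
        # the brand name is bait and the real destination is evil.net.
        return "lookalike"
    if host in LEGIT_HOSTS:
        return "legit"
    labels = host.split(".")
    # Registrable domain = last two labels; good enough for .com/.net style TLDs.
    # A production check would use the Public Suffix List for co.uk and friends.
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT_REGISTRABLE:
        return "legit"
    if any(tok in normalize(host) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def scan_email(body: str) -> List[Dict[str, str]]:
    """Pull every http(s) link out of an email body and classify it."""
    return [{"url": u, "verdict": classify_url(u)} for u in URL_RE.findall(body)]


# Constructed sample body for the demo, not a real phishing email.
SAMPLE_EMAIL = """\
Hi, I've shared a document with you.
Open it here: https://docs.google.com.secure-share.net/d/1AbC
or the mirror https://g00gle-d0cs.com/open?id=1AbC
Legit link for comparison: https://docs.google.com/document/d/1AbC/edit
Our site: https://www.example.org/newsletter
"""
```

Running `scan_email(SAMPLE_EMAIL)` labels the first two links lookalike, the third legit and the last unrelated. The host is what matters: the path and the visible link text can say anything, so the check reads the address the browser would actually connect to.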

ALERT! JP Morgan Suffers MASSIVE Breach ALERT!

JP Morgan has set yet another record for data breaches. The financial services and banking giant revealed that 76 million households and 7 million small businesses have potentially had their private data stolen in a record-setting cyber attack.

According to a new SEC filing, JP Morgan said, “User contact information — name, address, phone number and email address – and internal JPMorgan Chase information relating to such users has been compromised.”

JP Morgan pointed out that “…there is no evidence that account information for such affected customers — account numbers, passwords, user IDs, dates of birth or Social Security numbers — was compromised during this attack.” No fraud has been connected to this breach so far.

JP Morgan denies that this was a second attack; it says the disclosure is connected to the previously reported intrusion. The company has rejected New York Times reports that the earlier attack resulted in the loss of checking and savings account information.

Breaking it down

In comparison, Target’s data breach affected 40 million credit and debit card accounts. This was followed by Home Depot’s breach of 56 million accounts. Now JP Morgan has set the bar at 76 million households. How much more do we need to experience before something is done? What you are looking at is an escalating trend of warning shots of what is bound to come.

Even if no account information was lost, names, email addresses and other contact information are exactly what a phishing attack needs, and the “internal JPMorgan Chase information relating to such users” in the filing, whatever it turns out to be, lets a fake email quote details only the bank should know. JP Morgan knows it. That is why this breach is so dangerous.

As a nation we are flirting with a financial catastrophe that could bring down an empire! The ability of hackers and thieves to impact the financial sector at this level indicates a hack could bring America to its knees and possibly even ignite a global financial crisis. Am I the only one seeing that Wall Street is the next big target? Or maybe the world banking system? If you think otherwise then you are fooling yourself. I am not so sure that it’s not time to take your money out of the bank and put it in your mattress.

Some might think this is a dire prediction, possibly even a doomsday vision. But look at the numbers again and ask yourself: is it really not possible?

For more information please see:

JP Morgan Discloses Data Breach Affected Millions

JP Morgan Data Reveals Data Breach Affected 76 Million Households

JP Morgan Says Data Breach Hit 76 Million Households

 

 

Celebrity Photo Hack Creates Confusion

As many of you have no doubt heard, a hacker has stolen and posted sensitive photos of female celebrities on the Internet. The photos originally appeared on a site called 4chan. Jennifer Lawrence and Victoria Justice are two of the actresses whose intimate pictures were stolen and posted for the world to see. How were the pictures stolen, and why? Those are just a few of the questions creating so much confusion as the investigation begins. About 100 celebrities had pictures released, among them Ariana Grande, Kate Upton and singer Jill Scott. All had naked and intimate pictures published online after their iCloud accounts were hacked.

Before we go any further we need to define exactly what the ‘cloud’ is. The cloud is a network of servers, each with a different function. Some use computing power to run applications or deliver services online. Others store information such as music, video, documents and, in this case, still images. Other information on storage servers includes email, email contacts, telephone numbers and full address books, chat logs, home movies, and all sorts of data from all sorts of devices that people want to back up. It’s all in the cloud.

Apple’s version of the cloud is known as iCloud. The hacker(s) who stole and then posted the images online claimed to have taken them from the celebrities’ iCloud accounts. The miscreant(s) demanded “donations” via PayPal and Bitcoin in exchange for posting them. He, or they, received only 0.2545 BTC in donations, which at the time amounted to $121.15.

Now here is the first point of confusion. Apple claims that its servers and automatic backup systems were not hacked and are secure. But when it came to details Apple said only that the hack was a “carefully targeted attack on user names, passwords and security questions.” Apple provided no details as to how the attackers obtained that information from the celebrities.

But Apple did move quickly to fix a vulnerability in the Find My iPhone service that permitted unlimited password attempts, a flaw researchers had disclosed. Without a lockout or rate limit, a tool can submit guess after guess from a list of common passwords until one works; that is a brute-force attack, and security questions with guessable answers (a pet’s name, a birthplace) fall to the same method. Is this what happened? Apple’s statement does not say.
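The defensive half of what Apple fixed, as an added example (this is not Apple’s code, and Apple has not published details of its fix): a per-account failure throttle with lockout, and a simulated wordlist attack run against a login check with and without it. Thresholds, the account name and the wordlist are constructed for the demo; `FakeClock` exists only to make the run reproducible.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional


class FakeClock:
    """Deterministic stand-in for time.monotonic so the demo is reproducible."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class LoginGuard:
    """Per-account failure throttle: `max_failures` wrong passwords inside `window`
    seconds locks the account for `lockout` seconds. Thresholds are illustrative;
    a real service also throttles per source IP and notifies the account owner."""

    def __init__(self, max_failures: int = 5, window: float = 300.0,
                 lockout: float = 900.0, clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, 0.0)

    def attempt(self, account: str, password: str, real_password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'. While locked the password is not
        even checked, so right and wrong guesses get the same answer and the
        lockout itself cannot be used as a password oracle."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"
        # Demo only: a real check compares a KDF output with hmac.compare_digest.
        if password == real_password:
            self._failures[account].clear()
            return "ok"
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
        return "bad_password"


def brute_force(guard: Optional[LoginGuard], account: str, real_password: str,
                wordlist: List[str]) -> Dict[str, object]:
    """Walk a wordlist against one account. guard=None is the unlimited-attempts
    condition the post describes; with a guard the walk stops at the lockout."""
    for n, guess in enumerate(wordlist, start=1):
        if guard is None:
            if guess == real_password:
                return {"found": True, "attempts": n, "locked": False}
            continue
        result = guard.attempt(account, guess, real_password)
        if result == "ok":
            return {"found": True, "attempts": n, "locked": False}
        if result == "locked":
            return {"found": False, "attempts": n, "locked": True}
    return {"found": False, "attempts": len(wordlist), "locked": False}


# Constructed wordlist: a dozen entries of the kind that top every leaked-password list.
TOP_PASSWORDS = ["123456", "password", "qwerty", "abc123", "letmein", "iloveyou",
                 "monkey", "dragon", "baseball", "football", "sunshine", "princess"]
```

Without the guard the twelfth guess wins. With it the attacker gets five wrong guesses, the sixth answer is “locked”, and even the right password returns “locked” until the lockout expires, so the lockout cannot be used to confirm a guess. Per-account lockout alone is not enough against an attacker who spreads one guess each across thousands of accounts, which is why real deployments also throttle per source address.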

Apple did confirm it was investigating along with the FBI to identify the hackers responsible for breaking into the iCloud accounts.

Do you own an iPhone? Are you aware of what it is doing without your knowledge? Your iPhone constantly communicates with Apple and with the developers of the apps on your phone. The information may include where you are at the moment, who you call, text or email, your device settings, what games you play, coupons you download, your web searches, photos, videos and pretty much everything else you do with your phone; it is recorded somewhere, and much of it goes to the cloud. All iCloud needs to back up automatically is a Wi-Fi connection and a power source: it backs up while the phone is on and locked. If you plug your phone into the charger at bedtime, that is what is happening while you sleep.

Now we have the question of whether to shut off automatic backup on the iPhone. More confusion. Some experts recommend that you do if you want to protect your privacy. Others say it is not an issue, since it is unlikely that Apple’s servers were hacked.

After this incident, why would you not just shut it off? The answer depends on your risk. What is the risk of your cloud account being hacked versus losing your phone? Let’s face it, hackers are probably not that interested in you. The chances are much better that you will lose or damage your phone. If that happens, without a backup you would probably kiss your pictures, contacts, calendar and even some email goodbye. Some of you know how devastating that can be.

If you do lose your phone, or someone relieves you of it, there is a good chance they will get into your pictures and other data anyway. You can wipe the device remotely on both Apple devices and Androids; both use cloud services to do it. Yes, you could turn off photo backup and use the phone anyway, but wouldn’t it be easier to secure your cloud account instead? So there is your choice: either use better security for your cloud account, meaning a long, unique passphrase, two-factor authentication and security-question answers that cannot be looked up, or take a chance and turn the backup off. It’s really your choice.

Confusion reigns about who actually owns the images. The question sounds simple but is not. Many celebrities are looking to use copyright law to force websites to remove the images. Unfortunately the cat is out of the bag. AACR rule #6: images on the Internet are no longer yours.

In 1998 Congress passed the Digital Millennium Copyright Act (DMCA) to govern the online distribution of photos, video and text. The law was intended to preserve open access to and use of the Internet.

Part of this law is what is known as ‘safe harbor.’ Safe harbor protects websites from legal liability for virtually all content posted on their services, provided they remove content that infringes a copyright once the copyright owner notifies them. Now here is the problem: who owns the images of these celebrities? Is it the celebrity, or the person who owned the device that took the picture? Either way the copyright was violated.

Some of the stolen photos were not selfies, so the women pictured may not technically own the copyright. That loophole keeps the intimate photos from being completely erased from the Internet. Here is another problem for celebrities who have their picture taken thousands of times a day: those images are on fans’ and paparazzi’s cameras. Do the images belong to the fan or photographer? Maybe. Can they sell the images? Maybe. Can the celebrity sue for copyright infringement? Maybe. More confusion.

 

 

Billions of Passwords Stolen-They got you!


A Russian criminal gang has stolen 1.2 billion user name and password combinations and 500 million email addresses. According to Milwaukee-based security firm Hold Security, the credentials were taken from over 400,000 business and personal websites. In comparison, last year’s Target breach compromised 40 million card accounts. The websites include smaller businesses and stores as well as many larger businesses; Hold Security founder Alex Holden said many of the larger ones are “household names.”

The group that carried out the theft is known as “CyberVor,” roughly “cyber thief” in Russian. It is suspected of being located in a small city in south central Russia. According to the New York Times the group is made up of fewer than a dozen young men who know each other personally, not just online. Their servers are also thought to be in Russia.

The New York Times enlisted an outside security expert who, after analyzing the database of stolen credentials, confirmed its authenticity. A second cyber crime expert also reviewed the data. That expert is not permitted to elaborate publicly on the theft but said major companies were compromised and are aware their records have been stolen.

“Hackers did not just target U.S. companies, they targeted any website they could get ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable,” said Holden.

According to Holden the gang makes money by emailing spam for phony miracle weight loss products. “It’s really not that impactful to the individuals, and that’s why they were under the radar for so long,” Holden said. “They’ve ignored financial information almost completely.”

The ability of the criminals to collect so many passwords is indicative of the weak security of many websites regardless of size.

Holden pointed out that some of the stolen passwords may not have come from hacking at all but from the criminals buying user names and passwords on the black market. The haul multiplied this year because of automated scanners that crawl the Internet probing websites for exploitable weaknesses, so the gang never had to pick targets by hand.

Many experts agree that selling the information on the black market could be very lucrative. A credit card is easily canceled, but personal information such as an email address, Social Security number or password can be used for identity theft. Many people use the same password on multiple sites, and criminals know it: they take a stolen email-and-password pair and try it, automatically and at scale, on sites where something valuable sits behind the login, including banks and brokerage firms. This is known as credential stuffing, and it is how a password leaked from a trivial site can cost you your bank account.
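What that credential-testing step looks like from the defender’s side, as an added example (not Hold Security’s or any vendor’s code): a detector run over constructed authentication log lines that flags a source address trying many different user names in a short window with a high failure rate, and lists the accounts where a try succeeded. The log format, addresses, user names and thresholds are all made up for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format for the demo: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: dana mistypes once from her own address; 203.0.113.7 walks a
# list of leaked email/password pairs, one try per account, and gets two hits.
SAMPLE_LOG = """\
2014-08-05T10:00:01Z ip=198.51.100.5 user=dana result=FAIL
2014-08-05T10:00:09Z ip=198.51.100.5 user=dana result=OK
2014-08-05T10:01:00Z ip=203.0.113.7 user=alice result=FAIL
2014-08-05T10:01:01Z ip=203.0.113.7 user=bob result=FAIL
2014-08-05T10:01:02Z ip=203.0.113.7 user=carol result=OK
2014-08-05T10:01:03Z ip=203.0.113.7 user=dave result=FAIL
2014-08-05T10:01:04Z ip=203.0.113.7 user=erin result=FAIL
2014-08-05T10:01:05Z ip=203.0.113.7 user=frank result=FAIL
2014-08-05T10:01:06Z ip=203.0.113.7 user=grace result=OK
2014-08-05T10:01:07Z ip=203.0.113.7 user=heidi result=FAIL
"""


def parse(log_text: str) -> List[Dict[str, object]]:
    """Parse matching lines into events; lines in another format are skipped."""
    events: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev: Dict[str, object] = dict(m.groupdict())
        ev["ts"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, inside any `window`, tried at least `min_users` distinct
    accounts with a failure rate of at least `min_fail_ratio`. Brute force is one
    account and many passwords; stuffing is many accounts and one password each,
    so the distinct-user count from a single source is the signal."""
    by_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts: Dict[str, Dict[str, object]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    # successes from a flagged source are the accounts to force-reset
                    "compromised": sorted({e["user"] for e in win if e["result"] == "OK"}),
                }
    return alerts
```

On the sample, 198.51.100.5 never alerts (one user, one failure) while 203.0.113.7 alerts with eight distinct users and two successes, carol and grace, whose passwords were evidently reused from some other site’s dump. Those two accounts need a forced reset and a second factor, not just a note in a log.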

Hold Security has refused to release the names of the websites affected because of confidentiality agreements.

Breaking It Down

We’ve seen this before. Again and again hackers have stolen information from websites, and again and again the consumer is left in the dark. No one is saying which websites are affected except to say they are “household names.” So let’s do some math: 1.2 billion user names and passwords are stolen. Over 400,000 websites are compromised. More than 500 million email addresses are collected. The answer is simple; they got you! If you read this and do not immediately change all your passwords you’re either stupid or just don’t care. You need to be aware that many personal websites were also compromised. That includes your Facebook page, LinkedIn and many others. I have encouraged black people to use powerful pass phrases. I continue to do that. I have told you before to regularly change your pass phrases; at least every six months. Yeah, I know it’s a hassle. So if it bothers you that much then use a password manager. You can find them on the Apple App Store and Google Play. Many are free, so what’s your excuse? Use them! All those user names and passwords are going to be sold. And now that the word is out they will be sold soon, before they lose their value. See, although the Russian gang may not be interested in financial information, others who buy these passwords are looking to get into bank accounts, your bank account. All African-Americans need to act on this information immediately. Why? Because we have a bad habit of being the last to know and the last to act. Yeah I said it! We need to be more pro-active and stop dragging our feet. Get busy and change your passwords to pass phrases. Don’t wait.

For more information please see:

Washington Post – Russian Hackers Amass Over a Billion Internet Passwords

CNET – Hackers Nab 1.2 Billion Passwords in Colossal Breach, Says Security Firm

CNBC – Russian Gang Said to Amass More Than a Billion Stolen Internet Credentials