Facebook exposed up to 6.8 million users’ private photos to developers in latest data leak

Facebook exposed private photos from up to 6.8 million users to apps that weren’t supposed to see them, the company said today. These apps were authorized to see a limited set of users’ photos, but a bug allowed them to see pictures they weren’t granted access to. These included photos from people’s stories as well as photos that people uploaded but never posted (because Facebook saved a copy anyway).

The exposure occurred between September 12th and September 25th. Facebook told TechCrunch that it discovered the breach on the 25th; it isn’t clear why the company waited until now to disclose it. (Perhaps it’s because the company was dealing with a separate and substantially larger breach that it also discovered on September 25th.)

Affected users will receive a notification alerting them that their photos may have been exposed. Facebook also says it’ll be working with developers to delete copies of photos they weren’t supposed to access. In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.

Facebook said the bug had to do with an error related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps. All of the impacted users had logged into a third-party app using their Facebook accounts and granted them some degree of access to view their photos.
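To show the class of failure described above at code level, here is an added Python illustration; it is not Facebook's code, and the scope name, photo kinds and records are constructed assumptions. It contrasts a permission check that only tests whether an app holds some photo permission with one that checks each returned photo against the granted scope, so stories and never-posted uploads stay out of the response.

```python
"""Object-level authorization for a photo API (added example, not Facebook's code).

Models the bug class in the article: an app granted a narrow photo permission
that could nonetheless retrieve photos outside that grant. Scope strings,
photo kinds and sample records are constructed for this illustration.
"""
from dataclasses import dataclass

# Constructed photo kinds. Only a photo the user actually posted to their
# timeline should be readable by a third-party app in this model.
POSTED, STORY, UNPOSTED_UPLOAD = "posted", "story", "unposted_upload"


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner: str
    kind: str


@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user: str
    scopes: frozenset  # e.g. frozenset({"user_photos"})


# Hypothetical scope table: which photo kinds each granted scope unlocks.
# The vulnerable path below never consults it.
SCOPE_TO_KINDS = {
    "user_photos": {POSTED},
}


def photos_for_app_vulnerable(grant, photos):
    """'Before' behaviour: checks only that *some* permission was granted,
    then returns every photo the user owns, stories and drafts included."""
    if not grant.scopes:
        return []
    return [p for p in photos if p.owner == grant.user]


def photos_for_app_fixed(grant, photos):
    """Hardened: every returned object must be covered by a granted scope."""
    allowed_kinds = set()
    for scope in grant.scopes:
        allowed_kinds |= SCOPE_TO_KINDS.get(scope, set())
    return [p for p in photos
            if p.owner == grant.user and p.kind in allowed_kinds]


# Constructed sample data: one user with a posted photo, a story and an
# upload that was never posted, plus another user's photo as a control.
SAMPLE_PHOTOS = [
    Photo(1, "alice", POSTED),
    Photo(2, "alice", STORY),
    Photo(3, "alice", UNPOSTED_UPLOAD),
    Photo(4, "bob", POSTED),
]
SAMPLE_GRANT = AppGrant("app-123", "alice", frozenset({"user_photos"}))


def leaked_photo_ids(grant=SAMPLE_GRANT, photos=SAMPLE_PHOTOS):
    """Ids the vulnerable path exposes beyond what the grant allows."""
    allowed = {p.photo_id for p in photos_for_app_fixed(grant, photos)}
    return sorted(p.photo_id
                  for p in photos_for_app_vulnerable(grant, photos)
                  if p.photo_id not in allowed)


if __name__ == "__main__":
    print("over-exposed photo ids:", leaked_photo_ids())
```

The point of the fixed variant is that the scope decision is made per object at the data-access layer rather than once per request; a regression test that asserts stories and unposted uploads never appear for a `user_photos` grant is the kind of check that catches this class of bug before release.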

“We’re sorry this happened,” writes Tomer Bar, engineering director at Facebook. The disclosure comes exactly one day after Facebook opened a pop-up installation in New York to show people how “you can manage your privacy” on the site.

Facebook has been in hot water again and again this year over data breaches and exposures, most notably with Cambridge Analytica. In many cases, the problems haven’t been caused by hackers, but they have stemmed from issues within Facebook itself. The Cambridge Analytica breach happened because of Facebook’s lax oversight of developers and data sharing; today’s issue happened because of another breakdown in communication between Facebook and developers.

Google has already pledged to shut down Google+ over similar issues. Twice this year, the service exposed information inappropriately to developers.

Source: The Verge, Jacob Kastrenakes


Hackers Breached Equifax for 76 Days Before Being Discovered

Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory

‘Entirely preventable’ theft down to traffic-monitoring certificate left expired for 19 months

Source: The Register’s Shaun Nichols in San Francisco 

Updated: A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.

The 96-page report (PDF) from the Committee of Oversight and Government Reform found that the 2017 network breach could have easily been prevented had the company taken basic security precautions.

“Equifax, however, failed to implement an adequate security program to protect this sensitive data,” the report reads.

“As a result, Equifax allowed one of the largest data breaches in US history. Such a breach was entirely preventable.”

The report noted some of the previously-disclosed details of the hack, including the expired SSL certificate that had disabled its intrusion detection system for 19 months and the Apache Struts patch that went uninstalled for two months because of that bad cert.
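An expired certificate that silently blinds an inspection device is a monitoring gap, so here is an added Python example (not from the report or from Equifax) that audits a certificate inventory for expired and soon-expiring entries. It assumes records in the dictionary shape Python's `ssl.getpeercert()` returns, with `notAfter` in the format `ssl.cert_time_to_seconds` parses; the inventory and the reference date are constructed.

```python
"""Certificate expiry audit (added example; inventory and dates are constructed)."""
import ssl
from datetime import datetime, timezone

# Constructed inventory in the shape ssl.SSLSocket.getpeercert() returns.
# The first entry stands in for a cert on a traffic-inspection device.
SAMPLE_INVENTORY = [
    {"subject": ((("commonName", "ids-inspection.internal.example"),),),
     "notAfter": "Jan 31 00:00:00 2016 GMT"},
    {"subject": ((("commonName", "www.example"),),),
     "notAfter": "Aug 15 00:00:00 2017 GMT"},
    {"subject": ((("commonName", "api.example"),),),
     "notAfter": "Dec 31 00:00:00 2018 GMT"},
]

# Constructed reference date for the audit run.
SAMPLE_NOW = datetime(2017, 7, 29, tzinfo=timezone.utc)


def common_name(record):
    """Pull the commonName out of a getpeercert()-style subject tuple."""
    for rdn in record["subject"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def audit_certificates(records, now, warn_days=30):
    """Return (expired, expiring) lists of (common_name, days_remaining).

    days_remaining is negative for certificates that have already expired,
    which is the case that leaves a TLS-inspecting sensor blind.
    """
    expired, expiring = [], []
    for rec in records:
        # cert_time_to_seconds interprets the notAfter string as UTC.
        seconds = ssl.cert_time_to_seconds(rec["notAfter"])
        not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
        days = (not_after - now).days
        cn = common_name(rec)
        if days < 0:
            expired.append((cn, days))
        elif days <= warn_days:
            expiring.append((cn, days))
    return expired, expiring


def audit_sample():
    """Run the audit over the constructed inventory and reference date."""
    return audit_certificates(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    expired, expiring = audit_sample()
    for cn, days in expired:
        print(f"EXPIRED  {cn}: {-days} days ago")
    for cn, days in expiring:
        print(f"EXPIRING {cn}: in {days} days")
```

In practice the inventory would be populated from the devices themselves (or from `ssl.SSLSocket.getpeercert()` against each endpoint) and the expired list would page someone, because a sensor that stops decrypting traffic does not raise an alarm on its own.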

The report states that Equifax’s IT team did scan for unpatched Apache Struts code on its network. But it only checked the root directory, not the subdirectory that was home to the unpatched software.
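The root-only scan described above can be contrasted with a recursive one in a few lines. The following Python is an added example, not Equifax's tooling: it builds a constructed directory tree, detects Struts jars by file name only (a simplification; a real check would read the jar manifest and compare against the vendor advisory), and uses a placeholder `MIN_PATCHED_VERSION` because the article names no version numbers.

```python
"""Root-only versus recursive scan for a vulnerable library (added example).

The directory layout, jar versions and patched-version threshold below are
constructed placeholders, not values from the report.
"""
import re
import tempfile
from pathlib import Path

# Match file names such as struts2-core-2.3.1.jar and capture the version.
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# PLACEHOLDER: lowest version treated as patched. Substitute the fixed
# release named in the advisory you are checking.
MIN_PATCHED_VERSION = (2, 5, 99)


def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_struts_jars(root, recursive):
    """Return [(relative_path, version_tuple)] for Struts jars under root."""
    root = Path(root)
    paths = root.rglob("*.jar") if recursive else root.glob("*.jar")
    found = []
    for path in sorted(paths):
        match = STRUTS_JAR.match(path.name)
        if match:
            found.append((path.relative_to(root).as_posix(),
                          parse_version(match.group(1))))
    return found


def unpatched(root, recursive):
    """Relative paths of Struts jars older than the patched threshold."""
    return [rel for rel, ver in find_struts_jars(root, recursive)
            if ver < MIN_PATCHED_VERSION]


def build_sample_tree():
    """Constructed layout: a patched jar at the root, an old one deep in a
    web application's lib directory (the place a root-only scan misses)."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    (root / "struts2-core-2.5.99.jar").write_bytes(b"")
    deep = root / "apps" / "acis" / "WEB-INF" / "lib"
    deep.mkdir(parents=True)
    (deep / "struts2-core-2.3.1.jar").write_bytes(b"")
    return root


def compare_scans(root=None):
    """Run both scan modes and report what each flags as unpatched."""
    root = build_sample_tree() if root is None else Path(root)
    return {"root_only": unpatched(root, recursive=False),
            "recursive": unpatched(root, recursive=True)}


if __name__ == "__main__":
    for mode, hits in compare_scans().items():
        print(f"{mode:10s} -> {hits or 'nothing flagged'}")
```

The root-only mode reports a clean bill of health while the recursive mode flags the jar under `WEB-INF/lib`, which is exactly the gap the report describes; the coverage of a scan is part of its result and should be recorded alongside it.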

Both issues were blamed for allowing an attacker to compromise the Equifax Automated Consumer Interview System and then spend weeks moving throughout the network to harvest personal records from other databases. It was only when the certificate was renewed that Equifax saw the massive amounts of data being copied from its servers and realized something was very wrong.

While those two specific issues were pinpointed as the source of the attack, the report finds that the intrusion was allowed to happen because the IT operation at Equifax had grown far too large far too fast, without a clear management structure or coherent policies across various departments.

Lousy IT security by design

“In 2005, former Equifax CEO Richard Smith embarked on an aggressive growth strategy, leading to the acquisition of multiple companies, IT systems, and data. While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks,” the committee found.

“In August 2017, three weeks before Equifax publicly announced the breach, Smith boasted Equifax was managing ‘almost 1,200 times’ the amount of data held in the Library of Congress every day.”

What’s more, the report notes that Equifax had been aware of these shortcomings for years, with internal audits that found problems in their software patching process back in 2015, and in both 2016 and 2017 a report from MSCI Inc. rated Equifax network security as a “zero out of ten.”

A 2015 audit found that ACIS, a Solaris environment that dated back to the 1970s, was not properly walled off from other databases, a fault that allowed the attackers to access dozens of systems they would not have otherwise been able to get to.

“Although the ACIS application required access to only three databases within the Equifax environment to perform its business function, the ACIS application was not segmented off from other, unrelated databases,” the report noted.

“As a result, the attackers used the application credentials to gain access to 48 unrelated databases outside of the ACIS environment.”

After the pwning of its servers was revealed, Equifax blamed its woes on an IT staffer who hadn’t installed the Apache patch, and fired the person. The report makes it clear that there were many more people involved in Equifax’s failings than this one scapegoat.

To help prevent similar attacks from occurring, the report recommends a number of additional requirements for credit reporting agencies to tell people what information is being gathered, how it is stored, and who it is shared with. The report also suggests moving away from social security numbers as personal identifiers and recommends that companies in the finance and credit sectors be pushed to modernize their IT structure. ®

Updated to add

Equifax sent the following statement to The Register:

“We are deeply disappointed that the Committee chose not to provide us with adequate time to review and respond to a 100-page report consisting of highly technical and important information,” the company said.

“During the few hours we were given to conduct a preliminary review before they released it yesterday, we identified significant inaccuracies and disagree with many of the factual findings. This is unfortunate and undermines our hope to assist the Committee in producing a credible and thorough public resource for those who wish to learn from our experience managing the 2017 cybersecurity incident.”

The credit biz has yet to identify what in the report is inaccurate.


The 21 biggest data breaches of 2018

  • Data breaches in 2018 compromised the personal information of millions of people around the world.

  • Here are 21 of the biggest data breaches that companies faced this year.
It seems like every week, a new company has to notify its customers that their data may have been compromised, and personal information may have been affected.

Data breaches can happen for a variety of reasons. Some companies are hacked. Data can be mishandled or sold to third parties. Holes in a website’s security system can leave information unprotected.

One of the latest victims was Marriott hotels, which recently revealed that hackers had accessed the information of an estimated 500 million customers.

Some of the biggest victims in 2018 include T-Mobile, Quora, Google, and Orbitz. Facebook dealt with a slew of major breaches and incidents that affected more than 100 million users of the popular social network.

Here are the biggest data breaches that were revealed this year, ranked by number of users affected:


21. British Airways — 380,000


What was affected: Card payments

When it happened: August 21, 2018 — September 5, 2018

How it happened: A “criminal” hack affecting bookings made on the airline’s website and app.

Source: Business Insider


20. Orbitz — 880,000


What was affected: Payment card information and personal data such as billing addresses, phone numbers, and emails.

When it happened: January 1, 2016 — December 22, 2017

How it happened: Hackers accessed travel bookings in the website’s system.

Source: Reuters


19. SingHealth — 1.5 million

What was affected: Names and addresses in the Singapore government’s health database, and some patients’ history of dispensed medicines. Information on the prime minister of Singapore was specifically targeted.

When it happened: May 1, 2015 — July 4, 2018

How it happened: Hackers orchestrated a “deliberate, targeted, and well-planned” attack, according to a statement.

Source: BBC


18. T-Mobile — about 2 million


What was affected: Encrypted passwords and personal data, including account numbers, billing information, and email addresses.

When it happened: August 20, 2018

How it happened: An “international group” of hackers accessed T-Mobile servers through an API.

Source: Motherboard




17. myPersonality — 4 million


What was affected: Personal data via Facebook customers who used the myPersonality app.

When it happened: The app was “mostly active before 2012,” but was banned from Facebook this year in April.

How it happened: The app mishandled Facebook user data by sharing “information with researchers as well as companies with only limited protections in place.”

Source: Business Insider


16. Saks and Lord & Taylor — 5 million


What was affected: Payment card numbers

When it happened: Details were never shared.

How it happened: “New York-based security firm Gemini Advisory LLC says that a hacking group called JokerStash announced last week that it had put up for sale more than 5 million stolen credit and debit cards, and that the compromised records came from Saks and Lord & Taylor customers.”

Source: Associated Press


15. SheIn.com — 6.42 million


What was affected: Email addresses and encrypted passwords for customers’ online store accounts.

When it happened: Sometime in June 2018

How it happened: Hackers carried out “a sophisticated criminal cyberattack on its computer network.”

Source: ZDNet


14. Cathay Pacific Airways — 9.4 million

What was affected: 860,000 passport numbers; 245,000 Hong Kong identity card numbers; 403 expired credit card numbers; and 27 credit card numbers without the card verification value (CVV).

When it happened: Activity was discovered in March 2018

How it happened: Passenger data was accessed “without authorization.”

Source: Reuters




13. Careem — 14 million


What was affected: Names, email addresses, phone numbers, and trip data.

When it happened: January 14, 2018

How it happened: “Access was gained to a computer system that stored customer and driver account information.”

Source: Reuters


12. Timehop — 21 million


What was affected: Names, email addresses, and some phone numbers.

When it happened: December 2017 — July 2018

How it happened: “An access credential to our cloud computing environment was compromised … That cloud computing account had not been protected by multifactor authentication.”

Source: Business Insider


11. Ticketfly — 27 million


What was affected: Personal information including names, addresses, email addresses, and phone numbers.

When it happened: Late May 2018

How it happened: A hacker called “IsHaKdZ” compromised the site’s webmaster and “gained access to a database titled ‘backstage,’ which contains client information for all the venues, promoters, and festivals that utilize Ticketfly’s services.”

Source: The Verge


10. Facebook — 29 million


What was affected: Highly sensitive data, including locations, contact details, relationship status, recent searches, and devices used to log in.

When it happened: July 2017 — September 2018

How it happened: “The hackers were able to exploit vulnerabilities in Facebook’s code to get their hands on ‘access tokens’ — essentially digital keys that give them full access to compromised users’ accounts — and then scraped users’ data.”

Source: Business Insider


9. Chegg — 40 million

What was affected: Personal data including names, email addresses, shipping addresses, and account usernames and passwords.

When it happened: April 29, 2018 — September 19, 2018

How it happened: According to Chegg’s SEC filing: “An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib.”

Source: ZDNet


8. Google+ — 52.5 million


What was affected: Private information on Google+ profiles, including name, employer and job title, email address, birth date, age, and relationship status.

When it happened: 2015 — March 2018, November 7 — November 13

How it happened: Earlier this year, Google announced it would be shutting down Google+ after a Wall Street Journal report revealed that a software glitch caused Google to expose the personal profile data of 500,000 Google+ users. Then again in December, Google revealed it had experienced a second data breach that affected 52.5 million users. Google has now decided it will shut down Google+ for good in April 2019.

Source: Wall Street Journal, Google


7. Cambridge Analytica — 87 million


What was affected: Facebook profiles and data identifying users’ preferences and interests.

When it happened: 2015

How it happened: A personality prediction app called “thisisyourdigitallife,” developed by a University of Cambridge professor, improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump’s presidential campaign by creating targeted ads using millions of people’s voter data.

Only 270,000 Facebook users actually installed the app, but due to Facebook’s data sharing policies at the time, the app was able to gather data on millions of their friends.

Source: Business Insider




6. MyHeritage — 92 million


What was affected: Email addresses and encrypted passwords of users who have signed up for the service.

When it happened: October 26, 2017

How it happened: “A trove of email addresses and hashed passwords were sitting on a private server somewhere outside of the company.”

Source: Business Insider


5. Quora — 100 million


What was affected: Account info including names, email addresses, encrypted passwords, data from user accounts linked to Quora, and users’ public questions and answers.

When it happened: Discovered in November 2018

How it happened: A “malicious third party” accessed one of Quora’s systems.

Source: Reuters


4. MyFitnessPal — 150 million


What was affected: Usernames, email addresses, and encrypted passwords.

When it happened: February 2018

How it happened: An “unauthorized party” gained access to data from user accounts on MyFitnessPal, an Under Armour-owned fitness app.

Source: Business Insider


3. Exactis — 340 million


What was affected: Detailed information compiled on millions of people and businesses including phone numbers, addresses, personal interests and characteristics, and more.

When it happened: June 2018

How it happened: A security expert spotted a database “with pretty much every US citizen in it” left exposed “on a publicly accessible server,” although it’s unclear whether any hackers accessed the information.

Source: WIRED


2. Marriott Starwood hotels — 500 million


What was affected: Guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates.

When it happened: 2014 — September 2018

How it happened: Hackers accessed the reservation database for Marriott’s Starwood hotels, and copied and stole guest information.

Source: Business Insider


1. Aadhaar — 1.1 billion


What was affected: Private information on India residents, including names, their 12-digit ID numbers, and information on connected services like bank accounts.

When it happened: It’s unclear when the database was first breached, but it was discovered in March 2018.

How it happened: India’s government ID database, which stores citizens’ identity and biometric info, experienced “a data leak on a system run by a state-owned utility company Indane.” Indane had not secured the API used to access the database, so anyone could retrieve Aadhaar information through it.

Source: ZDNet


Source: Business Insider