Marriott now lets you check if you’re a victim of the Starwood hack


Hotel chain giant Marriott will now let you check if you’re a victim of the Starwood hack.

The company confirmed to TechCrunch that it has put in place “a mechanism to enable guests to look up individual passport numbers to see if they were included in the set of unencrypted passport numbers.” That follows a statement last month from the company confirming that five million unencrypted passport numbers were stolen in the data breach last year.

The checker, hosted by security firm OneTrust, asks for some personal information: your name and email address, as well as the last six digits of your passport number.

Marriott says data on “fewer than 383 million unique guests” was stolen in the data breach, revealed in September, including guest names, postal addresses, phone numbers, dates of birth, genders, email addresses and reservation information. Later it transpired that more than 20 million encrypted passport numbers were also stolen, along with 8.6 million unique payment card numbers. Marriott said only 354,000 cards were active and unexpired at the time of the breach in September.

Opening up the checker to the wider public is a bright spot in what’s been a fairly atrocious incident recovery by Marriott since the breach. The company’s initial response was plagued with so many hiccups and missteps that security experts stepped in to fill the gaps at their own expense.

The checker won’t kick back a result straight away — you’ll have to wait for a response — and Marriott doesn’t say how long that’ll take. There is a certain irony in having to turn over your own data — not least to a third party — to be told if you’re a victim of a breach. It’s literally the last thing any breach victim wants to do: hand over even more of their personal information. But that’s the world we’re living in, and everything is terrible.

Use the checker at your own risk.


Hacker who stole 620 million records strikes again, stealing 127 million more


A hacker who stole close to 620 million user records from 16 websites has stolen another 127 million records from 8 more websites, TechCrunch has learned.

The hacker, who was listing the previously disclosed data for about $20,000 in bitcoin on a dark web marketplace, stole the data last year from several major sites — some of which had already been disclosed, like the more than 151 million records from MyFitnessPal and 25 million records from Animoto. But several other hacked sites on the marketplace listing didn’t know or hadn’t disclosed yet — such as 500px and Coffee Meets Bagel.

The Register, which first reported the story, said the data included names, email addresses and scrambled passwords, and in some cases other login and account data — though no financial data was included.

Now the same hacker has 8 additional marketplace entries after their original listings were pulled offline, including:

  • 18 million records from travel booking site Ixigo
  • 40 million records from live video streaming site YouNow
  • 57 million records from Houzz, which recently disclosed a data breach
  • 1.8 million accounts from file-sharing site Ge.tt
  • 450,000 records from cryptocurrency site Coinmama
  • 4 million records from Roll20, a gaming site
  • 5 million records from Stronghold Kingdoms, a multiplayer online game
  • 1 million records from pet delivery service Petflow

According to the hacker’s listings, Ixigo and Petflow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. YouNow is said to have not scrambled user passwords at all.
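The paragraph above explains why unsalted MD5 (and, worse, plaintext) password storage is a liability: every user with the same password gets the same digest, and a precomputed table of common passwords maps those digests straight back to the password. The following is an added example (not code from TechCrunch, the hacker's listings, or any of the sites named) that contrasts an MD5 password store with a salted, iterated one. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt/scrypt/Argon2, which share the same salt-plus-work-factor idea; the password list and user records are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: a few passwords that any precomputed lookup table would contain.
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty"]


def md5_store(password: str) -> str:
    """Legacy scheme: one unsalted, fast MD5 digest per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated scheme. Each user gets a random 16-byte salt, and the
    iteration count makes every guess expensive. Stored as algo$iters$salt$key."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the key with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(key.hex(), key_hex)


def lookup_table_recovers(stored_hashes: List[str], table: Dict[str, str]) -> int:
    """How many stored digests a precomputed table maps directly back to a password.
    This is the weakness the listings attribute to the MD5-using sites."""
    return sum(1 for h in stored_hashes if h in table)


def demo() -> Dict[str, object]:
    """Constructed user records: two users share 'password', one has an uncommon one."""
    md5_table = {md5_store(p): p for p in COMMON_PASSWORDS}
    users_md5 = [md5_store("password"), md5_store("password"), md5_store("hunter2!x")]
    users_kdf = [pbkdf2_store("password"), pbkdf2_store("password")]
    return {
        # Two of three MD5 digests fall straight out of a three-entry table.
        "md5_recovered": lookup_table_recovers(users_md5, md5_table),
        # Unsalted: identical passwords give identical digests, leaking who shares one.
        "md5_identical": users_md5[0] == users_md5[1],
        # Salted: the same password yields different records for different users.
        "kdf_identical": users_kdf[0] == users_kdf[1],
        # The salted record still verifies the correct password.
        "kdf_verifies": pbkdf2_verify("password", users_kdf[0]),
        "kdf_rejects_wrong": pbkdf2_verify("Password", users_kdf[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for an auditor is the first two results: with MD5 a tiny table recovers most of a user base, and equal digests reveal password reuse across accounts before any guessing happens. A migration path is to wrap each legacy digest in the salted KDF on the user's next successful login and delete the MD5 value.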

In all, the hacker is selling the hacked data for about 4 bitcoin — or $14,500.

The dark web marketplace listing for Houzz. (Image: TechCrunch)

Ariel Ainhoren, research team leader at Israeli security firm IntSights, said that the hacker may have used the same security flaw to target vulnerable sites.

Six of the 16 databases were running the same back-end PostgreSQL database software, said Ainhoren in an email to TechCrunch. In successfully exploiting the bug, the hacker was able to “dump” the database to a file and download it.

“We’re still analyzing it, but it could have been that he used some kind of vulnerability that surfaced around that time and wasn’t patched by these companies or a totally new unknown vulnerability,” he said. “As most of these sites were not known breaches, it seems we’re dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it.”

When reached, Jonathan Katz, a contributor for PostgreSQL, said the open-source project was “currently unaware of any patched or unpatched vulnerabilities that could have caused these breaches.”

“There are many factors that need to be taken into consideration when securing a database system that go beyond the database software. We have often found that data breaches into a PostgreSQL database involve an indirect attack vector, such as a flaw in an application accessing PostgreSQL or a suboptimal policy around data management,” he said. “When it comes to vulnerabilities, the PostgreSQL community has a dedicated security team that evaluates and fixes issues and, in the spirit of open source collaboration, transparently reports on and educates our users about them.”

None of the other companies immediately returned a request for comment, except YouNow, which said that its “security experts are looking into this situation but we cannot respond until we have more information.”

We’ll have more as we get it.

Singapore says personal details of 14,200 HIV patients were posted online


For the second time inside a year, private health information belonging to people in Singapore has been compromised.

Following a hack disclosed last summer that affected the patient records of up to 1.5 million citizens, Singapore’s Ministry of Health revealed today that personal details and the HIV-positive status of 14,200 people were posted online by a convicted fraudster.

Unlike last year’s data breach — which was caused by what appears to be a targeted cyber attack — the details this time around were exposed by unauthorized access to the ministry’s HIV Registry, which occurred in person.

Mikhy K Farrera Brochez, a U.S. citizen who spent over eight years in Singapore before being deported last year over fraud and drug-related offences, is said to have posted the information on the internet after he gained access to it via his partner Ler Teck Siang, a doctor who once led the Ministry of Health’s National Public Health Unit.

It isn’t clear where the details were posted, but the ministry said access to the leak has been “disabled.” However, since Brochez is believed to have retained the details, it is entirely possible that they may appear again. In a bid to mitigate that threat, the Singapore government is “working with relevant parties to scan the Internet for signs of further disclosure of the information” and “seeking assistance from… foreign counterparts.”

“We are sorry for the anxiety and distress caused by this incident. Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance,” the ministry wrote in an announcement.

It urged anyone who comes into contact with the information to turn it in and “not further share it.”

The registry lists the name, ID number, phone number, email address, HIV test results and related medical information for 5,400 Singapore nationals who were diagnosed with HIV up to January 2013. It includes the same details for 8,800 foreigners as of December 2011, and the details of 2,400 related contacts up to May 2007.

The government introduced system safeguards in September 2016 to limit the potential for rogue access to the data. These included a two-person approval process for data downloads, a dedicated workstation to prevent unauthorized access, and the disabling of portable storage devices that could be used to transport information.

Police were first alerted that Brochez was in possession of the data in May 2016. It wasn’t until two years later that they were told that he had retained the information. Despite an investigation, they learned Brochez had disclosed the details online just over one week ago.

Brochez is currently located outside of Singapore. He worked in the country between 2008 and 2016, but was charged with faking his HIV test result using Ler’s blood and using fake qualifications to obtain a work permit. After completing a two-year sentence, he was deported in May 2018.

Ler is waiting on an appeal after he was handed a two-year jail term for abetting Brochez, providing false information to authorities and failing to take care of confidential information.

Massive mortgage and loan data leak gets worse as original documents also exposed


Remember that massive data leak of mortgage and loan data we reported on Wednesday?

In case you missed it, millions of documents were found leaking after an exposed Elasticsearch server was found without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren’t easy to read. That said, it was possible to discern names, addresses, birth dates, Social Security numbers and other private financial data by anyone who knew where to find the server.

Independent security researcher Bob Diachenko and TechCrunch traced the source of the leaking database to a Texas-based data and analytics company, Ascension. When reached, the company said that one of its vendors, OpticsML, a New York-based document management startup, had mishandled the data and was to blame for the data leak.

It turns out that data was exposed again — but this time, it was the original documents.

Diachenko found the second trove of data in a separate exposed Amazon S3 storage server, which likewise was not protected with a password. Anyone who went to an easy-to-guess web address in their web browser could have accessed the storage server and seen — and downloaded — the files stored inside.

In a note to TechCrunch, Diachenko said he was “very surprised” to find the server in the first place, let alone open and accessible. Because Amazon storage servers are private by default and aren’t accessible to the web, someone would have made a conscious decision to set its permissions to public.
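Because S3 buckets are private by default, a public bucket means either an ACL grant to the AllUsers/AuthenticatedUsers groups or a bucket policy that allows access to an anonymous principal. The following is an added example (not code from TechCrunch, Diachenko, Ascension or OpticsML) that audits the two documents an operator can pull from their own account: a GetBucketAcl-style ACL and a bucket policy. The sample documents are constructed for the demonstration; the group URIs and policy fields are the real AWS formats.

```python
from typing import Dict, List, Tuple

# The two ACL group grantees that make an object readable without credentials
# (AllUsers) or by anyone with any AWS account at all (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group URI, permission) for every grant to a public group in an ACL document."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission", "")))
    return findings


def _principal_is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> List[Tuple[str, List[str]]]:
    """Return (Sid, actions) for Allow statements open to an anonymous principal
    with no Condition restricting them. Statements with a Condition are reported
    separately by a reviewer, since a condition may or may not be sufficient."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        findings.append((st.get("Sid", ""), actions))
    return findings


def bucket_is_public(acl: dict, policy: dict) -> bool:
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy))


# Constructed sample: the kind of misconfiguration described in the article.
EXPOSED_ACL: Dict = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
# Constructed hardened counterpart: owner-only ACL, policy scoped to one role.
PRIVATE_ACL: Dict = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [EXPOSED_ACL["Grants"][0]]}
PRIVATE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print("exposed:", bucket_is_public(EXPOSED_ACL, EXPOSED_POLICY))
    print("private:", bucket_is_public(PRIVATE_ACL, PRIVATE_POLICY))
```

In practice the ACL and policy come from the `get-bucket-acl` and `get-bucket-policy` calls of the AWS CLI or SDK, and the account-level Block Public Access setting is the backstop that makes such a grant ineffective even when someone sets it deliberately.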

The bucket contained 21 files containing 23,000 pages of PDF documents stitched together — or about 1.3 gigabytes in size. Diachenko said that portions of the data in the exposed Elasticsearch database on Wednesday matched data found in the Amazon S3 bucket, confirming that some or all of the data is the same as what was previously discovered. Like in Wednesday’s report, the server contained documents from banks and financial institutions across the U.S., including loans and mortgage agreements. We also found documents from U.S. Department of Housing and Urban Development, as well as W-2 tax forms, loan repayment schedules, and other sensitive financial information.

Two of the files — redacted — found on the exposed storage server. (Image: TechCrunch)

Many of the files also contained names, addresses, phone numbers, and Social Security numbers, and more.

When we tried to reach OpticsML on Wednesday, its website had been pulled offline and the listed phone number was disconnected. After scouring old cached versions of the site, we found an email address.

TechCrunch emailed chief executive Sean Lanning, and the bucket was secured within the hour.

Lanning acknowledged our email but did not comment. Instead, OpticsML chief technology officer John Brozena confirmed the breach in a separate email, but declined to answer several questions about the exposed data — including how long the bucket was open and why it was set to public.

“We are working with the appropriate authorities and a forensic team to analyze the full extent of the situation regarding the exposed Elasticsearch server,” said Brozena. “As part of this investigation we learned that 21 documents used for testing were made identifiable by the previously discussed Elasticsearch leak. These documents were taken offline promptly.”

He added that OpticsML is “working to notify all affected parties” when asked about informing customers and state regulators, as per state data breach notification laws.

But Diachenko said there was no telling how many times the bucket might have been accessed before it was discovered.

“I would assume that after such publicity like these guys had, first thing you would do is to check if your cloud storage is down or, at least, password-protected,” he said.

Youth-run agency AIESEC exposed over 4 million intern applications


AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.

Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.

The database contained “opportunity applications” holding the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship, according to Diachenko’s blog post on SecurityDiscovery, shared exclusively with TechCrunch. The database also contains the date and time when an application was rejected.

AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days prior to Diachenko’s notification — just before Christmas — as part of an “infrastructure improvement project.”

The database was secured the same day of Diachenko’s private disclosure.

Laurin Stahl, AIESEC’s global vice president of platforms, confirmed the exposure to TechCrunch but claimed that no more than 40 users were affected.

Stahl said that the agency had “informed the users who would most likely be on the top of frequent search results” in the database — some 40 individuals, he said — after the agency found no large requests of data from unfamiliar IP addresses.

“Given the fact that the security researcher found the cluster, we informed the users who would most likely be on the top of frequent search results on all indices of the cluster,” said Stahl. “The investigation we did over the weekend showed that no more than 50 data records affecting 40 users were available in these results.”

Stahl said that the agency informed Dutch data protection authorities three days after the exposure.

“Our platform and entire infrastructure is still hosted in the EU,” he said, despite the organization’s recent relocation of its headquarters to Canada.

Like companies and organizations, non-profits are not exempt from European rules where EU citizens’ data is collected, and can face a fine of up to €20 million or four percent of their global annual revenue — whichever is higher — for serious GDPR violations.

It’s the latest case of an Elasticsearch instance going unprotected.

Last year a massive database leaking millions of real-time SMS text messages was found and secured, as were exposed databases belonging to a popular massage service and the phone contact lists of five million users of an emoji app.

Monster Data Leak Exposes Millions of Passwords


A monster data leak called Collection #1 has been discovered. Collection #1 contains hundreds of millions of email addresses and tens of millions of passwords. Luckily, the data has been loaded into Have I Been Pwned, so it’s easy to see if you have been affected.

Data leaks seem to be getting more common. In 2015, there was the Ashley Madison leak, and in 2016, there was the AdultFriendFinder leak. However, the biggest so far is the Yahoo data leak, which saw all 3 billion Yahoo users affected. And now this…

Collection #1 Leaks Data Online

As detailed by Troy Hunt of Have I Been Pwned, a monster data leak has recently been doing the rounds. Collection #1 first appeared on MEGA, before being shared on a hacking forum. This means your login credentials may have been exposed to hackers.

Collection #1 is mostly a compilation of previous data breaches. This means that even if your email address has been targeted, it may be from an old security incident. This hopefully means you’ve already changed your password, as you should do so regularly.

Have You Been Pwned by This Leak?

You can check whether your email address and/or password was leaked using Have I Been Pwned. Just head to the site and type your email address where indicated. You’ll then be informed whether your credentials have been leaked, or, as Hunt puts it, pwned.

If your email and/or password doesn’t show up then you’re fine. However, if it does show up on Have I Been Pwned you should change the password(s) associated with that account immediately. You should also avoid recycling the same password on multiple sites.
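The steps above describe checking a credential against Have I Been Pwned. For passwords specifically, the site's Pwned Passwords service avoids receiving the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and receives every known suffix for that prefix, then matches locally (k-anonymity). The following is an added example of that client-side logic, not code from Have I Been Pwned or MakeUseOf. It never touches the network: the range response is constructed inline, with a made-up count, for the prefix of the well-known SHA-1 of "password"; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` and pass the response text through the same parser.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Live endpoint a real client would call; kept here for reference only.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent to
    the service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map.
    Lines that are not in that shape are skipped rather than trusted."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus, or 0 if unseen.
    fetch_range maps a 5-char prefix to the service's response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_is_compromised(password: str, fetch_range: Callable[[str], str]) -> bool:
    return pwned_count(password, fetch_range) > 0


# Constructed stand-in for the network. Only the range for prefix 5BAA6 (the
# prefix of SHA-1("password")) is populated; the counts are invented.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0123456789ABCDEF0123456789ABCDEF012:2\n"
    ),
}


def offline_fetch_range(prefix: str) -> str:
    """Returns the constructed response for a prefix, or an empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", pwned_count(pw, offline_fetch_range))
```

The design point is what leaves the machine: five hex characters identify roughly one in a million digests, so the service learns almost nothing about which password was checked, while the client still gets an exact answer.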

Learn to Protect Your Passwords

It’s always disheartening to learn that your credentials have been leaked. However, it’s a good wakeup call to start using better security practices. Always enable 2FA when it’s offered, and consider using a password manager. Here are the best password managers.

Image Credit: Marco Verch/Flickr


SecureData Launches First Ever App-Based Unlock for Secure Data Storage


The UK-based security company SecureData has released two hardware-encrypted portable data storage devices that feature secure wireless user authentication: the SecureDrive BT hard drive and the SecureUSB BT flash drive.


Previous generations, like the secure USB KP, come with an onboard keypad to unlock the device using a PIN.


Being the first of their kind, the SecureDrive BT and SecureUSB BT received a CES 2019 Innovation Award in the computer accessories category. They were also awarded in the cyber security and personal privacy categories.

Users can unlock the AES-256 XTS-encrypted device using the DataLock mobile app, which is available for Android and iOS. For Apple users, the app supports Touch ID, Face ID, and unlocking from the Apple Watch.

By default, the app comes with a remote wipe feature. In a corporate or government environment, administrators can manage user device access, review access logs, and unlock additional app features through the secure web-based DataLock BT Web Console, provided by SecureData’s partner ClevX. The subscription-based web console is an optional service.


The console also allows geo and time-fencing, meaning users can unlock the app only within a pre-defined area or time. The geofencing feature requires a GPS connection to unlock the storage unit. SecureData did not comment on how they could protect the app against geo spoofing.

Since the encryption happens on the device itself, you can use the SecureDrive BT and the SecureUSB BT with any operating system and device, as long as it has a USB port. This means you could plug it into your TV or printer.

The SecureDrive BT is available as an HDD (1-5TB) or SSD (150GB to 8TB).


The SecureUSB BT is available in 16, 32, and 64GB versions.


When bought directly through SecureData, both devices include a one-year subscription for the web-based management console.

Many competitors offer hardware-encrypted storage devices with a keypad, but SecureData is the first to hit the market with an app-based wireless solution. While the wireless unlock mechanism is a potential weak spot, it does feature state-of-the-art encryption and replaces a keypad that could wear down over time.


Facebook Bug Exposes Users’ Photos


A Facebook bug has exposed the private photos of up to 6.8 million users. The bug means thousands of third-party apps had potential access to photos they didn’t have permission to view. The worst thing is the amount of time Facebook took to disclose the incident.

Facebook’s Very Bad Year

It’s fair to say Facebook hasn’t had a good 2018. There was the Cambridge Analytica scandal everyone should be familiar with by now. And over a backdrop of people deleting Facebook, the social network has had ongoing issues maintaining people’s trust.

The issues run deep, with Facebook battling the spread of fake news, advertising campaigns with the potential to influence elections, and a seemingly lax attitude to users’ data and privacy. And now we get the news that private photos were exposed to apps.

Facebook Discloses New Bug

Facebook disclosed the incident in a Facebook for Developers Blog post. The social network explains that this bug affected “people who used Facebook Login and granted permission to third-party apps to access their photos”.

Users sometimes give apps permission to access photos they share on their timeline. However, this bug meant that for 12 days developers could also access other photos shared on Facebook, and even photos people uploaded but then decided not to post.

The bug in question was live between September 13 and September 25, 2018. Facebook discovered and duly fixed the bug on the 25th. However, it has taken almost three months for Facebook to notify the developers affected and, by extension, the users affected.

Facebook is “sorry this happened,” and is rolling out tools to help developers “determine which people using their app might be impacted by this bug.” Those people will then be notified, and directed to a Help Center link explaining the issue in more detail.

Fingers Crossed for 2019

This tops off an annus horribilis for Facebook, and we really hope 2019 brings better fortune. Not for Facebook’s sake, but for the sake of its users. Otherwise Facebook et al might find that everyone collectively decides to quit social media altogether.

Image Credit: Marco Verch/Flickr


Quora Got Hacked: 100 Million Users Affected


Quora has been hacked. The result is that up to 100 million Quora users may have had their data accessed by an as-yet-unknown third party. Quora is actively investigating the incident, and has already taken various steps to improve its security.

For the uninitiated, Quora is a Q&A website which pairs people who have questions with people who have the answers. It’s a fascinating website, and you’re guaranteed to learn something new every time you visit. Including that Quora itself has suffered a data breach.

Quora Reveals It Has Been Hacked

Quora CEO Adam D’Angelo disclosed the incident in this Quora Security Update. In the post, he revealed that “some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party.”

The hacker gained unauthorized access to one of Quora’s systems. And certain information for “approximately 100 million Quora users” may have been compromised. This information includes:

  • The name, email address, and encrypted password you have associated with your account. Thankfully, Quora has stated that passwords are “hashed using bcrypt with a salt that varies for each user”.
  • Public content and actions, which means the questions, answers, comments, and upvotes you have made on the site.
  • Non-public content and actions, which means answer requests, downvotes, and direct messages which aren’t otherwise visible.

There is also a risk that “data imported from linked networks when authorized by users” may have been accessed. Quora lets users sign in using Google or Facebook, so this could potentially spell disaster. Thankfully, there’s no financial information at risk here.

Change Your Quora Password, ASAP

Quora has both its internal security team and a digital forensics company investigating the incident. And it has also notified law enforcement. The company is currently notifying all users whose data has been compromised in the hack.

As is always best practice after a data breach, you should change your password ASAP. In fact, Quora has logged all affected users out of the site, and if you’re one of them you’ll need to change your password when prompted.
