Careless ‘Whisper’ Leaks Years of User Data

· Andrew Orr · Link

Whisper, an app for people to share their secrets, exposed user data like age, location, and more for years.

The records were viewable on a non-password-protected database open to the public Web. A Post reporter was able to freely browse and search through the records, many of which involved children: A search of users who had listed their age as 15 returned 1.3 million results.

The cybersecurity consultants Matthew Porter and Dan Ehrlich, who lead the advisory group Twelve Security, said they were able to access nearly 900 million user records from the app’s release in 2012 to the present day.

You can never be 100% secure but at least put a damn password on your server.

Someone Stole Clearview AI’s List of Clients

· Andrew Orr · Link

Clearview AI gained notoriety for partnering with law enforcement on facial recognition, using its database of billions of scraped images from the web. But someone just stole its list of clients.

…Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.”

Meanwhile, law enforcement on end-to-end encryption: “Who needs that kind of encryption, other than maybe the military? We don’t even — in law enforcement — use encryption like that.”

Wyze Leaks Data of 2.4 Million Security Camera Customers

· Andrew Orr · Link

Wyze makes cheap security cameras: cheap in price and, ironically, now apparently in security as well. A database of its user data was found exposed on the internet, with no authentication in front of it.

This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.

“We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th,” the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked “body metrics” for a small number of beta testers.

I’m still trying to figure out why a security camera company would have health information.

Database of 1.2 Billion Records Found With Scraped Data

· Andrew Orr · Link

A database holding 1.2 billion records was found on the dark web back in October. I hesitate to call this a data breach because:

While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

In other words, this is all data that people have willingly put on their social media profiles. While it can be used for nefarious purposes (especially the phone numbers), this is less a breach and more a database of scrapes. Nevertheless, I’m using our “data breach” tag.

Amazon Ring Surveillance Cameras Leak Customer Data

· Andrew Orr · Link

Romanian security company Bitdefender found that Amazon’s Ring Video Doorbell Pro was leaking customer data, including Wi-Fi credentials, to an attacker physically near the device.

Bitdefender researchers have discovered an issue in Amazon’s Ring Video Doorbell Pro IoT device that allows an attacker physically near the device to intercept the owner’s Wi-Fi network credentials and possibly mount a larger attack against the household network.

At the moment of publishing this paper, all Ring Doorbell Pro cameras have received a security update that fixes the issue described herein.

You can view the whitepaper [PDF] here.

Leaked Internal Facebook Documents Reveal Disturbing Information

· Andrew Orr · Link

Today a trove of 4,000 internal Facebook documents reveals how the social media giant profits off user data and battles rivals.

Here are some of the key revelations from the document dump, including some from reports published on earlier leaks:

Facebook wielded its control over user data to hobble rivals like YouTube, Twitter, and Amazon.

Facebook executives quietly planned a data-policy “switcharoo.”

Facebook considered charging companies to access user data.

Facebook whitelisted certain companies to allow them more extensive access to user data, even after it locked down its developer platform throughout 2014 and 2015.

Facebook planned to spy on the locations of Android users.

The PDF can be found here, but currently it’s taking forever to load. Grab it while it’s hot.

Travel Platform Autoclerk Just Leaked 179GB of Military Data

· Andrew Orr · Link

Hosted on AWS servers, Autoclerk leaked 179GB of travel and hotel-booking data containing sensitive personal details of hotel guests, among them US government and military personnel.

The most surprising victim of this leak wasn’t an individual or company: it was the US government, military, and Department of Homeland Security (DHS). Our team viewed highly sensitive data exposing the personal details of government and military personnel, and their travel arrangements to locations around the world, both past and future. This represented a massive breach of security for the government agencies and departments impacted.

Your X-Ray Images and Medical Data Are Available on the Internet

· Andrew Orr · Link

A ProPublica investigation revealed that medical images and health data are often stored on insecure servers that are easily accessible to anyone with a bit of computer knowledge.

We identified 187 servers — computers that are used to store and retrieve medical data — in the U.S. that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers and mobile X-ray services.

All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates and, in some cases, Social Security numbers.

That Recent Data Breach Might Not Be Limited to Capital One

· Andrew Orr · Link

The Capital One data breach might not have been limited to the bank. Other companies could have been affected too, according to Slack messages from the alleged hacker, Paige Thompson.

Reports from Forbes and security reporter Brian Krebs indicate that Capital One may not have been the only company affected, pointing to “one of the world’s biggest telecom providers, an Ohio government body, and a major U.S. university,” according to Slack messages sent by the alleged hacker.

Krebs posted a screenshot of a list of files purportedly stolen by the alleged hacker. The stolen data contained filenames including car maker “Ford” and Italian financial services company “Unicredit.”

MongoDB Database Exposed 188 Million Records

· Andrew Orr · News

An exposed MongoDB database was found on June 18, 2019, containing 188 million records of personal information, just lying out in the open.
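Every exposed-database story on this page (Whisper, Wyze, Orvibo, xSocialMedia, and this 188-million-record MongoDB instance) comes down to the same two settings: the server listens on every network interface, and it does not require clients to authenticate. The script below is an added example, not code from any of the companies or researchers named here. It audits a mongod.conf for that combination and reports the weak configuration beside the hardened one. Both configurations are constructed samples, and the parser handles only the nested-mapping subset of YAML that mongod.conf actually uses, so it runs without any third-party library.

```python
"""Audit a mongod.conf for the "open to the public Web, no password" failure mode.

Added example for this page; not code from Wyze, Orvibo, Whisper or MongoDB Inc.
Two settings are checked:
  net.bindIp / net.bindIpAll  -> which interfaces mongod listens on
  security.authorization      -> whether clients must authenticate ("enabled")
"""
from typing import Dict, List, Optional

# Constructed sample: the classic exposed configuration. No security section at
# all, and bindIp 0.0.0.0 makes the port reachable from every network the host is on.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: listens only on loopback and a private address, and requires auth.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # hypothetical private/VPN address
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict:
    """Parse the YAML subset mongod.conf uses: nested mappings with scalar leaves.

    Comments (#...) and blank lines are ignored; lists and quoting are not supported,
    which is enough for the settings this audit reads.
    """
    root: Dict = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            child: Dict = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def lookup(conf: Dict, path: str, default: Optional[str] = None) -> Optional[str]:
    """Fetch a dotted key such as 'net.bindIp', returning default if absent."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node if isinstance(node, str) else default


def audit(conf_text: str) -> List[str]:
    """Return findings for the config; an empty list means both checks pass."""
    conf = parse_conf(conf_text)
    findings: List[str] = []
    # mongod has defaulted to localhost since 3.6; on older releases a missing
    # bindIp meant all interfaces, so treat absence as exposed on legacy servers.
    bind = lookup(conf, "net.bindIp", "127.0.0.1") or "127.0.0.1"
    bind_all = (lookup(conf, "net.bindIpAll", "false") or "false").lower() == "true"
    addrs = {a.strip() for a in bind.split(",")}
    exposed = bind_all or bool(addrs & {"0.0.0.0", "::"})
    authz = (lookup(conf, "security.authorization", "disabled") or "").lower() == "enabled"
    if exposed:
        findings.append(f"net.bindIp={bind!r}: listens on all interfaces")
    if not authz:
        findings.append("security.authorization is not 'enabled': any client that reaches the port can read every database")
    if exposed and not authz:
        findings.append("CRITICAL: reachable from any network AND no authentication")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # audit a real file: python audit_mongod.py /etc/mongod.conf
        with open(sys.argv[1]) as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("weak sample", WEAK_CONF), ("hardened sample", HARDENED_CONF)]
    for name, text in samples:
        print(f"{name}:")
        for finding in audit(text) or ["no findings"]:
            print("  -", finding)
```

The config only tells you what mongod was asked to do, not what the network actually allows. The complementary check is from a host outside your perimeter: `mongosh --host <public address> --eval 'db.adminCommand({listDatabases: 1})'` should either fail to connect or be refused because the command requires authentication. If it returns a list of databases, you have the Whisper situation, whatever the config file says.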

Over 2 Billion User Records Exposed in Orvibo Data Breach

· Andrew Orr · Link

Orvibo makes smart home products, and researchers found its database exposed, leaking over two billion user records. These included usernames, email addresses, passwords, and precise locations.

The data breach affects users from around the world. We found logs for users in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. We expect that there are more users represented in the 2 billion plus logs.

We first contacted Orvibo via email on June 16. When we didn’t receive a response after several days, we also tweeted the company to alert them to the breach. They still have not responded, nor has the breach been closed.

Utterly ridiculous. It’s one thing to leak data, and another thing to ignore the problem and not fix it.

Facebook Marketing Agency xSocialMedia Leaks Medical Data

· Andrew Orr · Link

xSocialMedia, a marketing agency on Facebook that runs campaigns for medical malpractice lawsuits, has leaked medical and other data for about 150,000 people.

vpnMentor notes that xSocialMedia might not be subject to HIPAA compliance because patients are free to disclose their health information to the parties of their choice – in this case, by inputting it into a form on one of the advertising firm’s sites.

vpnMentor says it discovered the leak on 2 June. xSocialMedia responded on 11 June and closed the database up on the same day.

What a nice bit of information to wake up to.