According to a notice [PDF] from J.Crew, someone hacked the company last year. For some reason we’re only finding out about it today, a year later.
“The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders,” J.Crew’s data breach notification explains.
You know, sometimes when I write about this stuff, like Facebook doing every bad thing under the sun with our data, I stop and think: “Am I just a cynical a**hole?” Then, when yet another idiot company has a data breach, I realize, no I’m just reporting reality. These companies deserve to be named and shamed.
Forensic company BlackBag, a Cellebrite company, recently found that locked Apple Notes are temporarily stored in an insecure state.
Let’s Encrypt announced on Saturday, February 29 that it discovered a bug in its Certification Authority Authorization (CAA) code.
A service I recently discovered is URL Canary. It creates a honeypot URL that you can then put in a location such as your cloud storage. It alerts you if that URL has been accessed.
URL Canary will catch automated robots and crawlers, as well as manual human attackers. The only time it won’t catch an attacker is if they don’t see the canary, or they don’t find it sufficiently-compelling and opt not to visit it. Since you have control of the URL and the domain name, you can make your canaries as compelling as possible for your specific use case.
There’s a similar service I know of called CanaryTokens.
Sir Andrew Parker is the head of MI5, the UK’s domestic security service. He wants tech firms to provide “exceptional access” to encrypted messages.
In an ITV interview to be broadcast on Thursday, Sir Andrew Parker says he has found it “increasingly mystifying” that intelligence agencies like his are not able to easily read secret messages of terror suspects they are monitoring.
Bah, this is smoke and mirrors. As the head of a security agency he knows that restricting backdoors to the good guys is impossible.
Clearview AI gained notoriety for partnering with law enforcement on facial recognition, using its database of billions of scraped images from the web. But someone just stole its list of clients.
…Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.”
Meanwhile, law enforcement on end-to-end encryption: “Who needs that kind of encryption, other than maybe the military? We don’t even — in law enforcement — use encryption like that.”
HackerOne is a bug bounty platform that connects companies with security researchers. Recently, when researchers used the platform to disclose six PayPal vulnerabilities, they were punished.
When our analysts discovered six vulnerabilities in PayPal…we were met with non-stop delays, unresponsive staff, and lack of appreciation…When we pushed the HackerOne staff for clarification on these issues, they removed points from our Reputation scores, relegating our profiles to a suspicious, spammy level.
This happened even when the issue was eventually patched, although we received no bounty, credit, or even a thanks…We’ll assume that HackerOne’s response is representative of PayPal’s response.
Researchers found that location data can be leaked to apps on iOS and iPadOS via the clipboard. Apple doesn’t see it as a problem.