Security expert Alon Gal reports that the personal data of 533m Facebook users was dropped on the Internet. Some will loathe the fact that the phone numbers associated with their accounts were released for all to see, for the low, low price of free.
If someone wants to steal your phone number — say, to intercept the two-factor authentication SMSes needed to break into your bank account or other vital service — they hijack your SIM by impersonating you to your phone company (or by bribing someone at the company to reassign your phone number to them), and this has made the security of phone numbers into a top concern for security experts and telecoms companies, as there are millions of dollars at stake.
A dump called "Collection #1" has been released by parties unknown, containing email addresses and cracked passwords: in its raw form, it contains 2.7 billion records, which Troy "Have I Been Pwned" Hunt (previously) de-duplicated to come up with 773 million unique records — of those 140,000,000 email addresses and 10,000,000 passwords have never been seen in the HaveIBeenPwned database before.
Writing for Bloomberg Businessweek, Paul Ford says Facebook's "not-a-breach" of personal information on 50 million of its users is just the latest example of why it's time for a digital protection agency.
Facebook's recent debacle is illustrative. It turns out that the company let a researcher spider through its social network to gather information on 50 million people.
This weekend, we learned that Disqus — the commenting system we once used here on Boing Boing — suffered a breach in 2012 in which 17.5m user accounts (email addresses, signup names, account activity dates and some unsalted, weakly encrypted passwords) were stolen.
Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download — you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files.
Kids Pass is a service that offers discounts on family activities in the UK; their website has several common, serious security problems that could allow hackers to capture their users' passwords, which endangers those users' data on other services where they have (unwisely) recycled those same passwords.
Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers' data; undersecured it; and then failed to warn their customers that they were at risk.
Spiral Toys — a division of Mready, a Romanian electronics company that lost more than 99% of its market-cap in 2015 — makes a line of toys called "Cloudpets," that use an app to allow parents and children to exchange voice-messages with one another.
Without an accurate census, it's virtually impossible to make good national policy, which is why so many countries make census participation mandatory (when former Canadian Prime Minister Stephen "Dumpster Fire" Harper made the long-form census optional, statisticians and policy wonks quailed) — which is why the Australian government's decision to collect and retain — for 10 years — personally identifying information on census participants is such a big deal.
Rosebuttboard.com is a forum for people whose sexual activities include inserting large items into their anuses; the site has been breached by a hacker, who now has details on over 100,000 of its users.
Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts were just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents' passwords and password hints.