"haveibeenpwned"

Comcast assigned every mobile customer the same unchangeable PIN to protect against SIM hijack attacks: 0000

If someone wants to steal your phone number -- say, to intercept the two-factor authentication SMSes needed to break into your bank account or other vital service -- they hijack your SIM by impersonating you to your phone company (or by bribing someone at the company to reassign your phone number to them), and this has made the security of phone numbers into a top concern for security experts and telcoms companies, as there are millions of dollars at stake. Read the rest

Largest dump in history: 2.7 billion records; 773 million of them unique; 140 million never seen before

A dump called "Collection #1" has been released by parties unknown, containing email addresses and cracked passwords: in its raw form, it contains 2.7 billion records, which Troy "Have I Been Pwned" Hunt (previously) de-duplicated to come up with 773 million unique records -- of those 140,000,000 email addresses and 10,000,000 passwords have never been seen in the HaveIBeenPwned database before. Read the rest

Facebook says giving Cambridge Analytica info on 50 million people wasn't a “breach.” It was a feature

Writing for Bloomberg Businessweek, Paul Ford says Facebook's "not-a-breach" of personal information on 50 millions of its users is just the latest example of why it's time for a digital protection agency.

Facebook’s recent debacle is illustrative. It turns out that the company let a researcher spider through its social network to gather information on 50 million people. Then the Steve Bannon-affiliated, Robert Mercer-backed U.K. data analysis firm Cambridge Analytica used that data to target likely Trump voters. Facebook responded that, no, this was not a “breach.”

OK, sure, let’s not call it a breach. It’s how things were designed to work. That’s the problem.

...

How might a digital EPA function? Well, it could do some of the work that individuals do today. For example, the website of Australian security expert Troy Hunt, haveibeenpwned.com (“pwned” is how elite, or “l33t,” hackers, or “hax0rs,” spell “owned”), keeps track of nearly 5 billion hacked accounts. You give it your email, and it tells you if you’ve been found in a data breach. A federal agency could and should do that work, not just one very smart Australian—and it could do even better, because it would have a framework for legally exploring, copying, and dealing with illegally obtained information. Yes, we’d probably have to pay Booz Allen or Accenture or whatever about $120 million to get the same work done that Troy Hunt does on his own, but that’s the nature of government contracting, and we can only change one thing at a time.

Read the rest

Discus breached 17.5 million user accounts in 2012, then did everything right about it in 2017

This weekend, we learned that Discus -- the commenting system we once used here on Boing Boing -- suffered a breach in 2012 in which 17.5m user accounts (email addresses, signup names, account activity dates and some unsalted, weakly encrypted passwords) were stolen. Read the rest

Download 306,000,000 cracked passwords and make sure you're not using one of them

Troy Hunt, proprietor of the Have I Been Pwned? service, has made 306,000,000 known-cracked passwords available as a download -- you can grab the set and make sure that yours isn't among them, as these cracked passwords are the ones that are likely being used by hackers when they do brute-force attacks against encrypted password files. Read the rest

Security researchers repeatedly warned Kids Pass about bad security, only to be ignored and blocked

Kids Pass is a service that offers discounts on family activities in the UK; their website makes several common -- and serious -- security problems that could allow hackers to capture their users' passwords, which endangers those users' data on other services where they have (unwisely) recycled those same passwords. Read the rest

How companies should plan for, and respond to, security breaches

Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers' data; undersecured it; and then failed to warn their customers that they were at risk. Read the rest

Collapsing "connected toy" company did nothing while hackers stole millions of voice recordings of kids and parents

Spiral Toys -- a division of Mready, a Romanian electronics company that lost more than 99% of its market-cap in 2015 -- makes a line of toys called "Cloudpets," that use an app to allow parents and children to exchange voice-messages with one another. They exposed a database of millions of these messages, along with sensitive private information about children and parents, for years, without even the most basic password protections -- and as the company imploded, they ignored both security researchers and blackmailers who repeatedly contacted them to let them know that all this data was being stolen. Read the rest

Decision to retain personally identifying information puts Australian census under threat

Without an accurate census, it's virtually impossible to make good national policy, which is why so many countries make census participation mandatory (when former Canadian Prime Minister Stephen "Dumpster Fire" Harper made the long-form census optional, statisticians and policy wonks quailed) -- which is why the Australian government's decision to collect and retain -- for 10 years -- personally identifying information on census participants is such a big deal. Read the rest

Anal fisting site breached: 100K passwords, usernames, email addresses and IPs extracted

Rosebuttboard.com is a forum for people whose sexual activities include inserting large items into their anuses; the site has been breached by a hacker, who now has details on over 100,000 of its users. Read the rest

Vtech breach dumps 4.8m families' information, toy security is to blame

Vtech is a ubiquitous Hong Kong-based electronic toy company whose kiddy tablets and other devices are designed to work with its cloud service, which requires parents to set up accounts for their kids. 4.8 million of those accounts just breached, leaking a huge amount of potentially compromising information, from kids' birthdays and home addresses to parents passwords and password hints. Read the rest