Data from facial recognition scans performed by US Customs and Border Patrol on travelers crossing at an unnamed lander border point (an anonymous source says it's a US-Canada crossing) have been stolen by hacker or hackers unknown. Read the rest

Quest Diagnostics is one of America's biggest medical testing companies; they have warned securities regulators that they lost 12,000,000 customer records (credit card numbers, bank account information, medical information, Social Security Numbers, and other personal information) due to a breach at ACMA, a collection agency they used. Read the rest

First American Financial Corp is a Fortune 500 company that insures titles on peoples' property; their insecure website exposed 885,000,000 records for property titles, going back 16 years, including bank accounts (with scanned statements), Social Security numbers, wire transaction receipts, scanned drivers' licenses, tax records, mortgage records, etc -- when notified of the error, the company (which employs 18,000 people and grossed more than $5.7B last year) closed the misconfiguration. Read the rest

OG Users is a forum for people who steal login credentials for online services, mostly to sell desirable login-names for popular services like Instagram; it attained notoriety when Motherboard's Lorenzo Franceschi-Bicchierai linked the forum to an epidemic of SIM-swapping attacks; a few months later, the Reply All podcast devoted an episode to the forum. Read the rest

Writing on Techcrunch, Zack Whittaker (previously) calls out the timeworn phrase "we take your privacy and security seriously," pointing out that this phrase appears routinely in company responses to horrific data-breaches, and it generally accompanied by conduct that directly contradicts it, such as stonewalling and minimizing responsibility for breaches and denying their seriousness. "We take your privacy and security seriously" is really code for "Please stop asking us to take your privacy and security seriously." Read the rest

A dump called "Collection #1" has been released by parties unknown, containing email addresses and cracked passwords: in its raw form, it contains 2.7 billion records, which Troy "Have I Been Pwned" Hunt (previously) de-duplicated to come up with 773 million unique records -- of those 140,000,000 email addresses and 10,000,000 passwords have never been seen in the HaveIBeenPwned database before. Read the rest

After a successful phishing attack that captured over 50 accounts, hackers stole 500,000 records from the San Diego Unified School District, for staff, current students, and past students going all the way back to 2008; including SSNs, home addresses and phone numbers, disciplinary files, health information, emergency contact details, health benefits and payroll info, pay information, financial data for direct deposits. Read the rest

Facebook has notified 6.8 million users that, due to a bug, the company allowed its third-party developers to access all the users' photos, including those marked as private. Read the rest

Equifax doxed 145 million Americans, dumping their most sensitive financial data into the world forever, with repercussions that will be felt for decades to come. Read the rest

Long before Quora admitted to being breached and losing 100,000,000 million users' account data, it had disqualified itself from being used, by dint of its impulse to hoard knowledge and the likelihood that its limping business model would cause it to imminently implode. Read the rest

A user called FBSaler is offering personal data for Facebook users at $0.10 each, claiming to have account data from 120,000,000 users to offer; to prove that they have the goods, they've dumped the private messages sent by 81,000 Facebook users; and account data from 176,000. Read the rest

Cathay Pacific started investigating a potential breach in March; by May they'd learned of breaches to a system with 9.4 million travelers' data on it, then for some reason they didn't tell anyone about it, until now: "The following personal data was accessed: passenger name; nationality; date of birth; phone number; email; address; passport number; identity card number; frequent flyer programme membership number; customer service remarks and historical travel information." They are sorry if you are upset: "We are very sorry for any concern this data security event may cause our passengers." Read the rest

Yesterday, at least 90,000,000 Facebook users were forced to log back into the service without any explanation; later, the company revealed that at least 50,000,000 of them had been hacked, but wouldn't say how. Read the rest

When news broke yesterday that Facebook had suffered a breach affecting at least 50,000,000 users, Facebook users (understandably) began to widely share links to articles about the breach. Read the rest

Firefox Monitor is a new service from Mozilla that draws on data from Have I Been Pwned? (previously) to keep you informed when your data is breached and shows up online. The service also includes important advice, including "Treat security questions like extra passwords" by creating "long, random answers." It's good advice: certainly, it's easier to put into practice than convincing your mother to travel back in time and change her "maiden name." Read the rest

When Vancouver tech retailer NCIX went bankrupt, it stopped paying its bills, including the bills for the storage where its servers were being kept; that led to the servers being auctioned off without being wiped first, containing sensitive data -- addresses, phone numbers, credit card numbers, passwords, etc -- for thousands of customers. Also on the servers: tax and payroll information for the company's employees. Read the rest

Jesse writes, "Vancouver tech retailer NCIX was driven into the ground last year (much to the morbid fascination of local techies). Now their fetid corpse is in the news again, after their SQL servers were sold for $1500 at auction without being wiped, containing the personal data – including credit card details – of thousands of customers." Read the rest