The IT Nerd

Twitter CEO Jack Dorsey’s account was pwned by hackers, and the hackers sent a series of incendiary tweets on Friday after his account was compromised. Dorsey’s account tweeted out “#nigger” and “Hitler is innocent,” among other inflammatory remarks. Another tweet read, “Intel is there’s a bomb at Twitter HQ.” If you want to read more about this, here’s a link. But that’s not what I am here to talk to you about. I am here to talk about how it was done. It was done via a technique called a “sim swap.”

The hackers got in through Twitter’s text-to-tweet service, operated by Cloudhopper. This service allows you to tweet by text via your cell phone. But that requires control of your cell phone. That’s where the “sim swap” comes in. The same hackers convinced Dorey’s carrier which apparently was AT&T to serve up control of his phone number and move it to a phone that they controlled to pull this off. This is not a new technique as taking control of Instagram handles and the theft of Bitcoin has been pulled off via this hack for example. But this type of hack is becoming increasingly common.

Twitter pretty much confirmed that this happened:

Every carrier everywhere on the planet is open to this type of pwnage. Thus you should take steps to protect yourself. Putting a PIN code on your account is one step to protecting yourself, My carrier which is Telus requires this when you sign up. But other carriers may or may not require this. Thus you should ask your carrier if they support PIN codes and enable that feature if they do. If a carrier doesn’t support PIN codes, it’s a carrier that you likely don’t want to be doing business with as you are wide open to being pwned because of your carrier’s lax security.

As for any apps that you want to ensure the security of, I would recommend this article from The Verge with steps to protect yourself. The fact is that you and you alone can protect yourself from ending up like Dorsey. Thus I would suggest that you read this article and take action immensely.

Adult website Luscious has apparently been pwned by hackers according to vpnMentor’s research team. And here’s what is floating in the wild as I type this:

The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences. 

The private personal user details we viewed included:

• Usernames
• Personal email addresses
• User activity logs (date joined, most recent log in)
• Country of residence/location
• Gender

Some users’ email addresses indicated their full names, increasing their vulnerability to exploitation and cybercrime.

Now the researchers admit that they think that 20% of the emails are fake. But for the other 80%, this isn’t good. The possibilities of pwnage are endless. Thus if you’ve used this site, you might want to be extra vigilant.

News is breaking on sites like Bloomberg that a hacker has broken into a cloud server under the control of credit card company Capitol One and as many as 100 million people might have had their data illegally accesses.

Here’s where it gets strange. The hacker was caught:

The woman, Paige A. Thompson, was arrested Monday and appeared in federal court in Seattle. The data theft occurred some time between March 12 and July 17, federal prosecutors in Seattle said. The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.

“I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One’s chief executive officer, in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected.”

About 6 million individuals in Canada were also impacted by the breach, Capital One said.

And:

The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history.

About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.

I for one would love to know who the cloud computing company is at they have some questions to answer in terms of how this woman got in and got access to this data. Here’s why that matters:

Capital One, which is based in McLean, Virginia, has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020 — a move the company says will help lower costs.

If you are going to outsource stuff to the cloud, your security has to be on point. Otherwise bad things will happen to you and worse things will happen to your customers. Thus along with the cloud computing company, I really want to know what Capitol One is going to do to protect customers data going forward, and what they are going to do to protect the 100 million customers who’s data is now out there.

Back to the woman behind this hack for a second. Usually the hackers get away scott free with this sort of thing. So she was either sloppy or wanted to get caught. I say that either is in play because according to this, she posted details about it on Slack which is either mind blowingly stupid, or a clear indication that she wanted to be caught.

Stay tuned to this case as it will be interesting to watch on multiple fronts.

Sometimes it’s not people from the outside that you have to worry about when it comes to protecting your data. Sometimes you have to worry about your own employees. A case in point is Desjardins who today admitted that this happened:

A Laval police investigation, which Desjardins has been closely involved with, has revealed that the personal information of 2.9 million members (2.7 million personal members and 173,000 business members) was disclosed to individuals outside Desjardins without authorization.

The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired.

The company says that it has not been the target of a cyberattack, and that it has not seen cases of fraud with the the people who have been affected by this Passwords for business and personal accounts have not been compromised. Nor have security questions and PINs have not been impacted. Those who have been impacted the breach are being offered a 12-month credit monitoring plan paid for by Desjardins and they are monitoring the affected accounts.

This should serve as a warning to all companies who handle personal data as it’s pretty clear that bad things can happen if a bad actor inside your company decides to go rogue. And you can expect there to be some serious fallout for Desjardins over this incident.

Another day, another data breach. This time The Register has news on a data breach that affects….. wait for it…. At least 617 million accounts:

Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

It’s been confirmed that the data breach is real and affected sites are alerting their users and taking measures to try and protect their users. And the fact that the data is up for sale means that the effects will go on for months and years. Still, it’s not as big as the data breach that involved 2.2 billion accounts that came to light earlier this year. But it is still scary.

As for how you can protect yourself, you can visit Hunt’s Have I Been Pwned service to see if you are affected by this breach.