Archive for Hacked

BREAKING: Marriott Pwned…. 500 Million Guests Affected

Posted in Commentary with tags on November 30, 2018 by itnerd

The news is breaking that hotel chain Marriott has been pwned by hackers. Specifically what has been pwned is the Starwood reservation database which they got when the bought a bunch of hotels in India and Germany a couple of years ago. Now this is a hack that affects me personally as I’ve stayed in Marriott properties over the last two years which makes me one of the 500 million people who have been affected. What’s really scary about this is that hackers have had access since 2014 but the hotel chain only figured that out last week.

All together now: Whiskey Tango Foxtrot?

Here are more specifics:

For 327 million people, Marriott says the guests’ exposed information includes their names, phone numbers, email addresses, passport numbers, date of birth and arrival and departure information. For millions others, their credit card numbers and card expiration dates were potentially compromised.

Marriott warns that it can’t confirm if the hackers were able to decrypt the credit card numbers.

A website has been set up and affected guests will be contacted. But this is really bad and those affected by this like yours truly should take action ASAP to protect themselves.

UPDATE: One of those affected by this hack was well known hacker Kevin Mitnick who said this:

He’s right. Companies need to seriously step up their game in order to stop stuff like this from happening. Marriott needs to slapped silly by the relevant authorities in order to send a message that this isn’t acceptable.


Canada Post Pwned…. 4500 Cannabis Customers Had Their Data Swiped

Posted in Commentary with tags , on November 8, 2018 by itnerd

Cannabis has been legal in Canada for the last few weeks. And if you live in Ontario, the only way to buy Cannabis legally is online via a government run store who will deliver your stash to you via Canada Post. Too bad Canada Post had to announce that they got pwned:

The postal service said in a statement that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store but declined to identify the information.

And it seems that the Ontario Cannabis Store is accusing Canada Post of being slow to act:

In a statement on Wednesday, the Ontario Cannabis Store said it referred the matter to the province’s privacy commissioner. The statement also said the store had “encouraged” Canada Post to take immediate action to notify its customers.

“To date, Canada Post has not taken action in this regard,” the store said in its statement. “Although Canada Post is making its own determination as to whether notification of customers is required in this instance, the OCS has notified all relevant customers.

So if you bought some weed from the Ontario Cannabis Store, you might have someone reaching out to you.

Now my first thought upon reading this, beyond my usual reaction of “I hope that someone slaps the relevant parties silly for this data breach”, is that this is a huge problem. For example, one could be barred from traveling to the US or to other companies if it became known that you smoked the stuff. Thus there needs some serious questions answered by both Canada Post and the Ontario Cannabis Store.

British Airways Pwned….. 380,000 Credit Card Payments Compromised

Posted in Commentary with tags on September 7, 2018 by itnerd

This isn’t a good day to be British Airways as earlier today the airline said credit card information of at least 380,000 customers have been “compromised” in a data breach that occurred between August 21 and September 5. The information stolen includes customer names, email addresses, home addresses and payment card information. But not travel or passport details:

In an email to affected customers, BA said: “We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice. We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.” The breach has been “resolved” and the website is “working normally,” it said. In a statement, the airline added: “We have notified the police and relevant authorities… [and] will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis.”

Seeing as this is an European based airline, they had to notify the public quickly as they are covered by GDPR. But you have to wonder if British Airways will face any punishment for getting pwned by hackers? If not, this will simply keep happening. Nor will the airline have any incentive make sure that this doesn’t happen again, other than to close whatever holes led to this.

Air Canada App Pwned…..20,000 People Affected

Posted in Commentary with tags , on August 29, 2018 by itnerd

Apparently users of the Air Canada mobile app may have something to worry about as about 20,000 users of said app may have been affected by a data breach that happened between Aug. 22‑24, 2018. MobileSyrup received an email about this breach from Air Canada and CBC News is reporting the same thing. But there has been no comment directly from the company on this as of yet. As a precaution, users of the Air Canada app should change their passwords ASAP. Though according to CBC News, that might be a problem at present.

Hopefully the airline releases some sort of statement to shed further light on this incident.

UPDATE: Air Canada has now confirmed the data breach. The FAQ that I linked to is very much worth reading if you use the Air Canada app.

T-Mobile USA Pwned…. Info On Over 2 Million Customers Swiped

Posted in Commentary with tags on August 24, 2018 by itnerd

If you are a T-Mobile USA customer, then I have some really bad news for you. The company has disclosed that hackers have swiped the info of at least 2 million customers. Compromised information includes names, zip codes, phone numbers, email addresses, account numbers and account types. The company posted a message on its website, and is in the process of texting all affected customers. Apparently they were pwned on August 20 which means they disclosed this information somewhat quickly. So kudos to them on that front. But the fact that this happened at all continues to illustrate that companies need to do much more to protect the personal info of their customers.



Reddit Pwned….. Email Addresses And MAYBE Passwords Leaked

Posted in Commentary with tags on August 1, 2018 by itnerd

Earlier today Reddit  announced that it has suffered a data breach. If you read the document that I linked to, it will give you specifics as to what was hacked. But in short, a hacker gained access to a 2007 database backup that included old salted and hashed passwords. Meaning that they were not in a state that the passwords were readable. At least not without some work. Email digests sent by Reddit in June 2018 were also obtained.

The data breach occurred between June 14 and June 18, with hackers accessing Reddit employee accounts through the company’s cloud and source code hosting providers rather than the site itself. Those systems used SMS-based two-factor authentication that failed, and the main attack happened through SMS intercept.

Reddit is sending emails to users affected by the database hack, which means that if you signed up for Reddit before 2007 or during 2007, you should check your inbox. The site will be resetting the passwords of affected users. But if you use the site, you should really consider updating your password to something strong and unique as well as enabling two-factor authentication as that runs on a different mechanism than the one that was exploited in this hack.

Health Care Company CarePartners Pwned By Hackers…. And The Hackers Are Speaking Out

Posted in Commentary with tags on July 17, 2018 by itnerd

This is something that you don’t see everyday. CarePartners which is a health care company that provides home medical care services on behalf of the Ontario government have been pwned by hackers. According to the company, the hackers only got access to a small amount of data.

Now I do admit that companies get pwned by hackers all the time sadly. But what’s unusual about this situation is that the hackers are speaking out:

However, a group claiming responsibility for the breach recently contacted CBC News and provided a sample of the data it claims to have accessed, shedding new light on the extent of the breach.

The sample includes thousands of patient medical records with phone numbers and addresses, dates of birth, and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province.

Another document appears to contain more than 140 active patient credit card numbers and expiry dates, many with security codes.

The attackers claimed the sample was a subset of hundreds of thousands of patient records and related materials in their possession dating back to 2010.

“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” they told CBC News.

CarePartners did not answer questions about the ransom, and it is not clear if or when the data will be posted online.

For the record, CBC was able to verify that the data they got was on the level. Which isn’t good if you’re CarePartners. Then there’s the fact that the company says that they take protecting data seriously. But the hackers say something entirely different.

The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed.”

#Fail. Clearly CarePartners don’t take the security of data seriously based on that.

Now I get why CarePartners might want to minimize the extent of this. But it’s not a workable strategy long term because in Canada there’s strong privacy laws and this sort of thing does get investigated by Canada’s Privacy Commissioner. So the truth will come out eventually and CarePartners will get smacked pretty hard. Thus if I were them, I would just come clean now and work with everyone from the Privacy Commissioner to law enforcement and security firms to address this.