Archive for Hacked

BREAKING: Ontario Science Center Has Had A Data Breach

Posted in Commentary on October 28, 2019 by itnerd

Thanks to a tip from a reader of this blog, it has come to my attention that the Ontario Science Center has apparently had a data breach according to this. What is weird about that statement is that it isn’t posted to the Ontario Science Center website. The reader in question got it in an email. Thus I suspect that the broader public doesn’t know, as a quick browse of their website indicates that they haven’t posted anything in the public realm about this.

Anyway, here’s the key details:

On August 16, 2019, the Ontario Science Centre received notification from Campaigner that someone made a copy of the Science Centre’s subscriber emails and names without authorization. No other personal identification, financial information or passwords were accessed.

An investigation conducted by Campaigner revealed that the credentials of a former employee were used from July 23 to August 7 to access and download the information contained in the Science Centre’s client account. Upon learning of the breach, Campaigner immediately discontinued use of the credentials and implemented further measures to prevent a similar issue happening in the future. Campaigner also notified law enforcement and is assisting the authorities in finding the perpetrator.

So what that says right off the top is that the Ontario Science Center would have had no clue about this had Campaigner not pointed it out. That’s not how things should work, kids. In any case, the statement has all the usual things that companies say when they’ve been pwned in some way, including the fact that the Information and Privacy Commissioner of Ontario has been contacted.

Yes, I am becoming a bit jaded because this sort of thing happens way too often.

It will be interesting to see if the Ontario Science Center will make a public disclosure beyond what they have already done. I’m keeping an eye out to see what happens next.

UPDATE: CBC News is now reporting on this. I don’t see any other media reports thus far.


Chrome & WebKit Flaws Allowed Malvertiser To Display Sketchy Ads

Posted in Commentary on October 2, 2019 by itnerd

It seems that a malvertiser known as eGobbler has been exploiting multiple browser security flaws to display invasive pop-up ads and to redirect users to malicious websites. This comes from security researchers at Confiant who said that in April they noticed eGobbler exploiting a bug in Chrome for iOS, which enabled them to bypass the built-in pop-up blocker in the OS to overwhelm users with ads. The exploit also enabled them to redirect users to malicious sites. Confiant researchers notified the Chromium team about the bug (CVE-2019-5840), which eventually got patched in June with the release of Chrome 75.

Then in August they saw the same thing, as the same actor started exploiting flaws in WebKit, the browser engine at the core of older Chrome versions and Apple’s Safari, and in Blink, the WebKit fork used in recent versions of Chrome. Both Apple and Google were alerted to this. Apple released a patch for WebKit within three days and closed the bug in both iOS 13 and Safari 13.0.1 in September. But Google has yet to close the hole, which means Chrome users may still be vulnerable.

According to the researchers, malvertising campaigns by eGobbler typically last for a few days. In that period, eGobbler buys advertisements on genuine services but embeds malicious code in its adverts to perform unauthorized activity in users’ browsers. These activities normally include displaying disruptive pop-up ads or redirecting users to malicious sites running scams or hosting malware, which makes what they do very dangerous.

So how do you protect yourself? If you’re on a Mac and you use Safari, you need to make sure that you are running Safari 13.0.1. If you’re using Chrome, you may want to consider switching browsers until this is addressed by Google.

Twitter’s CEO’s Twitter Account Pwned…. Here’s Why YOU Should Care

Posted in Commentary on September 1, 2019 by itnerd

Twitter CEO Jack Dorsey’s account was pwned by hackers, and the hackers sent a series of incendiary tweets on Friday after his account was compromised. Dorsey’s account tweeted out “#nigger” and “Hitler is innocent,” among other inflammatory remarks. Another tweet read, “Intel is there’s a bomb at Twitter HQ.” If you want to read more about this, here’s a link. But that’s not what I am here to talk to you about. I am here to talk about how it was done. It was done via a technique called a “sim swap.”

The hackers got in through Twitter’s text-to-tweet service, operated by Cloudhopper. This service allows you to tweet by text via your cell phone. But that requires control of your cell phone. That’s where the “sim swap” comes in. To pull this off, the hackers convinced Dorsey’s carrier, which apparently was AT&T, to hand over control of his phone number and move it to a phone that they controlled. This is not a new technique; taking over Instagram handles and stealing Bitcoin, for example, have been pulled off via this hack. But this type of hack is becoming increasingly common.

Twitter pretty much confirmed that this happened:

Every carrier everywhere on the planet is open to this type of pwnage. Thus you should take steps to protect yourself. Putting a PIN code on your account is one step to protecting yourself. My carrier, which is Telus, requires this when you sign up. But other carriers may or may not require this. Thus you should ask your carrier if they support PIN codes and enable that feature if they do. If a carrier doesn’t support PIN codes, it’s a carrier that you likely don’t want to be doing business with, as you are wide open to being pwned because of your carrier’s lax security.

As for any apps that you want to ensure the security of, I would recommend this article from The Verge with steps to protect yourself. The fact is that you and you alone can protect yourself from ending up like Dorsey. Thus I would suggest that you read this article and take action immediately.

Luscious Pwned…. Almost 1.2 Million Users Affected

Posted in Commentary on August 21, 2019 by itnerd

Adult website Luscious has apparently been pwned by hackers according to vpnMentor’s research team. And here’s what is floating in the wild as I type this:

The data breach gave our team access to 1.195 million user accounts on Luscious. All of these were compromised, revealing personal details of users with potentially devastating consequences.

The private personal user details we viewed included:

  • Usernames
  • Personal email addresses
  • User activity logs (date joined, most recent log in)
  • Country of residence/location
  • Gender

Some users’ email addresses indicated their full names, increasing their vulnerability to exploitation and cybercrime.

Now the researchers admit that they think that 20% of the emails are fake. But for the other 80%, this isn’t good. The possibilities of pwnage are endless. Thus if you’ve used this site, you might want to be extra vigilant.

BREAKING: Capital One Pwned… 100 Million People Affected

Posted in Commentary on July 29, 2019 by itnerd

News is breaking on sites like Bloomberg that a hacker has broken into a cloud server under the control of credit card company Capital One, and as many as 100 million people might have had their data illegally accessed.

Here’s where it gets strange. The hacker was caught:

The woman, Paige A. Thompson, was arrested Monday and appeared in federal court in Seattle. The data theft occurred some time between March 12 and July 17, federal prosecutors in Seattle said. The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.

“I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One’s chief executive officer, in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected.”

About 6 million individuals in Canada were also impacted by the breach, Capital One said.


The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history.

About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.

I for one would love to know who the cloud computing company is, as they have some questions to answer in terms of how this woman got in and got access to this data. Here’s why that matters:

Capital One, which is based in McLean, Virginia, has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020 — a move the company says will help lower costs.

If you are going to outsource stuff to the cloud, your security has to be on point. Otherwise bad things will happen to you and worse things will happen to your customers. Thus along with the cloud computing company, I really want to know what Capital One is going to do to protect customers’ data going forward, and what they are going to do to protect the 100 million customers whose data is now out there.

Back to the woman behind this hack for a second. Usually the hackers get away scot-free with this sort of thing. So she was either sloppy or wanted to get caught. I say that either is in play because, according to this, she posted details about it on Slack, which is either mind-blowingly stupid or a clear indication that she wanted to be caught.

Stay tuned to this case as it will be interesting to watch on multiple fronts.

Desjardins Employee Leaks Customer Data…. Lots Of Customer Data

Posted in Commentary on June 20, 2019 by itnerd

Sometimes it’s not people from the outside that you have to worry about when it comes to protecting your data. Sometimes you have to worry about your own employees. A case in point is Desjardins who today admitted that this happened:

A Laval police investigation, which Desjardins has been closely involved with, has revealed that the personal information of 2.9 million members (2.7 million personal members and 173,000 business members) was disclosed to individuals outside Desjardins without authorization.

The investigation quickly traced the leak to a single source: an ill-intentioned employee who acted illegally and betrayed the trust of their employer. That person was fired.

The company says that it has not been the target of a cyberattack, and that it has not seen cases of fraud involving the people who have been affected by this. Passwords for business and personal accounts have not been compromised. Nor have security questions and PINs been impacted. Those who have been impacted by the breach are being offered a 12-month credit monitoring plan paid for by Desjardins, and Desjardins is monitoring the affected accounts.

This should serve as a warning to all companies who handle personal data as it’s pretty clear that bad things can happen if a bad actor inside your company decides to go rogue. And you can expect there to be some serious fallout for Desjardins over this incident.

Freedom Mobile Suffers Data Leak….Credit Cards, Email Addresses, And More Exposed

Posted in Commentary on May 7, 2019 by itnerd

If you are a Freedom Mobile customer, you might have a very good reason to be concerned about the security of your personal information. According to TechCrunch, a server belonging to Canada’s fourth largest telco is leaking data:

Security researchers Noam Rotem and Ran Locar found an Elasticsearch server leaking five million logs containing customer data. The server wasn’t protected with a password, allowing anyone to access the data.

Rotem and Locar, who shared their findings exclusively with TechCrunch and published their report at vpnMentor, said it took the cell giant a week to secure the leaking database after first reaching out.

The database is believed to be part of a logging system used by the company to determine errors and glitches in the company’s systems. The database recorded any errors and the plaintext data associated with it, including customer data.

Data seen by TechCrunch reveals customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types, and Freedom Mobile account numbers.

The logs also contained answers to credit checks filed through Equifax, including details of whether an application was accepted or rejected — along with the reason why.

We also found full credit card numbers, expiry dates and verification numbers stored in plaintext.

None of the data was encrypted.

This is an #EpicFail on the part of Freedom Mobile. Partially because the server was leaking data, and partially because someone else had to tell Freedom Mobile about it, which implies that the company wasn’t on the ball. Now, 15,000 customers were affected and the server was secured after the researchers told them about it. Though Freedom Mobile all but threw a company called Apptium, which managed the server, under the bus for this. No matter. It’s being investigated by the Office of the Privacy Commissioner, and I hope they dole out the right level of punishment, as this sort of thing simply cannot go unpunished.