Cookies crumble for Yahoo and 32 million users in third breach


Yahoo, which disclosed two massive data breaches last year, said that about 32 million user accounts were accessed by intruders in the past two years using forged cookies. The company said the latest intrusions could be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach,” in which at least 500 million accounts were affected. Forged cookies allow an intruder to access a user’s account without a password. Yahoo also said that it would not award CEO Marissa Mayer a cash bonus for 2016, following findings related to the 2014 incident. Mayer also offered to forgo any 2017 annual equity award, as the breaches occurred during her tenure. Yahoo said senior executives failed to “properly comprehend or investigate” the 2014 security breach that affected more than 500 million accounts. Sources: Reuters, Market Watch

Cloudflare stanches wound, says leak issue resolved

Cloudflare says it has fixed the Cloudbleed software bug that caused random chunks of data to leak from customer websites, including Fitbit and OkCupid. More than 80,000 cached pages have been deleted from various search engines. Cloudflare estimated that the bug causing data to leak was triggered 1,242,071 times from Sept. 22 through Feb. 18. Although Cloudflare hasn’t found any passwords in the leaks, some security experts have recommended that customers reset their passwords, just in case. Sources: Tech News World, Tech Crunch

FCC vote deals blow to internet privacy

The Federal Communications Commission voted 2-1 along party lines to block a new internet privacy rule from taking effect. The rule would have required internet service providers to take more stringent steps to protect consumers’ personal data. The provision was part of a larger set of broadband privacy rules passed by the FCC in October under the Obama administration and set to go into effect this week. The measure called for broadband providers to take “reasonable” measures to ensure the security of customer data. Source: The Hill

Boeing hopes to bring flight of information into safe landing

Boeing launched an internal investigation and notified Washington state Attorney General Bob Ferguson and officials in California, North Carolina and Massachusetts that employee data left control of the company when a worker emailed a spreadsheet to his significant other. The unnamed employee sent the document to get his spouse’s help on formatting issues. The 36,000 employees have been offered two years of free credit monitoring. Source: Puget Sound Business Journal

These pets might not be our best friends

Spiral Toys, the parent company behind CloudPets, sent the California Attorney General a breach notification that contradicts what experts have said about a database breach that exposed user data and private voice messages, many made by children. Data was copied from and deleted from an exposed MongoDB instance found online, and a ransom note was left behind. Source: Threat Post

Patients losing their patience with health information theft

Nashville-based Vanderbilt University Medical Center is notifying 3,247 patients that their medical information was accessed by unauthorized individuals. From May 2015 to December 2016, two patient transporters accessed information from patients’ electronic medical records, including names, birthdates, medical record identification numbers and some Social Security numbers. Patients will be offered credit-monitoring services. … WVU Medicine University Healthcare in West Virginia is offering one year of identity monitoring services to a total of 7,445 patients after an employee at Berkeley Medical Center with access to patient data was found to have information such as driver’s licenses, ID cards, insurance cards and Social Security cards. Additional tracking later found the employee had also viewed physician orders that contained diagnoses. Sources: Becker’s Hospital Review, Health Data Management

That robopocalypse might be closer than we think

New research exposes vulnerabilities found in multiple home, business and industrial robots, with many graded as high or critical risks, according to IOActive. Attackers could in theory spy through a robot’s microphone and camera, leak data and, in extreme cases, cause serious physical harm or damage to people and property. Once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions. Source: SC Magazine

Putting more of a premium on privacy

Microsoft is highlighting new user-controllable privacy and upgrade settings that will be part of the Windows 10 Creators Update. The software giant will test the new privacy-settings upgrade experience with its Windows Insider testers before rolling it out to the public in April. Source: ZDNet

Music festival plans hit a sour note

The two-weekend Coachella music festival, which draws six-figure crowds and generates hundreds of millions of dollars in spending, has reported a website hack. Goldenvoice, the company that operates the website, said an attacker gained access to a database containing user information, although no payment details were stored in the database and users’ passwords were not leaked. Source: Forbes

If Amazon sneezes, everyone catches a cold

A key Amazon service that helps power the internet went down this week, bringing with it scores of websites and services. Amazon Web Services S3, a server offering from the online shopping giant, had “high error rates” in the East Coast region, harming at least parts of many websites, according to Amazon. Some sites rely on S3 for critical components. Amazon said it resolved the issue. Source: The Boston Herald