Cookies crumble for Yahoo and 32 million users in third breach


Yahoo, which disclosed two massive data breaches last year, said that about 32 million user accounts were accessed by intruders in the past two years using forged cookies. The company said the latest intrusions could be connected to the “same state-sponsored actor believed to be responsible for the 2014 breach,” in which at least 500 million accounts were affected. Forged cookies allow an intruder to access a user’s account without a password. Yahoo also said that it would not award CEO Marissa Mayer a cash bonus for 2016, following findings related to the 2014 incident. Mayer also offered to forgo any 2017 annual equity award, as the breaches occurred during her tenure. Yahoo said senior executives failed to “properly comprehend or investigate” the 2014 security breach that affected more than 500 million accounts. Sources: Reuters, MarketWatch

Cloudflare stanches wound, says leak issue resolved

Cloudflare says it has fixed the Cloudbleed software bug that caused random chunks of data to leak from customer websites, including Fitbit and OkCupid. More than 80,000 cached pages have been deleted from various search engines. Cloudflare estimated that the bug causing data to leak was triggered 1,242,071 times from Sept. 22 through Feb. 18. Although Cloudflare hasn’t found any passwords in the leaks, some security experts have recommended that customers reset their passwords, just in case. Sources: TechNewsWorld, TechCrunch

FCC vote deals blow to internet privacy

The Federal Communications Commission voted 2–1 along party lines to block a new internet privacy rule from taking effect. The rule would have required internet service providers to take more stringent steps to protect consumers’ personal data. The provision was part of a larger set of broadband privacy rules passed by the FCC in October under the Obama administration and set to go into effect this week. The measure called for broadband providers to take “reasonable” measures to ensure the security of customer data. Source: The Hill

Boeing hopes to bring flight of information into safe landing

Boeing launched an internal investigation and notified Washington state Attorney General Bob Ferguson and officials in California, North Carolina and Massachusetts that employee data left the company’s control when a worker emailed a spreadsheet to his significant other. The unnamed employee sent the document to get his spouse’s help on formatting issues. The 36,000 affected employees have been offered two years of free credit monitoring. Source: Puget Sound Business Journal

These pets might not be our best friends

Spiral Toys, the parent company behind CloudPets, sent the California Attorney General a breach notification that contradicts what experts have said about a database breach that exposed user data and private voice messages, many made by children. Data was copied and deleted from an exposed MongoDB instance found online, and a ransom note was left behind. Source: Threatpost

Patients losing their patience with health information theft

Nashville-based Vanderbilt University Medical Center is notifying 3,247 patients that their medical information was accessed by unauthorized individuals. From May 2015 to December 2016, two patient transporters accessed information from patients’ electronic medical records, including names, birthdates, medical record identification numbers and some Social Security numbers. Patients will be offered credit-monitoring services. … WVU Medicine University Healthcare in West Virginia is offering one year of identity monitoring services to a total of 7,445 patients after an employee at Berkeley Medical Center with access to patient data was found to have information such as driver’s licenses, ID cards, insurance cards and Social Security cards. Additional tracking later found the employee also viewed physician orders that contained diagnoses. Sources: Becker’s Hospital Review, Health Data Management

That robopocalypse might be closer than we think

New research exposes vulnerabilities found in multiple home, business and industrial robots, with many graded as high or critical risks, according to IOActive. Attackers could in theory spy through a robot’s microphone and camera, leak data and, in extreme cases, cause serious physical harm or damage to people and property. Once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions. Source: SC Magazine

Putting more of a premium on privacy

Microsoft is highlighting new user-controllable privacy and upgrade settings that will be part of the Windows 10 Creators Update. The software giant will test the new privacy-settings upgrade experience with its Windows Insider testers before rolling it out to the public in April. Source: ZDNet

Music festival plans hit a sour note

The two-weekend Coachella music festival, which draws six-figure crowds and generates hundreds of millions of dollars in spending, has reported a website hack. Goldenvoice, the company that operates the website, said an attacker gained access to a database containing user information, although no payment details were stored in the database and users’ passwords were not leaked. Source: Forbes

If Amazon sneezes, everyone catches a cold

A key Amazon service that helps power the internet went down this week, bringing with it scores of websites and services. Amazon Web Services S3, a server offering from the online shopping giant, had “high error rates” in the East Coast region, harming at least parts of many websites, according to Amazon. Some sites rely on S3 for critical components. Amazon said it resolved the issue. Source: The Boston Herald