Category Archives: SOCIAL NETWORKING

171 million VK.com [Europe’s largest social network site] accounts stolen by hackers

It’s the latest in a string of historical hacks targeting large social networking sites.


A hacker has obtained 171 million user accounts associated with social networking giant, VK.com.

The stolen database contains full names, email addresses and plain-text passwords, and in many cases locations and phone numbers.

The St. Petersburg, Russia-headquartered social network — formerly known as VKontakte — is said to be the largest in Europe, with over 350 million users at the last count. The hack is thought to have been carried out in late-2012 or early 2013, but the hacker who is selling the data could not be more precise.

Given the timing, the entire store of VK’s data — which at the time had just under 190 million users — is likely to have been taken in the hack.

The hacker is now selling a smaller portion of the database — 100 million accounts, which is a little over 17 gigabytes in size — on a dark web marketplace for 1 bitcoin, or about $580 at the time of writing.

That same for-sale database was provided to ZDNet for verification.


We examined the database that was provided by searching a selection of names in VK’s public search engine — many of which turned up valid results. We reached out to many of these via email (which were listed in the breach) for confirmation, but didn’t immediately hear back — we will update the story if that changes. A handful of queries returned nothing, indicating a user was no longer a member or had deactivated their account.

LeakedSource.com, a search engine that records breaches and allows users to search their details, also obtained a portion of the database — albeit a smaller data set of about 100 million records.

Given the social network’s predominance in Russia, the most common password was “123456,” in line with other breaches. LeakedSource.com also found that the most common email address came from mail.ru, which may not be a coincidence, since VK.com was bought by the Mail.ru group in 2014. That led to the ousting of the company’s founder, Pavel Durov, who later fled Russia amid a shake-up of the country’s media laws. Durov later founded encrypted chat app Telegram.

For its part, VK.com said in an email on Monday that it “hasn’t been hacked.”

“We are talking about old logins / passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily,” said a spokesperson. “Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”

An email to Durov on Sunday went unreturned.

Correction: an earlier version of this story had a headline which suggested that 171 million user accounts are up for sale, when in fact a smaller 100 million database was put up for sale. We regret the error.


Henry Sapiecha

 

MySpace hackers place another 427 million passwords up for sale

Password theft should make victims change credentials they have re-used for other sites.


In another haunting hack from the past, Time Inc. has confirmed the theft of 427 million passwords from MySpace, the aging social networking site the media company acquired just three months ago.

The records were offered for sale on the dark web by the same hacker who posted for sale a trove of 117 million stolen LinkedIn passwords nearly two weeks ago. The posted price for MySpace credentials is 6 bitcoins or about $3,200 at today’s rate.

The MySpace incident is tied to a June 11, 2013 hack, according to LeakedSource, while the LinkedIn episode dated back to 2012. LeakedSource is the same web site that confirmed the LinkedIn theft.

The important similarity of these dated incidents lies in the fact that hackers could use these recently posted stolen passwords to break into current accounts of victims who re-use passwords across many sites, including banking and health services.

The recent 2016 Verizon Data Breach Investigation Report showed that 63% of confirmed data breaches involved weak, default or stolen passwords.

Social media users made light of the aging passwords, including Paul Hosford, a reporter with the Irish media site thejournal, “If MySpace hackers have managed to get hold of my password, can they tell me what it is?”

But even past its prime, MySpace reports today 50 million visitors per month. On its blog, MySpace said the stolen passwords have been inactivated on its site, and it encouraged users to set new passwords on accounts where they used the same or similar password from their MySpace account.

LeakedSource reported that the MySpace passwords were stored as SHA1 hashes with no salting. Salting is a process that makes decrypting passwords exponentially harder. MySpace confirmed the stolen data included user login data “from a portion of accounts that were created prior to June 11, 2013.”
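To illustrate the storage weakness described above, the following added example (not code from MySpace, LeakedSource or the original article) contrasts bare SHA1 with a per-user salt and a slow key-derivation function. The account names, passwords and function names are constructed for the illustration, and PBKDF2 is an assumed choice of replacement scheme.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data); two users share a password.
ACCOUNTS = [("alice", "123456"), ("bob", "sunshine9"), ("carol", "123456")]

def sha1_unsalted(password):
    """Legacy scheme as reported: bare SHA1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None, rounds=200_000):
    """Hardened scheme: random per-user salt plus a slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify(password, salt, rounds, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(stored):
    """Count stored hash values that appear on more than one account.

    A non-zero result on a credential table is a sign that no per-user
    salt is in use: equal passwords produce equal stored values, so one
    guess (or one precomputed table entry) resolves every such account.
    """
    counts = Counter(stored.values())
    return sum(1 for n in counts.values() if n > 1)

legacy = {user: sha1_unsalted(pw) for user, pw in ACCOUNTS}
hardened = {user: pbkdf2_salted(pw) for user, pw in ACCOUNTS}
hardened_digests = {user: rec[2] for user, rec in hardened.items()}

if __name__ == "__main__":
    print("unsalted SHA1, shared hash groups:", shared_hash_groups(legacy))
    print("salted PBKDF2, shared hash groups:",
          shared_hash_groups(hardened_digests))
```
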

Time Inc., which owns titles such as Fortune and Sports Illustrated, acquired MySpace when it bought parent company Viant Technology in February. Terms of the deal were not disclosed, but at the time Time Inc. chairman and CEO Joe Ripp said, “This acquisition is game changing for us.” Today, the change seems to be dealing with a major hack of private account data.

Since its heyday early in this century as the world’s largest social media site, MySpace was acquired in 2005 by News Corp. for $580 million and again in 2011 for $35 million by Justin Timberlake and Specific Media Group.


Henry Sapiecha

Twitter warns users about potential ‘state-sponsored’ hacks


Attackers may have been looking for “email addresses, IP addresses, and/or phone numbers”, Twitter says. Photo: Bloomberg

Twitter has issued an alert to some users warning them that state-sponsored hackers may have tried to obtain sensitive data from their accounts, the company said, the first such warning by the microblogging site.

The notice said there was no indication the hackers obtained sensitive information from what it said were a “small group of accounts” targeted.

It did not provide additional information about the attack or possible suspects in its investigation.

Twitter’s notice is the latest amid concern about cyber attacks by state-sponsored organisations. Government agencies, businesses and media have all been hacked.

One organisation that said it received the notice, a Canadian nonprofit called Coldhak, said the warning from Twitter came on Friday. The notice said the attackers may have been trying to obtain information such as “email addresses, IP addresses, and/or phone numbers”.

Coldhak’s Twitter account, @coldhakca, retweeted reports from a number of other users who said they received the notice. Coldhak and the other users did not indicate why they may have been singled out.

Colin Childs, one of the founding directors of Coldhak, told Reuters his organisation has seen “no noticeable impact of this attack”.

Google and Facebook have also started issuing warnings to users possibly targeted by state-sponsored attacks.

Reuters

Henry Sapiecha

State-sponsored attack? Facebook will now tell you ‘You’ve been hacked’

Just don’t expect Facebook to reveal how it knows when government hackers are coming after you.


Facebook has started to notify users when it suspects they’ve been targeted by government-sponsored hackers, rather than by run-of-the-mill cybercriminals.

“Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state,” Facebook’s chief security officer Alex Stamos said in a Notes post on the weekend.

A state-sponsored hacker alert. Image: Facebook

The notification users will see when Facebook detects that they are probably being targeted by a state-sponsored hacker advises them to turn on its two-factor authentication feature, Login Approvals, which requires the user to give Facebook their phone number.

Facebook sends a login code to the user’s phone the next time it detects an account has been accessed from a new device or browser.

“We decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts,” Stamos said.

Facebook won’t be revealing how it tells when a state-sponsored hacker is targeting a particular user, although there are numerous pieces of known malware that are suspected to have been created by government-backed hackers, such as Stuxnet, thought to have been built by the US; Duqu; DarkSeoul, supposedly from North Korea; China’s ShadyRAT; and Russia’s The Dukes malware.

“To protect the integrity of our methods and processes, we often won’t be able to explain how we attribute certain attacks to suspected attackers. That said, we plan to use this warning only in situations where the evidence strongly supports our conclusion,” Stamos said.

The new hacker alert notifications join Facebook’s other security efforts, such as its security check-up tool, and teaming up with several antivirus vendors to offer online malware scanning and clean-up tools.

Facebook earlier this year said it helped clean up two million infected PCs after using a “combination of signals” to find the infections. While helpful at cleaning up malware, some users have objected to being locked out of their accounts until they download anti-malware from Facebook’s partners.


Henry Sapiecha

 

Schrems: the law student who brought down a transatlantic data pact

Austrian data activist Max Schrems stands in the courthouse after his trial against Facebook in Vienna April 9, 2015. REUTERS/Leonhard Foeger


From Vienna cafes to the European Union’s highest court, an Austrian law student’s two-year battle against Facebook and mass U.S. surveillance culminated on Tuesday in a landmark ruling that has rippled across the business world.

Max Schrems, a 28-year-old Facebook user finishing his Ph.D in law at Vienna University, took an interest in the subject of privacy while studying for a semester abroad at Santa Clara University in California.

The legal battle against mass U.S. surveillance that he subsequently pursued resulted in what lawyers called a “bombshell” ruling knocking down a data transfer framework between the European Union and the United States used by over 4,000 companies such as Google, Facebook and IBM.

 

“Max Schrems and Edward Snowden. What a combination. Two young men who have made indelible impacts on the world of data protection,” wrote Stewart Room, a partner at PwC.

Like many Vienna residents, Schrems has a cafe – the traditional Cafe Ritter in the Austrian capital’s fashionable Mariahilf shopping district – that is like a second home where he likes to spend much of his time and receive visitors.

In 2013, ex-National Security Agency (NSA) contractor Edward Snowden leaked details about the U.S. government’s Prism program that allowed it to harvest private information directly from big tech companies such as Facebook.

Facebook has repeatedly denied being a “back door” for U.S. spies.

Schrems took up the privacy battle and filed 22 complaints against Facebook in Ireland, where the company has its European headquarters. He set up a website, called europe-v-facebook.org, with the aim of ensuring that Europeans’ privacy rights are enforced against “tech giants like Facebook.”


He then lodged a complaint with the Irish Data Protection Commissioner, asking it to stop Facebook’s transfers of European users’ data to its U.S. servers because of the risk of U.S. government snooping.

That complaint was thrown out as “frivolous and vexatious.”

But Schrems appealed. His case eventually wound its way to the Luxembourg-based European Court of Justice, which on Tuesday struck down the framework underpinning the data transfers of thousands of companies.

“Individuals now have far greater ability to exert a disruptive influence and shape law,” said Paula Barrett, partner at law firm Eversheds.

Snowden, without whom Schrems said Tuesday’s victory would have been impossible, congratulated the Austrian privacy activist via Twitter.

“Congratulations Max Schrems. You’ve changed the world for the better,” Snowden tweeted.


Henry Sapiecha

 

Facebook ‘tramples European privacy law’ says Belgian watchdog

A 3D plastic representation of the Facebook logo is seen in front of displayed cables in this illustration in Zenica

Belgium’s privacy watchdog accused Facebook (FB.O) on Friday of trampling on European privacy laws by tracking people online without their consent and dodging questions from national regulators.

The Privacy Protection Commission (CPVP/CBPL), which is working with German, Dutch, French and Spanish counterparts, launched the blistering attack after trying to find out more about the U.S. social media giant’s practices.

It urged Internet users to install privacy software to shield themselves from Facebook’s tracking systems, whether they have an account with the social network or not.

The show of strength from the Belgian regulator, which does not have the power to levy fines, highlights a growing willingness across the 28-member bloc to demand that big U.S. tech companies abide by European laws.

“Facebook tramples on European and Belgian privacy laws”, the Commission said after publishing a report analyzing changes that the company made to its privacy policies in January.

It said in a statement that Facebook had refused to recognize Belgian and other EU national jurisdictions, insisting it was subject only to the law in Ireland, the site of its European headquarters.

“Facebook has shown itself particularly miserly in giving precise answers,” the watchdog said, adding that the results of the study by a group of researchers were “disconcerting”.

A Facebook spokeswoman questioned the Belgians’ authority but said it would review the study’s recommendations with the Irish data protection commissioner: “We work hard to make sure people have control over what they share and with whom.”

“Facebook is already regulated in Europe and complies with European data protection law, so the applicability of the CBPL’s efforts is unclear,” she said.

Some EU states accuse Ireland of being soft on the multinational firms it wants to attract, whether in data protection or corporate taxation.

SECOND REPORT

The commission said it would publish a second report on Facebook this year. Sanctions available to privacy watchdogs can be negligible to big firms, but a new EU data protection law expected to be ready this year would allow for fines up to 5 percent of annual sales.

The commission said Facebook would not explain in detail how it uses data it collects. It highlighted problems with plug-ins such as Facebook’s “Like” button, which it said affected many who do not have a Facebook account.

A number of firms are under fire in Europe over the data they collect. Facebook places tracking “cookies” when anyone visits a Facebook page, meaning it can track the online activities of a huge number of non-customers, but has said this is a bug that it is working to fix.

The Commission asked Facebook to stop gathering user data via cookies and plug-ins, except where users asked for it.

European regulators have previously forced Google (GOOGL.O) to change its privacy policies.

And a year ago, EU judges upheld a Spanish order that Google must remove links to outdated information from searches for people’s names — establishing a “right to be forgotten”.

EU anti-trust regulators launched a case against Google last month and are probing Apple (AAPL.O) and Amazon (AMZN.O) over low-tax deals with Ireland and Luxembourg. The European Commission is studying whether to pursue German and French proposals for an EU-wide regulator for Internet platforms.

Some European politicians, also angered by revelations of U.S. espionage in Europe, say U.S. firms abuse their power, discouraging local start-ups and jeopardizing privacy laws cherished by Europeans with memories of authoritarian rule.

U.S. President Barack Obama, who is trying to negotiate a landmark transatlantic free trade deal with the EU, TTIP, says Europe is throwing up protectionist barriers to tech companies.


Henry Sapiecha