Mar 18 2019

Andy Greenberg reports:

Steve Hardigree hadn’t even gotten to the office yet, and his day was already a waking nightmare.

As he Googled his company’s name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he’d founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company’s headquarters in Palm Coast, Florida had warned him that TV news reporters were already camped outside the building with cameras. Ambulance-chasing security firms were scrambling to pitch him solutions. Law firms had rushed to assemble a class action lawsuit against his company. All because of one unsecured server. “As you can imagine,” Hardigree says, “I went into panic mode.”

Read more on Wired.

Mar 17 2019

Catalin Cimpanu reports:

A hacker who has previously put up for sale over 840 million user records in the past month has returned with a fourth round of hacked data that he’s selling on a dark web marketplace.

This time, the hacker has put up for sale the data of six companies, totaling 26.42 million user records, for which he’s asking 1.2431 bitcoin ($4,940).

The hacker’s name is Gnosticplayers, and since February 11 the hacker has put up for sale data for 32 companies in three rounds [stories on Round 1, Round 2, and Round 3] on Dream Market, a dark web marketplace.

Read more on ZDNet.

Mar 17 2019

Anshel Pfeffer reports:

From the moment Channel 12 political analyst Amit Segal broke the story Thursday night that the Shin Bet security service had recently informed Kahol Lavan leader and election front-runner Benny Gantz that his personal smartphone had been hacked, it was clear this could be a moment that will define this election campaign.

Read about it on Haaretz.

Mar 17 2019

James Sander joins those taking GearBest out to the cyberwoodshed over a data leak:

Over 1.5 million customer records from online electronics seller GearBest, as well as Zaful, Rosegal, and DressLily, were stored in an unprotected Elasticsearch server, according to a joint report from VPNMentor (archived here) and security researcher Noam Rotem. The brands involved are owned by Shenzhen Globalegrow E-commerce Co., Ltd, a controversial seller of Chinese-made products.
A statement from GearBest claims, in part:

Immediately upon being aware of this incident, our security experts have initiated an investigation to verify the allegations made by Mr. Noam Rotem. While we found that all our own established databases or servers used for storing or processing Data are protected with all necessary encryption measures and are absolutely safe, some of the external tools we use to temporarily store Data may have been accessed by others and therefore Data security may have been compromised.

On March 1st, 2019… firewalls were mistakenly taken down by one of our security team members for reasons still under investigation. Such unprotected status has directly exposed those tools to scanning and accessing without further authentication. Currently, we believe this may have affected our newly registered customers as well as our old customers who placed orders with Gearbest during the time from March 1st, 2019 to March 15th, 2019, in a total number of about 280,000.

In a series of tweets, Rotem claims (translated) that the explanation is “Quite delusional, but more common than you’d like to think,” adding “Do you see the date when they claim that the violation has begun? It’s… not accurate. Not even close. And number of customers exposed? Again, far from reality. At this point, it’s getting a little too much to try and fix them.”

Read more on TechRepublic.

Mar 17 2019

Catalin Cimpanu reports:

A Dutch hacker who launched DDoS attacks against high-profile sites like the BBC and Yahoo News, and also attempted to extort many other companies, received no jail time for his actions.

Speaking in a court in The Hague, the Netherlands, earlier this month, a 20-year-old man showed remorse, admitted to his crimes, which he committed as a minor, and apologized for his actions.

Read more on ZDNet.