500M LinkedIn Profiles

Just a week after Facebook lost 500M user profiles to the public Internet, it’s LinkedIn’s turn. Wherever data is collected, it is subject to breach or theft.

Like the Facebook incident earlier this week, the information — including user profile IDs, email addresses and other PII — was scraped from the social-media platform.

From the article

via threatpost.com

Just in time for Xmas, Facebook dropped a huge package of user data.

Mark Zuckerberg

More than 260 million U.S. Facebook users’ IDs, phone numbers, and names were exposed to an online database that could potentially be used for spam and phishing campaigns. Comparitech reports that before the database was taken down, it was found on a hacker forum as a downloadable file.

Source: Facebook Faces Another Huge Data Leak Affecting 267 Million Users | Digital Trends

What We Can Learn from the Capital One Hack

Capital One

Earlier this week, it became public that Capital One fell victim to a privacy leak affecting more than 100 million of its customers. News reports revealed details about the source of the attack, which was apparently carried out by a single individual who then bragged about it publicly.

Now, a few days later and with more facts known, the always excellent Krebs on Security blog offers some lessons learned from the incident. It has good statements from Netflix, CloudFlare, DisruptOps and AWS personnel, including citations about the involvement of IAM, EC2 and WAF. In particular, it points out the mitigations that AWS recommends in response to Server Side Request Forgery (SSRF).

Interesting is the conclusion that Rich Mogull comes to: the industry is facing a major skills gap in exactly this kind of cloud security. Basic skill, and the availability of people who have it, has always been a major gap across the entire industry; with the arrival of cloud it only becomes more sparse. Mostly this is because corporations maintain both their existing data centers and new cloud infrastructure, and thereby miss the opportunity to become more secure in the cloud.
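As an added illustration of what one application-level SSRF mitigation looks like (example code written for this page; it is not from the Krebs post, from AWS guidance, or from Capital One), the following Python check refuses server-side fetches to loopback, link-local, private and multicast addresses, including the link-local block 169.254.0.0/16 that hosts the EC2 instance metadata service, and otherwise only permits hostnames on a constructed allow-list. The hostnames in `ALLOWED_HOSTS` and the sample URLs are invented for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list of hostnames this service may fetch from
# (hypothetical names, not taken from the article).
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}


def _is_public_ip(ip) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, link-local (169.254.0.0/16, where the EC2 instance
    metadata endpoint lives), RFC 1918 ranges, shared address space,
    multicast and reserved ranges. IPv4-mapped IPv6 addresses are unwrapped
    first so ::ffff:169.254.169.254 cannot slip past an IPv4-only check.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_safe_outbound_url(url: str) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side.

    Policy: http/https only; a literal IP host must be public; a named host
    must be on ALLOWED_HOSTS. Anything else, including integer or octal IP
    spellings that ipaddress refuses to parse, is denied by default.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not a dotted-quad or IPv6 literal: treat as a name
    if ip is not None:
        return _is_public_ip(ip)
    return host.rstrip(".") in ALLOWED_HOSTS


def filter_urls(urls):
    """Split a batch of candidate URLs into (allowed, denied) lists."""
    allowed, denied = [], []
    for u in urls:
        (allowed if is_safe_outbound_url(u) else denied).append(u)
    return allowed, denied


if __name__ == "__main__":
    # Constructed sample input: what a "fetch this URL for me" endpoint
    # might receive from a client.
    sample = [
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://2852039166/",  # 169.254.169.254 written as a decimal integer
        "file:///etc/passwd",
    ]
    ok, blocked = filter_urls(sample)
    for u in ok:
        print("ALLOW", u)
    for u in blocked:
        print("DENY ", u)
```

The literal-IP check is only half the story: a name on the allow-list can still resolve to an internal address, and an allowed server can redirect to one. The HTTP client behind this check should therefore not follow redirects automatically and should re-validate the address it actually connects to, and the instance itself should be configured so that application code cannot reach the metadata service with an unauthenticated GET in the first place.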

Source: What We Can Learn from the Capital One Hack

Google stored G Suite passwords in plaintext

In today’s edition of privacy-related topics, it is Google that apparently stored customer passwords in plaintext. Google didn’t disclose which (enterprise) customers were affected, but was clear that improper access is out of the question. With this recent incident, Google joins the ranks of Facebook and Instagram, but also Twitter and LinkedIn.

Google says it discovered a bug that caused some of its enterprise G Suite customers to have their passwords stored in an unhashed form for about 14 years.

Source: Google stored some G Suite passwords in plaintext for 14 years

Instagram had private contact data scraped

Another week, another Facebook leak. This time an Instagram dataset with apparently scraped profile information was found online.

A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by […]

Source: Millions of Instagram influencers had their private contact data scraped and exposed | TechCrunch

Salesforce outage

It appears Salesforce shut down its services on May 17th 2019. The reason was a faulty configuration script that allowed users to access all of their company’s Salesforce data. To prevent worse, Salesforce shut down.

Salesforce said the script only impacted customers of Salesforce Pardot – a business-to-business (B2B) marketing-focused CRM.

However, out of an abundance of caution, the company decided to take down all other Salesforce services, for both current and former Pardot customers.

Source: Faulty database script brings Salesforce to its knees | ZDNet

Phones Open to Attack through WhatsApp Flaw

Meanwhile, another flaw from the Facebook universe. While it does not appear to be directly related to data leakage, it nonetheless hands third parties great potential. On the upside, nobody will attribute it to Facebook this time.

It’s a good opportunity to point out and recommend the alternatives to WhatsApp, in particular Signal and Threema.

A WhatsApp vulnerability left Android and iOS devices open to attack from sophisticated surveillance software. The Facebook-owned company said it hasn’t yet been able to determine how many people were impacted, and told users to ensure they’re running the latest version of the app.

Source: WhatsApp Flaw Left Phones Open to Attack From Sophisticated Spyware | Digital Trends


Because it is being hotly debated in all the media right now: a few small tips on how to guard somewhat against the worst problems on the Internet and contain potential damage in advance. Wikipedia on the incidents.

PC and phone
Install all system updates promptly
Use the privacy options on all devices
Strictly limit app permissions on phones and tablets (contacts, camera, location, microphone, etc.)…

Turn off HTML e-mail, turn off loading of external content in e-mails, be careful with e-mail attachments,
Where possible, use a different e-mail account for communication than the one used for (account) registration, because of password recovery.

Use hard-to-guess passwords & use a separate one for each service
Use two-factor authentication wherever possible.

Never disclose login details, not even over the phone
Delete your Facebook account; furthermore:
Never use Login with Google/Facebook/Twitter etc.
Turn off location sharing everywhere
Never allow address-book sync for social media at any time
Better delete highly private data (chat history, pictures)

Turn on full-disk encryption
For chat communication use only encrypted messengers, e.g. Signal or Threema
For e-mail: encrypt with S/MIME or GPG…
Encrypt backups

Image by Nasir Khan, CC-BY-SA 2.0