Keyboard data leak exposes millions of personal records

A misconfigured MongoDB database and overreaching app permissions led to millions of personal records being leaked by a virtual keyboard developer.

Kromtech Security Center discovered the keyboard data leak by mobile developer Ai.type, based in Tel Aviv, which makes a mobile alternative keyboard app for Android and iOS. According to Kromtech, Ai.type used the default settings on its MongoDB database, meaning all 577 GB of data made up of 373 million records was publicly exposed.

The Ai.type keyboard data leak may have been caused by misconfigured MongoDB database settings, but researchers also noted the extensive permissions the keyboard asked of users. According to ZDNet, which first reported Kromtech’s findings, the exposed data was properly secured after repeated attempts by the news outlet to contact Ai.type about the exposure.
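The two settings behind an exposure of this kind are the address MongoDB binds to and whether authorization is switched on. The audit script below is an added example, not code from Kromtech or Ai.type: it parses the flat YAML subset that mongod.conf uses and flags a server that is reachable from the network without authentication. The sample configs are constructed, and the default bind behaviour it assumes when `net.bindIp` is unset (every interface before MongoDB 3.6, localhost from 3.6 on) is stated in the comments.

```python
"""Audit a mongod.conf for the pairing that publicly exposes a server: non-loopback bind + no auth."""
import ipaddress
import sys
from typing import Dict, List

# Constructed sample: bind address set to every interface, authorization never enabled.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only and authorization required.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:' / '  key: value' layout mongod.conf uses (comments dropped)."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def _is_loopback(addr: str) -> bool:
    """Unix sockets, 'localhost' and loopback IPs are not reachable from the network."""
    if addr.startswith("/") or addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # any other hostname: treat as reachable


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings; an empty list means neither weak setting is present."""
    findings: List[str] = []
    net = conf.get("net", {})
    if net.get("bindIpAll", "false").lower() == "true":
        public = True
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" in net:
        exposed = [a.strip() for a in net["bindIp"].split(",")
                   if a.strip() and not _is_loopback(a.strip())]
        public = bool(exposed)
        if public:
            findings.append(f"net.bindIp includes non-loopback address(es): {', '.join(exposed)}")
    else:
        # Assumption: unset means the binary default, which was every interface before 3.6.
        public = True
        findings.append("net.bindIp is unset: default bind address depends on the MongoDB version")
    auth_on = conf.get("security", {}).get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append("security.authorization is not 'enabled': any client can read every database")
    if public and not auth_on:
        findings.append("CRITICAL: reachable from the network with no authentication")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EXPOSED_CONF
    for finding in audit(parse_mongod_conf(text)) or ["no findings"]:
        print(finding)
```

Run it as `python audit_mongod.py /etc/mongod.conf`; with no argument it audits the constructed exposed sample.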

The Ai.type keyboard asked users for “Full Access” to device data, which allowed the app to gather sensitive personal information as well as identifiable data on the mobile hardware being used.

The keyboard data leak included information gathered from more than 31 million users who had installed the Ai.type keyboard. This information included sensitive data such as names, phone numbers, mobile hardware identification info, email addresses and country of residence. Additionally, more than 6 million records gathered from user contacts were exposed.

“Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” Bob Diachenko, chief communication officer at Kromtech, wrote in a blog post. “This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”

Uber breach affected 57 million users, covered up for a year

Malicious actors stole personal data on hundreds of thousands of Uber drivers and millions of Uber users and the company allegedly covered up the breach for one year, including reportedly paying the attackers to keep quiet.

According to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing “a third-party cloud-based service” — reportedly GitHub and Amazon Web Services (AWS) — in late 2016 and downloading files containing names and driver’s license information on 600,000 U.S. Uber drivers and personal information — names, email addresses and phone numbers — for 57 million Uber customers from around the world. According to Bloomberg, which was first to report the Uber breach, the incident was covered up by two members of the company’s infosec team.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi wrote in a blog post. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Khosrowshahi said the “failure to notify affected individuals or regulators last year” prompted a number of actions, including firing the two individuals responsible for the Uber breach response — Joe Sullivan, former federal prosecutor and now ex-CSO at Uber, and Craig Clark, one of Sullivan’s deputies — notifying and offering ID and credit monitoring to the affected drivers, notifying regulators and monitoring the affected customer accounts.

Details of the Uber data breach

According to Bloomberg, the attackers accessed a private GitHub repository used by Uber in October 2016 and used stolen credentials from GitHub to access an archive of information stored on an AWS account.

Terry Ray, CTO of Imperva, said the use of GitHub “appears to be a prime example of good intentions gone bad.”

“Using an online collaboration and coding platform isn’t necessarily wrong, and it isn’t clear if getting your accounts hacked on these platforms is even uncommon. The problem begins with why live production data was used in an online platform where credentials were available in GitHub,” Ray told SearchSecurity. “Sadly, it’s all too common that developers are allowed to copy live production data for use in development, testing and QA. This data is almost never monitored or secured, and as we can see here, it is often stored in various locations and is often easily accessed by nefarious actors.”

Sullivan reportedly took the lead in the Uber breach response and, along with Clark, worked to keep the incident under wraps, including paying the attackers $100,000 to delete the stolen personal data and keep quiet.

Khosrowshahi mentioned communication with the attackers in his blog post, but did not admit to any payment being made.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed,” Khosrowshahi wrote. “We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

Jeremiah Grossman, chief of security strategy at SentinelOne, said it can be “difficult, if not impossible, for an organization to lock down” a vector like GitHub.

“Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed,” Grossman told SearchSecurity. “While traditional security controls remain crucial to organizational security, it’s no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others.”
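A defensive counterpart to the pattern Ray and Grossman describe is to scan files for credentials before they can be committed. The scanner below is an added example, not code from Uber, GitHub or any of the quoted vendors; its rule set, the `# nosecret` allow-list marker and the sample file are assumptions, and the sample's AWS values are the placeholder credentials AWS publishes in its own documentation.

```python
"""Scan files for credentials that must never reach a repository: AWS keys, URIs with passwords, quoted secrets."""
import pathlib
import re
import sys
from typing import List, NamedTuple

ALLOW_MARKER = "# nosecret"  # assumed convention: append to a line to suppress a finding

# Each rule captures the secret value itself in group 1 so the report can redact it.
RULES = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_?secret_?access_?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("mongodb-uri-with-password", re.compile(r"mongodb(?:\+srv)?://[^:\s/]+:([^@\s]+)@")),
    ("generic-credential-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]")),
]

# Constructed sample file; the AWS values are the example credentials from AWS documentation.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-east-1
MONGO_URL = mongodb://app:hunter2hunter2@db.internal:27017/prod
DB_PASSWORD = "hunter2hunter2"
TEST_TOKEN = "not-a-real-token-value"  # nosecret
DEBUG = true
"""


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    redacted: str  # first four characters only, so the report itself leaks nothing


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Apply every rule to every line; a line carrying ALLOW_MARKER is skipped."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, lineno, rule, match.group(1)[:4] + "..."))
    return findings


def _iter_files(root: pathlib.Path):
    """Yield regular files under root, skipping anything inside a .git directory."""
    if root.is_file():
        yield root
        return
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            yield p


def scan_paths(paths: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for root in paths:
        for file in _iter_files(pathlib.Path(root)):
            try:
                text = file.read_text(errors="ignore")  # binaries are read loosely, not skipped
            except OSError:
                continue
            findings.extend(scan_text(text, str(file)))
    return findings


if __name__ == "__main__":
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_FILE, "sample")
    for f in results:
        print(f"{f.path}:{f.line}: {f.rule} ({f.redacted})")
    sys.exit(1 if results else 0)  # non-zero blocks the commit when run as a pre-commit hook
```

Wired into a pre-commit hook as `git diff --cached --name-only | xargs python scan_secrets.py`, a non-zero exit stops the commit before the credential leaves the workstation.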

Willy Leichter, vice president of marketing at Virsec Systems, Inc., said if the details of this Uber breach cover-up are verified, it could be extremely damaging for the company.

“This is a staggering breach of customer trust, ethical behavior, common sense and legal requirements for breach notification. Paying hackers to conceal their crimes is as short-sighted as it is stupid,” Leichter told SearchSecurity. “If this had happened after the EU GDPR kicks in, Uber would cease to exist. That may be the outcome anyway.”

Uber breach ramifications

The 2016 breach is the latest in a long line of issues for Uber. At the time of the incident, Uber was already under investigation for separate privacy violations. The company is also battling various lawsuits from cities and users.

Jim Kennedy, vice president North America at Certes Networks, said Uber’s already questionable reputation should take a big hit.

“Most likely the Uber C-suite, seeing the repercussions of cyber-attacks on similar household names, were keen to avoid the reputational damage — a massive error of judgement,” Kennedy told SearchSecurity. “The reality is that customer distrust of the brand will be amplified by the company’s attempts to hide the facts from them and points to the need for change in the industry.”

Adam Levin, cyber security expert and co-founder and chairman for CyberScout, said the Uber breach is another example of the company “placing stock value over and above privacy at the expense of drivers and consumers.”

“Uber did a hit and run on our privacy and created a completely avoidable extinction or near-extinction event, and further damaged an already tarnished brand,” Levin told SearchSecurity. “As ever, the goal for a company faced with a breach or compromise should be urgency, transparency and above all else, empathy for those affected.”

Ken Spinner, vice president of field engineering at Varonis, said the Uber data breach will likely “fire up already angry consumers, who are going to demand action and protection.”

“Every state attorney general is going to be salivating at the prospect of suing Uber. While there’s no overarching federal regulations in place in the U.S., there’s a patchwork of state regulations that dictate when disclosures must be made — often it’s when a set number of users have been affected,” Spinner told SearchSecurity. “No doubt Uber has surpassed this threshold and violated many of them by not disclosing the breach for over a year. This is the latest example of how hiding a breach rarely benefits a company and almost surely will backfire.”

Premium Outlook.com features now available to Office 365 subscribers

Today, we began rolling out new benefits for Office 365 Home and Office 365 Personal subscribers who use Outlook.com. These premium email features include an ad-free inbox, enhanced protection against malware and phishing, larger mailbox sizes, and premium customer support. In the coming months, we’ll be introducing additional premium Outlook.com features to make personal email and calendar experiences for Office 365 subscribers more powerful, productive, and secure.

An ad-free experience

The Outlook.com interface is now free of ads for Office 365 Home and Office 365 Personal subscribers. This includes banner ads as well as advertisements in the message list—commonly referred to as native ads. Without ads, you’ll have fewer distractions and faster page load times, so you can be more focused and have a better email experience.

Sophisticated protection against email threats

Email is one of the most popular ways that criminals trick people into giving away their passwords or downloading viruses and ransomware. That’s why all Outlook.com accounts already feature robust spam and virus filtering and support from a global security team that works tirelessly to stop these threats.

For Office 365 Home and Office 365 Personal subscribers, we now offer additional security against the most sophisticated types of threats in two ways:

  • Scanning attachments—Sophisticated techniques detect new types of malware previously not seen, giving you protection against today’s most advanced threats.
  • Checking links—When you click a link in an email, it is checked in real-time to determine if the destination website is likely to download viruses or malware onto your computer. If the site is found to be malicious, a warning screen alerts you not to access the site.

More mailbox storage

In our new Office 365-based infrastructure, a free Outlook.com account now receives 15 GB of email storage space. Office 365 Home and Office 365 Personal subscribers enjoy even larger amounts of storage: 50 GB of space in total. Today, we’re also boosting storage limits to 50 GB for all our loyal Outlook.com users whose mailbox size is 12 GB or larger.

Premium support

If you need help on an Outlook.com account issue, you’ll receive free technical support as an Office 365 subscriber. Whether you call us on the phone or reach out via in-app support, you get our highest levels of care and support.

How to get started

Getting started and using these premium features in Outlook.com is easy.

  • It’s automatic—We activate the premium Outlook.com benefits based on the email address you used to sign up for your Office 365 subscription. Addresses ending in @outlook.com, @hotmail.com, @live.com, and @msn.com all qualify. Please note that if you use the Connected Accounts feature to access a @gmail.com, @yahoo.com, or other third-party account from Outlook.com—the advanced email security features do not apply to these accounts.
  • You can share the benefits—If you have an Office 365 Home subscription and share your Office 365 benefits with others, they will get these benefits for their Outlook.com mailboxes—including the advanced security, ad-free experience, and 50 GB of email storage.
  • The rollout is underway—We’ve already begun rolling these capabilities out to Office 365 Home and Office 365 Personal subscribers worldwide. The process of updating all accounts will take about one month. So if you don’t see them right away, don’t worry—they are on the way.

To learn more about the features and see a list of frequently asked questions, please check out the Premium Outlook.com features for Office 365 subscribers help topic.

We hope you enjoy these new benefits, and we look forward to bringing even more premium value to Office 365 Home and Office 365 Personal subscribers in the months ahead!

—The Outlook.com team

The new Skype for desktop is here

In today’s hectic world, maintaining our personal connections is more important than ever. We need to get more done, whether it’s planning daily menus, scheduling appointments, coordinating family schedules, or having a virtual tutoring session. We’ve been listening to your feedback and making improvements, and today we’re rolling out a new version of Skype for desktop to make staying in touch easier—both professionally and personally.

The Skype for desktop Preview and the next generation of Skype for mobile improved the way you connect with your contacts and added expanded capabilities such as personalized themes, chat list, and @mentions to the Skype experience. The Skype desktop app—now out of preview and rolling out today—brings all these exciting new improvements and features to your desktop. It’s all built on brand-new technology that scales to billions of people on a reliable platform.

Your everyday place for personal connections

You’re on your phone a lot—but you’re probably on the “big screen” quite a bit, too. Starting today, you can use the same Skype across all your devices. The new desktop version of Skype lets you connect naturally, with tools and features that can transform everyday conversations, including:

  • Customizable themes—Choose a color and theme that reflects your mood, personality, or time of day.
  • Chat list—Organize your contact list by time, unread, or status. Pin people or groups to have them always close at hand. To see more on your screen, change your view from standard to compact, or collapse the chat list to focus more on your content.
  • Cloud-based—Now that Skype is cloud-based, sharing files, photos, and videos is easier. Send up to 300 MB over Skype by simply dragging and dropping the file. Skype uses less battery power now that it’s in the cloud.
  • Cross-device functionality—Skype works across multiple devices: mobile, desktop, Xbox, smart speakers, and more. Your messages and content are available anywhere you have Skype installed, helping you keep in touch with people around the world.

Be more productive

With the new Skype, you can get more done on your PC. We know that changing devices interrupts your flow—no one wants to switch from their computer to their phone just to have a better conversation experience. Now you can send and receive Skype messages in real-time, answer calls directly from your PC, and share your screen to present your latest ideas to colleagues.

We’ve also introduced new ways for you to be more productive, including:

  • Notification panel—Grab a cup of coffee and catch up on what you’ve missed by clicking the bell icon to access your notification panel. From this central place, you’ll see reactions to your messages, @mentions in group conversations, or if someone quoted you. Jump to the conversation by clicking the message in the notification panel.
  • Chat media gallery—Looking for that link your bestie sent a few weeks ago? Quickly find shared content in the chat gallery. Just click Gallery to see media, links, and files—you can even sort by type.
  • Add-ins (available now to Skype Insiders)—It’s now easier than ever to complete everyday tasks in Skype. From sending a Giphy, scheduling an event, or sending money to pulling up the latest in the news—our add-ins help you get more done within Skype.

Keep in touch with lots of people, effortlessly

When you want to talk to all your siblings at once with free group video calling, or start a discussion with the school’s PTA committee, Skype for desktop has you covered with reactions, @mentions, status updates, and bots to help you express yourself and stay in touch:

  • Reactions—Easily express how you’re feeling by reacting to messages in conversations or during video calls. Simply click the reaction icon so everyone knows how you’re feeling.
  • @mentions—If you’d like to get someone’s attention in a group chat, type the @ symbol followed by their name to send them a notification so that they can easily respond to the message.
  • Status updates are back—Let your colleagues, friends, and family know when you are and aren’t available to chat by changing your presence, or set a mood message to share what’s going on.
  • Bots—Scoop, Hipmunk, and many more bots help you make plans and stay informed. Pull ticket pricing and seating options directly into a one-to-one or group chat with the StubHub bot. Planning a weekend getaway with old friends? Chat with the Expedia bot to check flight times and pricing.

Download and get started

It’s easy to start using the powerful new Skype for desktop app. If you’re using Skype for Mac, Windows 10 November Update (2016) and lower, Windows 8, Windows 7, or Linux and have automatic updates enabled, the update will be delivered to you when it’s ready. If you would like to get the update manually, you can download and install the new version at Skype.com. Windows 10 users will receive an update shortly to add the new features.

For Sale – Custom PC for sale – Now splitting

I am selling my personal PC, built over the years with over 12 years’ experience, so you can buy with confidence. I have got all the original boxes.
The AIO, case and PSU are less than one year old.

I am selling due to moving to a laptop.
Specification is:

i5 4670K – £110
Corsair H115I AIO – £90
G1.Sniper M5 Intel Z87 – £75
16GB Kingston RAM – £55
840 250GB SSD – £45
Fractal Design Define R5 – £70
Corsair HXi 750W – £100

I can also deliver/meet half way if you would like, although I work during the week, so time is very limited.

Regards
Dan

Price and currency: 0
Delivery: Yes available
Payment method: BT
Location: Derby
Advertised elsewhere?: No
Prefer goods collected?: Not fussed

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.

For Sale – Custom PC for sale

I am selling my personal PC, built over the years with over 12 years’ experience, so you can buy with confidence. I have got all the original boxes.
The AIO, case and PSU are less than one year old.

I am selling due to moving to a laptop.
Specification is:

i5 4670K – £110
Corsair H115I AIO – £90
G1.Sniper M5 Intel Z87 – £75
16GB Kingston RAM – £55
840 250GB SSD – £45
Fractal Design Define R5 – £70
Corsair HXi 750W – £100

It is advertised on Gumtree.
I can also deliver/meet half way if you would like, although I work during the week, so time is very limited.

Regards
Dan

Price and currency: 0
Delivery: Yes
Payment method: BT
Location: Derby
Advertised elsewhere?: Advertised elsewhere
Prefer goods collected?: Not fussed
