One of the biggest consumer breaches of all time hits Yahoo. Concerns over hacking of U.S. voter registration systems grow. Celeb hacking scandals remain prevalent while one hacker pleads guilty and Last.fm sees millions of its user passwords stolen. All that and more in The Month in Hacks.
Yahoo Releases Details on Breach – One of the Largest Ever
On September 22, CNN Money reported that data for 500 million Yahoo accounts had been stolen in a late 2014 breach and that the actors are likely backed by a foreign government. The culprits of the hack are still being confirmed, but Yahoo stated in a prepared statement, “[t]he account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers.” Fortunately, no credit card information was stolen. Yahoo urged users to immediately change their passwords and, as an account security best practice, enable two-factor authentication.
68M Dropbox Users’ Data Goes on Sale
The Washington Post reported on September 7 that the user data stolen during a 2012 Dropbox hack had been listed for sale on the dark Web. “The nearly 5 gigabytes of data represents one of the larger user credential leaks in recent years. Its price is reportedly being set at two bitcoins, the equivalent of about $1,141,” wrote The Washington Post. “There are no reports that the data set has been successfully sold yet.”
Russians Investigated for Taking Aim at November Elections
On September 6, PC World reported that U.S. intelligence and law enforcement were investigating a plot by Russia to tamper with election results. Led by U.S. Director of National Intelligence James Clapper, the investigation comes on the heels of the D.N.C. hack and subsequent WikiLeaks spill, which American officials have blamed on Moscow. ABC News reported on September 28 that the Russians may have attempted to access voter registrations. “There have been a variety of scanning activities, which is a preamble for potential intrusion activities,” said F.B.I. Director James Comey.
43M Passwords Stolen From Last.fm
TechCrunch reported on September 1 that 43 million passwords had been stolen from music-sharing site Last.fm. Unsalted MD5 hashing has been identified as the vulnerability. The hack is under investigation.
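Added illustration (not from the original article or from Last.fm or Yahoo): why the unsalted MD5 storage attributed to Last.fm is weaker than the salted, slow hashing Yahoo reported using. It uses constructed sample accounts and PBKDF2 from the standard library as a stand-in for bcrypt.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for this example only; two users share a password.
ACCOUNTS = {"alice": "correcthorse", "bob": "correcthorse", "carol": "tr0ub4dor"}


def store_unsalted_md5(password: str) -> str:
    """The scheme attributed to Last.fm: one deterministic digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF. PBKDF2-HMAC-SHA256 stands in here for
    bcrypt (which Yahoo said it used) because bcrypt needs a third-party package."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_groups(stored_hashes: dict) -> int:
    """Count stored values shared by more than one account. In a leaked table of
    unsalted digests, equal passwords show up as equal hashes and one precomputed
    lookup covers every account with that password; per-user salts remove both."""
    counts = {}
    for h in stored_hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_schemes() -> tuple:
    """Return (duplicate groups under unsalted MD5, duplicate groups under salted KDF)."""
    md5_table = {u: store_unsalted_md5(p) for u, p in ACCOUNTS.items()}
    salted_table = {u: store_salted(p) for u, p in ACCOUNTS.items()}
    return duplicate_groups(md5_table), duplicate_groups(salted_table)


if __name__ == "__main__":
    print("duplicate groups (md5, salted):", compare_schemes())  # (1, 0)
```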
No More Pippa Pics – Judge Blocks Hacked Photos
U.K. High Court justice Philippa Whipple issued an order on September 28 that photos stolen from Pippa Middleton (sister to Princess Kate) could not be published. Fox News reported that a hacker was seeking $65,000 for the images. A suspect has been arrested.
Tesla Upgrades Security After White Hat Hack
“When researchers at the Chinese firm Tencent revealed they could burrow through the Wifi connection of a Tesla S all the way to its driving systems and remotely activate the moving vehicle’s brakes, they exposed a chain of security problems,” wrote Wired on September 27. Responding to the security flaw, Tesla strengthened the fundamentals of its security by pushing a wireless update that added code signing. “Cryptographic validation of firmware updates is something we’ve wanted to do for a while to make things even more robust,” said Tesla’s chief technical officer JB Straubel.
Brad Pitt Lives! Hoax Hackers Used Trojan Horse
NBC News reported on September 28 that hackers used a false news story on Facebook to lure readers toward a clandestine landing page containing a malware download. Unfortunately for Brangelina fans, however, the divorce story still seems to be true.
Celebgate Hacker Pleads Guilty
On September 27, the Chicago Tribune reported that Edward Majerczyk, 29, had pled guilty to one count of unauthorized access to a protected computer to obtain information. Majerczyk was specifically accused of using a phishing scheme to access more than 300 Apple iCloud and Gmail accounts from November 2013 to August 2014. These accounts included at least 30 belonging to celebrities in the Los Angeles area – earning the hack the “celebgate” name. Mr. Majerczyk’s attorney argued before the court that “there was no evidence of any effort by my client to sell or disseminate any images.”
800K Accounts Affected After Adult Forum Hacked
On September 6, NBC News reported that online porn forum Brazzers had been breached, with 790,724 email addresses, usernames and passwords stolen.
Klepto Crypto – BTC-E Bitcoin Exchange and BitcoinTalk Hacked
On September 2, HackRead reported that two top cryptocurrency sites, BTC-E and BitcoinTalk, had been hacked. The social engineering hack occurred in 2015, resulting in the theft of hashed passwords, dates of birth, secret questions/hashed answers and email IDs from BitcoinTalk.