Music, dating, gaming and shopping sites were all in the mix of hacks and breaches this month, while the importance of two-factor authentication gets discussed in civil court and an NFL hopeful learns the hard way to keep his social media accounts secure. All that and more in The Month in Hacks.
Philippines Hacked in Largest Ever Government Breach
On April 14, Wired reported that the Filipino government had been the victim of the largest ever known data breach against a state. “Anonymous Philippines” claimed credit for the attack, in which the group stole data on 55 million Filipino voters. Over 225,000 email addresses, 1.3 million passport numbers and 15.8 million fingerprint records were taken. Shortly after the initial hack, a second group, LulzSec Pilipinas, reposted the database. It has since been mirrored and widely shared.
California Casino's Employee Tax Data Hacked
W-2 wages, withholdings and Social Security numbers of employees at Morongo Casino in Southern California were stolen, as reported by The Press Enterprise on April 15. Morongo did not disclose how many employees were affected; however, all those at risk have been notified and offered one year of identity theft protection.
Former Lehman Exec Sues for Cyber Security Negligence
On April 18, The New York Post reported that former Lehman Brothers managing director Robert Millard is suing Long Island real estate attorney Patricia Doran for negligence. Millard claims that her failure to use two-factor authentication to protect her email account led to Millard and his wife Bethany losing nearly $2M. Doran's email was hacked, and the hackers used information related to the purchase of a co-op to pose as the seller's attorney. The Millards then wired $1.938M to an account at TD Bank. The bank discovered the fraud and notified the Millards. All but $200k has been recovered, and the Millards are suing in Manhattan civil court for the remainder. No doubt this case could have interesting implications for the future of cybersecurity responsibility.
Spotify May Have Been Hacked Yet Again
On April 26, Naked Security reported on a fresh batch of Spotify account details being leaked. While it remains unclear if this batch is from a new breach, or among information obtained in the three previous attacks on the streaming service, it emphasizes the importance of regularly updating account credentials. The Pastebin dump included emails, usernames, passwords, account type, auto-renew information and the country of origin for the accounts. Users reported account takeovers, and it remains unclear whether a breach occurred against Spotify directly, or if customers were themselves victims of a phishing scam.
Beautiful People Dating Site Hacked
BeautifulPeople.com, the dating site where new members are admitted by an attractiveness vote, saw the ugly side of the internet when it was breached, reported Wired on April 25. The personal information of 1.1 million users is now for sale on the Dark Web. The vulnerability was repaired in late December, and the company says the hack occurred before July 2015.
Video of Ole Miss Footballer Laremy Tunsil Hurts Draft Status
University of Mississippi offensive tackle Laremy Tunsil dropped from a No. 1 pick to No. 13 after a video of him smoking marijuana through a gas mask was posted to Twitter. He deleted the account shortly after the video was posted, but it had already gone viral. He claims the account was hacked. CNN reported on April 29 that Tunsil's Instagram account was also hacked, revealing communication between him and an athletics department administrator discussing Ole Miss paying his mother's utility bill. Tunsil admits to being paid by the university, in violation of NCAA bylaws. While details remain under review, it looks like the lack of two-factor authentication on his Twitter account ended up costing Tunsil $7 million on his rookie contract due to his draft fall.
Gumtree Notifies Users of Data Breach
Gumtree, the Australian subsidiary of online retail giant eBay, notified affected users of a recent data breach, reported News.Com on April 29. E-mail addresses, names and phone numbers were accessed; however, financial information and passwords remained secure. The breach was localized to Australian users. While payment information was not stolen, those affected could be the victims of future phishing scams.
Hackers Make Off With Minecraft Data
On April 29, The Register reported that Minecraft fan site Lifeboat had been hacked. Security researcher Troy Hunt discovered the breach by identifying bundles of user data on the Dark Web. The hack occurred in January and it appears Lifeboat did not notify users, instead simply forcing a password reset. Hunt and other security experts have criticized Lifeboat for merely hashing passwords and not salting them, which made the credentials easy to crack following the initial exposure.