A journalist is hacked on a plane, UC Berkeley is hit with another data breach and a CA hospital pays a hefty Bitcoin ransom. Meanwhile, on the other side of the world, Chinese online auction giant Taobao is compromised, big time. All this and more in The Month in Hacks.
Social Media Giant Falls Prey to Social Engineering Breach
On February 29, Engadget reported that Snapchat had been the victim of a phishing scam when a hacker posed as the company's CEO and emailed a request for information about employees in the payroll department. The hack, which was disclosed on Snapchat's blog, follows on the heels of a breach last summer in which their entire database was accessed. The company announced that it would redouble its training to ensure that employees are never tricked again.
IRS Hack Bigger Than Previously Thought
USA Today reported on February 26 new information on the 2015 IRS hack. It is now known that up to 700,000 taxpayer accounts were accessed, as opposed to the 334,000 originally projected. Scammers may have stolen Social Security numbers and birth dates in order to steal taxpayer identities. The hackers stole personal information from other sources and then used it to correctly guess verification questions, thereby gaining access to the IRS' since-disabled “Get Transcripts” feature, which allowed taxpayers to view their tax transaction histories.
Dark Web Hacker Claims Theft of Mate1 Credentials
Motherboard reported on February 29 that a hacker claimed on the dark web forum “Hell” to have sold the email addresses and plaintext passwords of 27 Mate1.com members. “Their server was compromised and the MySQL database was dumped,” says the anonymous hacker. “I had shell/command access to their server.” The danger for victims isn't just the disclosure of their dating histories, but the likelihood that many use the same credentials for other valuable online accounts. Good password habits and enabling two-factor authentication (where even if a fraudster has your credentials, they cannot simply log in without your knowledge) are the lessons to be learned from attacks like this.
Journo Jarred Hacked on American Airlines Flight
Journalist Steven Petrow got a chilling lesson from a fellow flight passenger who revealed that he had hacked Petrow's computer via the plane's WiFi service while en route. Fast Company reported on February 25 that the hacker recited verbatim an email Petrow had received from a source regarding the FBI-Apple privacy dispute. It isn't a shock that the hacker was able to breach every device on the aircraft given the security vulnerabilities of public WiFi.
Two Major Universities Get Hit by Data Breaches
Fox News reported on February 28 that a hacker had accessed the financial data of 80,000 students, alumni, current and former employees at University of California, Berkeley. The breach occurred in December while the university was patching the security flaw in its financial system. This is the third largest attack on the school, highlighting the difficulty in protecting universities. Unlike financial institutions and tech companies, they cannot close the system in the event of a breach. Meanwhile, Slate reported on February 4 that hackers had accessed the social security numbers and other personal information of 63,000 students, alumni and employees at the University of Central Florida.
Hospital Hijacked: Hollywood Presbyterian Medical Center Pays $17k Ransom
Hollywood Presbyterian Medical Center in CA paid a $17,000 bitcoin ransom to recover medical records that were stolen earlier last month, reported The Washington Post on February 18. “All systems currently in use were cleared of the malware and thoroughly tested,” says chief executive Allen Stefanek. It's not uncommon for high profile victims to pay a ransom for stolen data, as the cost of repairing a breach often exceeds the price leveled by scammers.
Hackers Attack Chinese Online Auction Giant
Chinese consumer-to-consumer giant Taobao was the victim of a major hack, reported Naked Security on February 5. Beginning in October of last year, scammers acquired 100 million emails and passwords from a yet unknown source, which allowed them to access 21 million Taobao accounts in order to post fake reviews and doctor bidding prices. Not only would two-factor authentication have helped stop the hackers, but integration and utilization of rate limiting--where too many different logins from the same place, too many identical logins from different places and too many failed passwords for the same account are flagged as suspicious-- would have prevented much of the damage.
Ringo Starr's Twitter Attacked
Former Beatle Ringo Starr's Twitter was accessed when a hacker breached the email of a marketing employee with access to the account, reported Naked Security on February 16. The scammer was able to reset Ringo's Twitter password and intercept the email without anyone noticing. This shows how once a hacker gains access to an email account, breaching other services becomes a cakewalk. In this case, the hacker was able to reset the marketer's email password by learning his date of birth and nephew's name, both of which were publicly available on Facebook. Although the breach has been settled, simply having stronger security questions and two-factor authentication in place would have prevented the whole mess."