Black Friday becomes a hunting ground for online thieves, China denies involvement in a hack on the weather service Down Under and charges come in related to last year's attack on JPMorgan. All that and more in our November edition of The Month in Hacks.
VTech Gets Security Wake-Up Call After Black Friday Hack
ZDNet has reported that millions of parents were horrified to learn that hackers had accessed VTech's database on Black Friday. Photographs, voice recordings and chat histories numbering into the tens of thousands were stolen by a hacker in a breach that is being blamed on the company's lack of security. Data security expert Troy Hunt stresses, “Taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.” The only silver lining is that the hacker, who has not been identified, has no plans to sell the data.
China Accused of Aussie Weather Attack
Chinese officials have denied involvement in an attack on the Australian Bureau of Meteorology (BoM) as reported by BBC, calling the accusation both groundless and speculative. The BoM is home to one of Australia's largest supercomputers and provides essential information for airlines, logistics firms and water supplies. With its close ties to Australian national security, BoM is a high-profile target in cyber warfare. So far, the agency has refused to comment, citing the ongoing investigation.
Indictments Announced in JP Morgan Hack
Federal prosecutors unsealed the charges against Israeli citizens Gery Shalon and Ziv Orenstein, as well as American Joshua Aaron for masterminding a widespread attack that Manhattan U.S. Attorney Preet Bharara has called “breathtaking” in its scope. The attack occurred last year when the men allegedly stole log-in credentials from over 83 million customers--a bridgeway to other financial crimes, the most lucrative being a securities fraud scam in which they allegedly inflated penny stock prices in a pump-and-dump scheme, said The Wall Street Journal on November 10.
Hacker Accesses vBulletin, Tells Everyone on Social Media
A hacker using the handle “Coldzer0” bragged across multiple social media platforms about having accessed log-in credentials for the software package, vBulletin, reported Naked Security on November 4. Foxit Software was also a victim of the attack, with over half of its 537,000 accounts being compromised. In response, vBulletin has enforced a password update for users and released a security patch. Anyone who administers a site using vBulletin software should download the new security patch to avoid additional breaches.
Stop the Music: Spotify Denies Breach
In a November 14 report, Tech Times said that Spotify is denying a Newsweek article which claims that the personal information of nine individuals was stolen from the streaming service and posted online. There appears to be no clear motivation for the attack, and no one has yet claimed responsibility. “Spotify has not been hacked and our user records are secure,” says a Spotify spokesperson--blaming the current crop of leaks on a previous hack of a separate service. Because some customers use the same credentials for multiple services, it's possible that the information stolen from one company can be used to access profiles on additional servers. Customers are therefore urged to update their Spotify passwords.
Hotel Holdup: Hackers Steal Card Data From Payment Systems
A November 15 report from CNET said that Starwood Hotels and Resorts has been the victim of a malware attack on its ancillary payment systems at gift shops and restaurants. Customers who used credit cards at the infected locations potentially had their card information stolen. Starwood, which operates both Sheraton and Westin hotels, has removed the malware and beefed up security in response to the breach.
Amazon Passwords Get the Spotlight
Reports of a possible breach at Amazon during the week of Black Friday follow closely behind the news that the online retail giant had enabled two-factor authentication for its customers. Naked Security posted that some users were being contacted by Amazon about the possibility of a password breach. The communication instructed those users to change their passwords but maintained that “there was ‘no reason’ to believe passwords had been disclosed to a third party, but the action was precautionary.” The news serves as a good reminder to turn on two-factor authentication on sites that offer it--and shines the spotlight on Amazon for making the positive move.