Category Archives: Cyber Crime

Hackers Stole PayPal Subsidiary Personal Data of 1.6 Million Customers

PayPal notified their all customers on Friday that 1.6 million individuals’ personal data may have been stolen by hackers who broke through the systems of its subsidiary TIO Networks.

TIO Network is a widely transacted bill payment workstation that PayPal attained in July 2017 for some $230 million. The enterprise is based in Canada and it functions some of the major telecom and utility network process in North America. TIO has about 10,000 maintained billers and it assists 16 million customers’ bill pay accounts.

PayPal pronounced that TIO had postponed processes on November 10, in an attempt to defend account holders’ following the detection of security susceptibilities on the subsidiary’s spot. PayPal declared it had found concerns with TIO’s information data security program that did not obey its own values.

An inquiry led in association with third-party Cyber-security professionals exposed that TIO’s network had been broken through, containing servers that saved the information data of TIO customers and clients of TIO billers. PayPal told the attackers may have gained personally recognizable facts (PII) for about 1.6 million users. The influenced individuals and companies will be communicated through email and mailing address and provided free credit observing services via Experian.

Whereas it’s uncertain precisely what sort of information data the cyberpunks have acquired access to, the data shared by PayPal and TIO Network proposes that payment card information data and in some circumstances even social security numbers (SSNs) may have been conceded.

PayPal has highlighted that TIO’s systems have not been integrated into its own platform. “The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” the company said.

The New York State Department of Financial Services (DFS) has also published a declaration on the incident.

“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” the DFS said. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner. Events like these illustrate the necessity of DFS’s landmark cybersecurity regulation and underscore the strength and effectiveness of our strong state-based financial services regulatory framework, including for the fintech industry.”

TIO Network told the services will not be fully brought back up until it’s assured that its systems and network are protected.

Imgur Exposes Security Breach And Affects 1.7 Million Users

Famous image hosting website Imgur has pronounced on Friday that cyberpunks stole usernames and passwords of 1.7 million users in an attempt. The breach dates back to 2014 when Imgur yet encoded the stored passwords with the SHA-256 algorithm, which has since been set up too weak to resist instinctive forcing. The company ensured to annotation that the conceded account information contained within only email addresses and passwords, as they’ve certainly not asked for users’ real names, addresses, phone numbers, or any other personally-identifying information.

Image Source

 “On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users,” Roy Sehgal, Imgur’s Chief Operating Officer, explained.

Regardless of being a blessing in the US, where the company is situated, they rapidly started an inquiry to confirm that the data Hunt sent them to be in the right place to Imgur users and when they recognized that it ensures, they initiated informing affected users via their listed email address the next day.

“We take protection of your information very seriously and will be conducting an internal security review of our system and processes. We apologize that this breach occurred and the inconvenience it has caused you,” Sehgal concluded.

Hunt has admired Imgur’s rapid response and supervision of the revelation of the breach, even though some users will confidently be annoyed by the circumstance that the breach occurred and they certainly not observed. Regrettably, data breaches similar to this one have come to be the new normal.

Imgur says they’ve changed to struggling user passwords with the bcrypt previous year. And, rendering to Hunt, sixty percent of the hacked email addresses were previously in Have I Been Pwned’s database i.e. they’ve so far cooperated in earlier breaches.

Cyberpunk Theft Away Driver Records of 57m Passengers, Says UBER

Hackers also bribed UBER for the amount $100k to STFU. The crime occurred a year ago, hoped you wouldn’t discover out.

 

CEO of Uber, Dara Khosrowshahi had publicized today, the hackers had broken into their databases and robbed away 57 million people’s personal information including passengers and drivers. The information contains their names, email addresses, and telephone numbers. The information was stolen from UBER’s ride-hailing app and the cyberpunks deprived off with 600,000 US drivers’ data that contained along with their driving license numbers.

And the theft occurred in 2016 – however, biz executives are quiet about the crime somewhat than alert the people.

In a declaration on Tuesday, Khosrowshahi said the impostors retrieved cloud-hosted database stores:

I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use. The incident did not breach our corporate systems or infrastructure.

At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals. We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.

You may be asking why we are just talking about this now, a year later. I had the same question, so I immediately asked for a thorough investigation of what happened and how we handled it.

“Obtained assurances” is a humorous manner of keeping it.

Undoubtedly this is what the chief executive exposed from that investigation of his: during October 2016, two scoundrels rushed from the app biz’s GitHub code repo the sources required to acquire its AWS S3 database stores comprising the above-mentioned personal records, Bloomberg reports. The cyberpunks then insisted for $100,000 from UBER in exchange for their quietness and to demolish all their stolen data of the records.

Somewhat than caution, national and federal authorities of the personal data theft, as is needed by the California upstart, chief of information security, UBER, Joe Sullivan commanded that the cyberpunks be paid off, the robbed data deleted, and the entire thing was done quietly, leaving passengers and drivers none the wiser. The disbursement was cloaked as a virus bounty prize whole with non-disclosure contracts signed up.

Sullivan, formerly a federal prosecutor, and one of his substitutes were exiled from the company as a concern of the new CEO’s enquiry, we’re told. Khosrowshahi, who was connected at the San Francisco-based nonentity over the summer, said stages have now been taken to make sure this sort of conspiracy is certainly not recurring, and that security breaks will be revealed in open in future as mandatory:

While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.

The top boss was adamant that “outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.” He added that the company was monitoring the affected accounts, and has flagged them for “additional fraud protection.” Anyone affected by the hack will be notified, he said.

It’s worth pointing out that while the company is now alerting the authorities, California’s data security breach notification law requires disclosure in “the most expedient time possible and without unreasonable delay.” Ie, not 12 months later.

As well as distress perhaps preparing in Cali over the quietly, New York Attorney General Eric Schneiderman has also revealed an enquiry into UBER’s data theft – by our computation, maybe simply the fifth most awful thing the controversial bad-boy biz has performed the last year.