Cybersecurity News
Homeland Security rolls back its expansion of facial recognition
Travelers have the little-known right to opt out of the biometric process and use their passport instead
12/12/2019 | ConsumerAffairs
By Gary Guthrie

Facial recognition has become a rather touchy subject. Earlier this year, a $35 billion class action lawsuit was filed against Facebook over claims that it harvested consumer biometric data without consent. In San Francisco, the subject is so ripe that the city is considering banning all facial recognition technology within city limits.
The U.S. government thinks it’s a touchy subject, too. First, the Federal Trade Commission (FTC) explored facial recognition and recomm...
Security firm finds cache of birth certificate applications exposed online
The data reportedly had no password protection and an ‘easy-to-guess’ web address
12/10/2019 | ConsumerAffairs
By Sarah D. Young

An online company that enables U.S. residents to obtain a copy of their birth certificate has exposed nearly 800,000 applications, according to Fidus Information Security.
“More than 752,000 applications for copies of birth certificates were found on an Amazon Web Services (AWS) storage bucket,” according to TechCrunch, which verified the discovery of the UK-based security firm. “The bucket wasn’t protected with a password, allowing anyone who knew the easy-to-guess web...
Hackers like Playstation 4 and Xbox One too
Security firm warns new consoles are under cyber attack
12/16/2013 | ConsumerAffairs
By Mark Huffman

When Microsoft and Sony released new, updated versions of their popular game consoles within days of each other last month, gamers around the world were in seventh heaven. So, it seems, were hackers.
Cyber security firm Kaspersky Lab has been measuring the hacking attempts against the new Playstation 4 and Xbox One units – as well as other game platforms – and has seen a surge, coinciding with the late November releases.
Globally, the company estimates an aver...
Google shutters Google+ in wake of bug affecting over 50 million users
Personal user data is impacted, but the company promises to help users secure and migrate their data
12/11/2018 | ConsumerAffairs
By Gary Guthrie

Google’s plans to close down the consumer version of its social network Google+ have been escalated thanks to a bug that impacted approximately 52.5 million users in connection with a Google+ API. In layman’s terms, an API is a set of communication methods used to coordinate development and programming of a computer program.
“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days,” wrote D...
Marriott’s Starwood Hotels suffers massive data breach
As many as 500 million customer records exposed
11/30/2018 | ConsumerAffairs
By Mark Huffman

Hackers broke into Marriott International's database, and the hotel chain says they may have gained access to 500 million customers' data. That would make it the largest data breach on record, surpassing the 2017 Equifax breach that exposed credit records of more than 145 million consumers. According to Marriott, the breach occurred at its Starwood Hotel brand. An investigation has revealed that unknown parties gained access to the database sometime in 2014, copying ...
U.S. Customs and Border Protection discloses data breach
Photos of travelers and license plates were stolen
06/12/2019 | ConsumerAffairs
By Sarah D. Young

U.S. Customs and Border Protection (CBP) says license plate images and photos of travelers headed into and out of the country were stolen in a "malicious cyberattack" of an unnamed subcontractor at the end of May, the Washington Post reported.
In a statement, the agency said a subcontractor "had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised b...
What to look for in mobile cloud-based storage
Robust encryption and remote wipe can help protect your data
08/14/2013 | ConsumerAffairs
By Mark Huffman
Hackers and identity thieves are increasingly focused on mobile computing. With so many smartphones and tablets now in use, mobile is increasingly becoming how consumers use the web.
Criminals also like the fact that many mobile devices have little or no security protection – not on the device itself and not on the data that is stored in the cloud.
Mobile data can be stored in both places, and security experts say both need strong protection. Chris Rancourt, an editor at NextAdvisor.com, says consumers who use an online backup service to store and share their data in the cloud need to be especially careful.
“When you put your information on the cloud, you get this extra level of security with their encryption,” Rancourt said. “Most services now use encryption but some are stronger than others.”
Increasingly popular
Cloud storage and backup services have become increasingly popular. They store data off-site, protecting it from a catastrophic computer crash or other physical damage. They also make it accessible from other computers in other locations.
“Pretty much any information you can upload to the cloud – pictures, documents, videos. And all that information can be encrypted and stored safely inside your cloud or online back-up service,” Rancourt said. “The backup services that we use provide coverage for Apple, Android – pretty much the whole spectrum.”
Rancourt suggests picking a backup service with very robust encryption. One service that falls into that category, he says, is SpiderOak. There is one security feature, in particular, that he likes.
'Zero-knowledge' security
“They have this policy where no one in their company will know your password,” he said. “If you lose your password they can't go in and retrieve it for you. It's really up to you, which makes the security a lot stronger, but at the same time you have to be responsible for your own stuff.”
Absent-minded consumers can run the risk of losing everything if they forget or lose their password. Writing it down in several secure places, however, might be all the insurance policy you need.
Sugarsync is another secure backup service. With Sugarsync, you can safely store important files and then sync them across an unlimited number of computers. If the data is updated on one computer, it's also updated on the rest.
Mozy is a low-cost cloud storage service. The company's backup plans start with one computer per subscription, but it can sync up with other computers that aren't part of the plan.
First line of defense
The best feature of these companies' backup services may be the sophisticated encryption. Rancourt says it provides a great first line of defense.
“For companies like SpiderOak you actually have to have an encryption key in order to decode the information and read it as something legible,” he said. “Most services have something like that as well.”
But hackers are resourceful individuals. Suppose they get access to your cloud and your encrypted information by stealing or finding your lost device. It might look like gibberish at first, but given a few hours, it's just possible some hackers might be able to crack the encryption. That's why you need a second level of defense – remote wipe.
If your device is lost or stolen, remote wipe will still give you access to all your files and documents from another computer but allow you to block access on the missing device. You can even delete files.
“Let's say you keep all your bank information on your cloud,” Rancourt said. “Someone can actually hack in there and steal your identity.”
It should go without saying that you should have robust security features on your hardware as well. Getting a strong mobile security package for your smartphone or tablet will reduce the risks from lost or stolen devices.

Hackers increasingly target the church collection plate
Security firms step up plan to provide donated security software
01/26/2015 | ConsumerAffairs
By Mark Huffman

These days, when you get ready to swipe your card at a big box store, a thought may flash through your mind – “sure hope my data is safe.”
After all, Target, Home Depot, Neiman Marcus and Michaels, among others, have seen their systems breached by hackers in the recent past.
But do you have the same worries about transactions with your church, or other nonprofits? A cybersecurity firm says you should.
TechSoup, an organization that makes software and techn...
Choice Hotels suffers data breach affecting 700,000 guests
Hackers discovered an unsecured database containing guest records
08/15/2019 | ConsumerAffairs
By Sarah D. Young

About 700,000 guests of Choice Hotels -- which is the parent company of chains such as Clarion, EconoLodge, Comfort Inn, and Quality Inn -- may have had their information exposed.
The leak stemmed from an unsecured database, which was unfortunately discovered by hackers first. The unsecured database was most recently discovered by Comparitech and security researcher Bob Diachenko.
The database that was left online and unsecured for four days contained 5.7 million Choice...
Experts recommend Facebook users make changes in light of the social media giant’s latest privacy gaffe
One change is a snap; the other enhances security but requires caution
03/25/2019 | ConsumerAffairs
By Gary Guthrie

Even though what happened in Facebook’s recent password bungle was likely more an “oversight” than a hacking invasion, experts recommend that consumers double down to protect their accounts and their personal data when using the platform.
Tech security gurus at the International Institute of Cyber Security told ConsumerAffairs there are two recommended steps to enhance online protection.
The first recommendation is straightforward enough -- change your Facebook password. ...
StubHub "hacked" -- over 1,000 customers affected
This is why you shouldn't use the same password for multiple accounts
07/23/2014 | ConsumerAffairs
By Jennifer Abel
News that over 1,000 accounts at online ticket-seller StubHub have been hacked should serve to remind you of this important online safety rule: don't use the same password across multiple accounts.
The Associated Press first reported on Tuesday that “cyber thieves” managed to fraudulently access more than 1,000 StubHub accounts, and buy themselves tickets in the legitimate accountholders' names.
As hacks go, a mere thousand compromised accounts in a company as large as StubHub sounds like pretty small potatoes. Why was the damage so limited?
According to StubHub spokesman Glenn Lehrman, the thieves never broke into the StubHub customer database. Instead, they got customers' login and password information from other sources, either hacking into different retail databases or even putting keylogging software or other forms of malware on users' computers.
The thieves presumably know how commonplace it is for people to use the same passwords (and sometimes even login names) across multiple accounts, so if thieves have, for example, the password you use for your email, bank account, favorite web-discussion forum or any other password-protected thing you do, they'll also try plugging that password into your other accounts on the off-chance it will work. Where over 1,000 StubHub customers are concerned, it did.

Facebook suspends ‘tens of thousands’ of apps
The crackdown comes amid growing regulatory pressure on the tech giant
09/23/2019 | ConsumerAffairs
By Mark Huffman

Amid growing pressure from Congress, the White House, and regulators, Facebook has suspended tens of thousands of apps from its site, citing various concerns.
The action came on the heels of Facebook CEO Mark Zuckerberg’s White House meeting last week with President Trump. The social media giant said it acted out of an abundance of caution. About 400 developers are affected.
“We initially identified apps for investigation based on how many users they had and how much data...
Quora data breach may have affected 100 million users
The question-and-answer site is the latest to be affected by a security breach
12/04/2018 | ConsumerAffairs
By Sarah D. Young

Question-and-answer website Quora says it was impacted by a security breach which may have exposed the personal data of as many as 100 million of its users.
Adam D'Angelo, the site’s CEO and co-founder, said Quora discovered late last week that one of its systems had been hacked by “a malicious third party.”
“On Friday we discovered that some user data was compromised by a third party who gained unauthorized access to one of our systems,” D’Angelo said in a blog post. ...
Hackers hijack Starwood Preferred Guest loyalty programs
Another example why you should always use a different password for every important account
01/22/2015 | ConsumerAffairs
By Jennifer Abel

Pretty much any collection of online security tips will remind you not to use the same password across multiple accounts, and this week's news that scammers have managed to hijack and steal points from large numbers of Starwood Preferred Guest loyalty accounts offers another example of why.
Security blogger Brian Krebs reported today that he'd personally heard complaints from two of his readers whose SPG accounts had been hijacked. As Krebs diplomatically explained: ...
Microsoft contractors reportedly snoop on Skype calls
The company says its user agreement allows it to do so
08/08/2019 | ConsumerAffairs
By Gary Guthrie

“Shh” seems to be the operative word these days at Big Tech. Earlier this year, ConsumerAffairs reported on Amazon employees eavesdropping on consumers’ interplay with their Echo Dot (“Alexa”) devices and Apple being caught red-eared when it was discovered that its employees had the ability to listen in on Siri voice recordings.
Now, Vice reports that Microsoft had its contractors listening to bits and pieces of conversations taken from its Skype platform.
“The Skype aud...
LinkedIn Hacked; What You Should Do
eharmony says 'small fraction' of its passwords also stolen
06/07/2012 | ConsumerAffairs
By Mark Huffman
If you get an email from LinkedIn saying you need to reset your password, it's real. The social networking site has reported a data breach in which an undisclosed number of passwords were compromised.
"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," Vicente Silveira, a LinkedIn director, wrote on the company's blog. "These members will also receive an email from LinkedIn with instructions on how to reset their passwords."
Silveira stresses there will not be any links contained in the email that informs you that you must reset your password. However, once you follow the initial step and request password assistance, you will receive an email from LinkedIn with a password reset link.
Regardless of whether you receive an email, it would be prudent to immediately change the password on your LinkedIn account.
"It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases," Silveira wrote.
A ConsumerAffairs sentiment analysis of about 2.5 million comments posted to social media finds that the news knocked LinkedIn from an overall approval rating of close to 80% to a 24% negative rating.
While the hack attack wasn't the only negative to emerge in the analysis, it was by far the largest, as shown in this chart:
How it happened
Silveira did not say how the data breach occurred, only that an investigation was underway. Chester Wisniewski, Senior Security Advisor at Sophos Canada, wrote in his blog that it is imperative that LinkedIn also determine whether email addresses, often a user name, were also compromised. LinkedIn has more than 161 million members who use the site to expand their business and professional contacts.
About 6.5 million passwords have been posted online and the company says some of them do appear to be LinkedIn passwords. Others appear to be passwords for eHarmony accounts, security experts say.
eHarmony said a "small fraction" of its member passwords had been compromised and that it is investigating. Meanwhile, it said affected passwords have been reset.

Facebook privacy issue exposes deeper concerns about the internet
Mark Zuckerberg does damage control on conference call
04/05/2018 | ConsumerAffairs
By Mark Huffman

Facebook CEO Mark Zuckerberg, who will testify before a House committee next week, took questions from reporters on a conference call Wednesday and discussed his company's efforts to better protect users’ data.
Zuckerberg took responsibility for the data leak and pledged to make the system better. However, he cautioned his listeners not to expect instant results.
"These are big issues," he said. "This is a big shift for us to take a lot more responsibility. It's going to ...