Cybersecurity

Is 2024 the year of the data breach? It certainly seems like it with what's happened to AT&T, Ticketmaster, and Advanced Auto Parts.

Now, less than a year after suffering through filing for bankruptcy and a spate of store closings, Rite Aid has gone public with its discovery of an “incident” that involved “certain consumers’ personal information," too.

In its disclosure, the company said that on June 6, 2024, an unknown third party compromised certain business systems by impersonating a Rite Aid employee. The company said it detected the incident within 12 hours and immediately launched an investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted. 

Are you affected?

If you are a Rite Aid shopper or use its pharmacy to fill prescriptions, you no doubt are concerned about the safety of your personal data. To that end, the company admitted that the data included:

• Purchaser name

• Address

• Date of birth 

• Driver’s license number or other form of government-issued ID…

...“presented at the time of a purchase between June 6, 2017, and July 30, 2018.”

However, Rite Aid said no Social Security numbers, financial information or patient information was impacted by the incident. The company did not release the total number of records compromised in the breach.

The company said it is mailing letters to any potentially affected consumer who was associated with a mailing address in its systems.

“We regret that this incident occurred and are implementing additional security measures to prevent potentially similar attacks in the future," the company said in its announcement. 

"We are committed to protecting consumers’ information, and anyone with additional questions may call our dedicated assistance line toll-free at (866) 810-8094 from 8 a.m. to 5:30 p.m. Central Time, Monday – Friday, excluding holidays.”

“If you are a Rite Aid consumer who did not receive a letter regarding this incident, but you would like to know if you were affected, please call our dedicated assistance line."

In its report on the second quarter of 2024, the Identity Theft Resource Center (ITRC) found the number of publicly reported data breaches declined 12% over the second quarter of 2023. However, the number of people affected by those breaches surged, rising to 1,041,312,601, a 1,170% increase over the same period in 2023.

How many “smart” devices are in your home? And how many are vulnerable to hackers?

Those are not questions many consumers ask themselves but should. Thermostats, garage door openers – anything that can be controlled using your smartphone – are connected to the internet.

The Federal Communications Commission (FCC) is creating a voluntary cybersecurity labeling program for Internet of Things (IoT) devices and other consumer-facing products that rely on an internet connection. The idea is to make consumers more aware that these devices are connected to the internet and, just like PCs and tablets, need protection.

Dominic Chorafaklis, a principal at cybersecurity firm Akouto, says the FCC’s move is a step in the right direction but that a lot more needs to be done.

How concerned are manufacturers about security?

“The companies that make consumer IoT devices tend to be more concerned about keeping their products cheap and simple than about making them secure, which does come at a cost,” he told ConsumerAffairs. “Even when security features are built in, they often rely on consumers taking steps to enable them and configure them correctly.”

And many times, consumers don’t. They often keep the default login, which tends to be very simple and very hackable.

Tim Mackey, head of Software Supply Chain Risk Strategy at Synopsys Software Integrity Group, says the U.S. is just catching up with the rest of the developed world by taking this step.

“From a consumer perspective, this new program is completely voluntary,” Mackey said. “That means that we won’t suddenly see an influx of certified devices on store shelves or from online retailers. Instead, consumers should expect to see manufacturers who take cybersecurity seriously aggressively pursuing certification.”

Some will and some won’t. Mackey says consumers should look for the certification label and QR code when shopping for smart devices because their security will be the most robust.

The weakest link

Maria-Kristina Hayden is CEO and founder of OUTFOXM, a cyber hygiene and resiliency company. She comes from a background in U.S. intelligence, where cybersecurity is a top priority. She points out that one weak IoT device in a home can grant an attacker access to all other devices on that home network.

“Consumers must be provided with easy-to-understand instructions about choosing secure IoT devices and how to configure settings,” she told us. “This is where the FCC's proposal should really help.”

The FCC says the smart products covered by its new rule and that meet certain requirements will be able to use the label on packaging and advertising, similar to the ENERGY STAR label that shows that a product is energy efficient. Outside, accredited research labs will perform the testing.

With scammers running rampant this holiday season, it’s more important than ever for consumers to stay vigilant and safe in the final weeks leading up to Christmas – and into the new year. 

In an effort to bring some levity to the serious situation of cybersecurity, while also providing consumers with tangible advice on staying safe, Karin Garrido, vice president and general manager at AT&T, Pacific States, shared “The 12 Cybersecurity Don’ts of Christmas” with ConsumerAffairs. 

While the security tips may seem funny and lighthearted – and they are – their sentiments ring true. With online shopping, shipping gifts, and the general frenzy of the holidays, it’s easy to get lax with online security measures. 

With Garrido’s advice, the goal is to keep your private information private for the holiday season and beyond. 

The 12 Cybersecurity Don’ts of Christmas

Here is Garidoo’s official “12 Cybersecurity Don’ts of Christmas:” 

1. Re-gifting passwords: Just like last year's fruitcake, re-gifting passwords across multiple accounts is a no-go. Santa uses a password manager.

- If you use the same password on several accounts, then all those accounts are vulnerable if your password is exposed on just one of them. It’s hard to keep track of so many passwords, so a reputable “password manager” is a good option. 

2. Clicking on mischievous links: Not all links are wrapped with good intentions. Think twice before clicking on them, and three times before entering information.

3. Ignoring software update elves: These diligent elves deliver security patches that shield devices from new threats. Don't ignore their hard work!

4. Typing Santa’s credit card number on an open network: Public Wi-Fi networks can be as open as a chimney on Christmas Eve. Don’t expose sensitive intel to cyber-Scrooges.

- As a precaution against electronic snooping, you should avoid typing in sensitive information like credit card numbers when you’re using public Wi-Fi. 

5. Keeping a cluttered digital house: You might get unwanted company, so it’s wise to delete old downloads and emails that are full of personal information.

- If someone succeeds in breaking into your email or computer, what will they find? If you don’t need old emails with your Social Security number and other personal information, it’s best to delete them.

6. Downloading a Trojan reindeer: Untrusted software downloads can be like a Trojan reindeer, carrying unwanted malware gifts.

- This is a longtime safety tip. Don’t download software from non-trusted sites or unexpected pop-ups.

7. Forgetting to back up data: Regular data backups are like keeping an extra set of presents in the attic, just in case. 

-If you have documents or photos that you wouldn’t want to lose, copy them in more than one secure place on a regular basis. 

8. Oversharing on social media: Oversharing personal information is like leaving your doors and windows wide open during the holidays. Facts about you can be used by fraudsters in many ways. Your pet’s name or mother’s family name may be a backup for a forgotten password. 

9. Bypassing multi-factor authentication: This adds an extra layer of security for your accounts, just like double wrapping those precious gifts. If a criminal gets your password, an extra line of defense can help keep them out of an account. 

10. Leaving devices unattended: Devices left alone in public places are as tempting as unattended milk and cookies. Use a screen lock, too.

11. Using Santa123 as the North Pole password: Weak and predictable passwords are like a flimsy lock on a treasure chest of gifts.To make a password long and strong, consider a passphrase with several words inside it. Longer is recommended to help defeat automated password guessing. 

12. Having a bit of eggnog and forgetting to log off a public device: This is like leaving your sleigh full of gifts unattended in the town square. Occasionally we all may need to log into a hotel or public library computer. Uncheck “remember me” and don’t forget to log out. 

Scams don’t end with the holidays

Though the holiday season will wrap up in a few weeks, that doesn’t mean scammers’ work is done. Consumers need to keep cybersecurity at the top of their minds into the new year, as advancements in technology are likely to make it easier than ever to be on the receiving end of a scam. 

“The rise of AI and Deepfakes will result in more sophisticated communications fraud and imposter attacks,” Clayton LiaBraaten, senior executive advisor at Truecaller, told ConsumerAffairs. “In 2024, large language model (LLM) technology will enable highly granular data scraping and mining to enable extremely targeted, contextually relevant scam and fraud campaigns at scale."

Yes, 2024 is an election year. Consumers will likely be inundated by political voice and text SPAM. Not all of it will be legitimate.

Shopping has been in the news lately as Amazon, Walmart and Target have all announced special sales promotions for mid-July. 

Amazon started it all with its annual Prime Day and it remains the best-known of the sales. This week’s ConsumerAffairs-Trend Micro Threat Alert shows scammers are taking advantage of it.

Amazon phishing 

• Trend Micro's research identified a phishing scam in which an SMS message prompts the victim to verify their Amazon account via a fake login page. 

• The top five states being targeted are Virginia, California, Florida, Texas, and Georgia 

“Scammers are ramping up to take advantage of the annual Amazon Prime Day on Tuesday, July 11th. Consumers who want to take advantage of this day of savings should be vigilant in looking out for the plethora of scams we’re likely to see occur, Jon Clay, vice president for Threat Intelligence at Trend Micro told ConsumerAffairs. “Trend Micro’s research team has detected Amazon SMS phishing attacks looking to steal the account owners’ credentials with the top five states being targeted the most Virginia, California, Florida, Texas, and Georgia.”

Travel scams 

• From April 1 to June 26, Trend Micro's research team found 1,979 travel-related scam URLs, which increased by 24.6% compared to the past weeks. This included three fake Booking.com login pages 

• Over one-third of the victims in the U.S. are from Oregon: 32.37%. 

• The top five states being targeted are Oregon, Virginia, Washington, Pennsylvania, and Illinois 

With the Fourth of July coming up Americans are hitting the road in greater numbers and scammers are deploying all types of schemes to ensnare victims. ConsumerAffairs recently reported on several of these summer travel scams, along with ways to avoid them.

Costco Survey Scam 

• Trend Micro's research found scammers inviting customers to participate in a short Costco survey to get a $100 cash value prize. The scammers wish to collect victims’ private information and credit card information. 

• The top five states being targeted are California, Alabama, Texas, Illinois, and Nebraska 

This scam is increasing again, probably because it is highly successful. The victim receives an email that looks like it is coming from Costco and asks the recipient to fill out a short survey.

The bait is a gift card or other item with at least $100. That should be a red flag since retailers can’t afford to pay that much for a consumer’s feedback. The scam seeks to steal personal information, along with credit card information.

FedEx Phishing 

• Trend Micro's research identified scammers impersonating FedEx to ask email receivers to declare their imported items via specific instructions. Victims were prompted to log in on a fake website to collect the victim’s personal information.  

• Trend Micro's research team found 194 logs on June 23. 

“FedEx does not request, via unsolicited mail, email, or text, any personal information pertaining to your account credentials or identity,” the company says on its website. “If you get a suspicious email, do not reply or cooperate with the sender.”

FedEx says red flags include an urgent request for money in return for the delivery of your packages and requests for your personal and financial information.

Office Printer Phishing 

• Trend Micro's research identified scammers pretending to be Office Printer and sent victims a notification letter to redirect them to ‘View Document’ or ‘Download Document.’  

• Trend Micro's research team detected 371 logs on June 26. 

The scammers sending out these emails hope to deceive recipients into clicking on a link. If they do, recipients open a bogus website where scammers try to steal the passwords of email accounts.

If you have an iPhone, you can move on to the next ConsumerAffairs story – but if you have an Android device, your next move should be to look at all the apps on your device. Google has sent up a flare warning billions of Android users that they are in danger of being harmed by 19 different apps.

These malicious apps cover everything a scammer has in their toolbox: adware, malware, spyware, trojans, and more. All can infect a phone, steal your identity, passwords, or financial information like credit card numbers and bank accounts.

The apps that need to be deleted

When you look at the following list, there are apps you may have used in the past with zero problems. But, dastardly scammers have gone as low as they know how, downloading these apps themselves, reengineering them by adding in the malicious code and then putting them back on the Google Play store, according to MalwareFox.

1. Fare Gamehub and Box

2. Hope Camera-Picture Record

3. Same Launcher and Live Wallpaper

4. Cool Emoji Editor and Sticker

5. Amazing Wallpaper

6. Simple Note Scanner 

7. Universal PDF Scanner 

8. Private Messenger

9. Premium SMS

10. Blood Pressure Checker

11. Cool Keyboard

12. Paint Art

13. Color Message

14. Vlog Star Video Editor

15. Creative 3D Launcher

16. Wow Beauty Camera

17. Gif Emoji Keyboard

18. Instand Heart Rate Anytime

19. Delicate Messenger

We repeat -- in their original form there was nothing wrong with these apps. According to Google, scammers have changed them to make them dangerous.

The U.S. Department of Justice (DOJ) this week rolled into Wisconsin, waving badges, seizing computers, and taking the personally identifiable information of millions of Americans off the market.

It’s about time.

Coming to the rescue is “Operation Cookie Monster,” a high-level all-hands-on-deck effort where the DOJ utilized 45 FBI field offices and international partners from Sweden to Romania to seize Genesis Market’s motherlode of consumer usernames and passwords for email, bank accounts, and social media.  

All in all, millions of passwords and email addresses were provided from a wide range of countries and domains. These emails and passwords were sold on Genesis Market and were used by Genesis Market users to access the various accounts and platforms that were for sale. Then, down stream, cybercriminals used this data for purposes ranging from identity theft to phishing attacks to credential stuffing. 

“Genesis falsely promised a new age of anonymity and impunity, but in the end only provided a new way for the Department to identify, locate, and arrest on-line criminals,”  said Deputy Attorney General Lisa Monaco. “The Department of Justice is shining a light on the internet’s darkest corners – in the last year alone, our agents, prosecutors, and partners have dismantled the darknet’s largest marketplaces – Hydra Market, BreachForums, and now Genesis. Each takedown is yet another blow to the cybercrime ecosystem.” 

Were you part of the personal data that Genesis had?

While the DOJ prevented Genesis from pushing consumer ID information any further, you, me, and everyone else is still at risk because of what’s already rung the cash register for the data seller on the black market.

The FBI has reached out to Have I Been Pwned (HIBP), a free resource for people to quickly assess whether their access credentials have been compromised (or “pwned”) in a data breach or other activity. Victims can visit HaveIBeenPwned.com to see whether their credentials were compromised by Genesis Market so that they can know whether to change or modify passwords and other authentication credentials that may have been compromised.

And whether you know that you’re a victim or just think you’re a Genesis victim, it would be smart to see if any of your email addresses at any time in the last several years turned up on the dark web.

When ConsumerAffairs checked Have I Been Pwned against our personal email accounts, there were breaches that have widespread implications: Adobe, Dropbox, and Zynga (the creator of Words with Friends) which exposed 173 million unique email addresses alongside usernames and passwords.

Prepared in conjunction with the FBI, HIPB provides the recommended guidance for those that find themselves in this latest collection of data. Those steps are detailed in the section with the gold background on this page.

When the artificial intelligence (AI) platform ChatGPT burst into public consciousness early in the year, cybersecurity experts warned it wouldn’t be long before the bad guys made use of it. They were right.

In a recent post, Nati Tal, head of Guardio Labs, warns that hackers have hidden fake ChatGPT functionality inside a Chrome browser extension. Hackers entice Facebook users to load the extension using ads on the platform.

Once the extension has been loaded, it gives hackers the ability to hijack Facebook accounts and give them nearly complete control, including “super-admin permissions.”

Tal says his company's research found that the fake extension is being used to target well-known Facebook business accounts. Once in control, the hackers can create Facebook bots and other malicious items.

In his post, Tal said his team has uncovered “endless” campaigns abusing the ChatGPT brand, distributing malware and phishing for credit cards.

“On 3/3/2023, our team detected a new variant of a malicious fake ChatGPT browser extension, part of a campaign started in early February with several other ChatGPT branded malicious extensions,” Tal wrote. “This time upgraded with a threatening technique to take over your Facebooks accounts as well as a sophisticated worm-like approach for propagation.”

Guardio researchers found the "Quick access to Chat GPT" extension was downloaded as many as 2,000 times per day since March 3. The company says it was pulled by Google from the Chrome Web Store on March 9.

'Quick access to ChatGPT'

The fake extension, identified as “Quick access to ChatGPT,” was offered as a quick way to get started with ChatGPT directly from your browser. Guardio says the extension does, in fact, provide that. However, it also “harvests” as much data as it can from your browser. It steals “cookies of authorized active sessions to any service you have, and also employs tailored tactics to take over your Facebook account.”

The takeaway, says Tal, is web users must be even more careful than in the past. Hackers have managed to stay one step ahead of major players like Google so individuals have to take precautions to protect themselves.

“These activities are, probably, here to stay,” Tal concludes. “Thus we must be more vigilant even on our day-to-day casual browsing — don’t click on the first search result, and always make sure you won’t click on sponsored links and posts unless you are pretty sure who is behind them!”

Over the last few months, hackers have had to step up their game, finding new targets and developing even harder-to-detect attacks. That’s because defenses have improved.

A new report from Cybersecurity firm Trend Micro found a huge 55% increase in overall threat detections in 2022 and a 242% surge in blocked malicious files, as threat actors indiscriminately targeted consumers and organizations across all sectors.

But the bad guys don’t just accept a drop in “business.” The report illustrates how hackers have adjusted, putting even more people and organizations at risk.

“To combat waning ransomware revenues — a staggering 38% decrease from 2021 to 2022 — active ransomware actors have increased their level of professionalism to ensure higher ransomware payouts,” the report’s authors write. “In the past year, we’ve seen them take a page out of the corporate handbook to diversify, rebrand, and even offer professional services such as technical support, with the goal of keeping their attacks potent.”

Emerging trends

The report identified a number of emerging trends in cyberattacks, including these:

• The top three MITRE ATT&CK techniques show that threat actors are gaining initial access through remote services, then expanding their footprint within the environment through credential dumping to utilize valid accounts.

• An 86% increase in backdoor malware detections reveals threat actors are trying to maintain their presence inside networks for a future attack. 

• The number of critical vulnerabilities doubled in 2022. 

• The Zero Day Initiatives (ZDI) observed an increase in failed patches and confusing advisories.

• Webshells were the top-detected malware of the year, surging 103% on 2021 figures. LockBit and BlackCat were the top ransomware families of 2022.

Hackers are operating like a business

The researchers say ransomware groups rebranded and diversified in a bid to address declining profits. In the future, Trend Micro expects these groups to move into adjacent areas that monetize initial access, such as stock fraud, business email compromise (BEC), money laundering, and cryptocurrency theft.

Jon Clay, vice president of threat intelligence at Trend Micro, says hackers’ attempts to boost their profits pose a threat to everyone.

“A surge in backdoor detections is particularly concerning in showing us their success in making landfall inside networks,” Clay said. “To manage risk effectively across a rapidly expanding attack surface, stretched security teams need a more streamlined, platform-based approach."

This statistic might want to make you throw your computer or smartphone in the trash can but you need to hear it: A frightening 91% of all Americans are between “moderate to extreme risk” of digital crimes.

And if that number didn’t move you, let’s try this one: Federal Trade Commission (FTC) data show consumers lost nearly $8.8 billion to scams in 2022.

According to a new Digital Crime Index from Aura, a firm engaged in intelligent safety for consumers, not only are few of us safe, but some of us are in even great peril.

Aura’s researchers found that demographics that have become extremely susceptible to digital crimes are Black Americans, women, parents, veterans/active-duty military, and members of the Gen-Z generation.

The data show:

•  Compared to those without children, parents carry a bigger financial toll from being a victim of a digital crime -- seeing 15 times greater loss with an average of $24,188 lost per incident. And Aura says the finger needs to be pointed at all those devices parents have around the home. On average, parents have three more devices in their home compared to most Americans.

• Gen-Z faces a significant risk of digital crime compared to other generations surveyed, which rank at high risk. When Gen-Z respondents were asked if they protect themselves from digital crimes, only 52% said yes. Gen-Z’s older sibling Gen-X does the best of the four generations surveyed, with 68% saying they protect themselves digitally.

• Black Americans are five times more likely than White Americans to be at severe risk of a digital crime.

• Even though men statistically have more violent crimes committed against them, Aura found women are at an elevated risk of a digital crime and stand to lose 6 times more financially. Perhaps what is most alarming is the difference between the average loss for a woman who falls victim to a digital crime vs. a man. On average, women lose over $10,000 more than men per crime. Just ask Rebecca…

• One in every two veterans and active-duty service members who have experienced digital crime have been victims of more than one type of digital crime. Most of those were victims of a government data breach, the researchers said.

"There's no question that technology has enabled incredible progress in society and in our individual lives, but by oversharing online and over-trusting our digital interactions we're putting ourselves and our families at extreme risk," said Aura founder & CEO Hari Ravichandran. "In fact, the Index shows that 60% of Americans have already reported being a victim of at least one online crime and that number is growing every day.”

AI could make things worse, too

With all the hoopla surrounding AI – artificial intelligence – that 91% high-water mark could go even higher. In fact, it’s already starting to show its ugly side with more fake job scams starting to emerge.

"Consumers should be aware that as artificial intelligence becomes more sophisticated, it may be used by marketers in ways that put their privacy at risk,” Nicky Watson, founder of Cassie, a pioneer in consent and preference management, told ConsumerAffairs.

She said that AI-powered search engines will be able to gather and share more data about consumers than ever before. And, since no one’s trying to regulate AI, Watson says the prospect of those search engine companies selling large sets of consumer data to other companies could lead to real-world consequences for consumers. 

“For example, imagine a consumer is concerned about a health issue, so they search the issue online and visit websites relating to the condition. If an AI-powered search engine company sells that consumer’s online activity to a health insurance company, data about the consumer could impact the cost of their health insurance premiums,” she suggested.

“Consumers should proceed with caution when using AI tools and they should think about the long-term unintended consequences of how their data could be used against them.”

If you’re headed out for spring break, you’ll likely have some unwelcome company. From its perch, online security provider NordVPN says that from booking platforms to apps, holiday scammers have their suitcases packed and ready to make as many vacationers' lives as miserable as possible.

Marijus Briedis, cybersecurity expert at NordVPN, laid out everything a spring breaker needs to protect themselves and ensure a scam-free time.

Briedis’ first warning starts with anyone who may still be searching for deals on accommodations, airfares, etc. 

“Most of us will have used booking platforms or comparison sites to find our perfect break, but how do you know you’re getting the best price for your vacation?” he asked.

“As well as the time of year, your location and tracking data can also play a role in the type and price of deals you are offered by travel companies. If you are visiting a website you have used before, clear your cookies beforehand and hide your location through your browser’s ‘incognito’ mode to see if it gives you access to better offers.”

While it may be a bit of shameless self-promotion, Briedis did offer one unique advantage of having a VPN, which basically masks who and where an online surfer is -- and could pave the way for a better deal.

“You might even find that using the booking website for a country you’re visiting, by using a VPN, is cheaper than booking from home," he offered. "Our researchers found that for six days’ car hire in Dublin, Ireland, this March the price they were quoted going through Expedia’s Irish site was less than half that for exactly the same rental package through the US site.”

Phishing poles, un-updated apps, and free wi-fi traps

Given their success over the 2022 holidays, scammers are likely to amp up their phishing efforts, too. Briedis said that scammers will be out in force with fake offers designed to target things like a person’s details and bank balances and mimic genuine customer loyalty schemes.

“Check any offer by visiting the company’s website separately and don’t click on any email links or attachments unless you are sure you’re dealing with a legitimate business,” he said.

Other things people should consider strengthening include:

App updates: Hackers constantly watch for vulnerabilities in apps and try to figure out how to make some hay off those holes. Briedis suggests making sure all your apps are up to date before you take off.

Stay off of social media: This may be tough to do, but leaving Facebook, Instagram, Twitter, and any other social media platform you use alone while you’re vacationing could help keep scammers’ curiosity in check. 

“Not only can burglars looking at your feed discover your home is empty, seeing you on real-time social media like Instagram Live can reveal that you’re not around to defend your property. Even those very familiar with online privacy can still give away a stack of personal information through mistimed posts including upcoming travel plans.”

Public wi-fi is loaded with prying eyes: Briedis suggests that whether you’re in an airport or a hotel lobby, try to resist using the free public wi-fi those places may offer.

His reasoning is that free wi-fi is an added opportunity for cybercriminals to access and compromise your security. Not only can criminals set up fake hotspots, but they can also hack into unsecured public routers and monitor your online activity as well as drop some malware onto your device.

If anyone needs proof that cybercriminals leave no stone unturned, all they need to do is check out this claim from MakingUseOf (MUO): Clicking on Google search results could cost you all your passwords!

This new twist on phishing is built around attracting eyeballs to the very top of Google’s search results where Google’s algorithms attempt to reflect the things someone is looking for or a paid placement by a company.

MUO said that these evil-doers might include an excerpt taken from a dictionary or a website, a range of similar questions to your query, two or three ads, and then the actual search results from Google.

And if someone clicks on one of the fabricated links or ads, they’re immediately transported to a brilliantly spoofed website where a hacker will gladly take passwords, personally identifiable information, and other important digital credentials off their hands.

MUO’s David Rutland pointed to Microsoft Outlook as a prime example. He said that if a user was searching for “Outlook help” and clicked on a malicious link, they could easily wind up at what they think is a real Microsoft-driven site where they put in their Outlook username and password to log in.

“The visual style of most of these elements is different enough from the meat of the results that it's easy to scan past them and scroll down,” Rutland wrote. “The adverts, however, are not immediately recognizable. They use the same link color as regular results, and have the same length of summary and selection of site links to URLs within the website.” 

And to an unassuming user, that could spell trouble – particularly for older users.

“Clicking adverts by accident is a familiar and frustrating feeling. It's made worse by the fact that there's a tendency among older computer users to simply type the name of the service they want to use into the search field and then click on the top result, rather than type in the actual URL,” Rutland said.

Google comments

When ConsumerAffairs asked Google to verify MUO’s claims, a spokesperson said it is, indeed, aware of what’s going on, and it’s voluminous – to the tune of blocking over 100 million phishing attempts every day. Nonetheless, the company said it’s doing everything it can to get these hackers out of its – and our – lives.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”

Safety suggestions for consumers

Google said that even though it’s the company’s job to do everything it can to block bad ads on its platform, “sometimes bad actors can temporarily evade our detection.” 

To help consumers prevent being sucked up in this fake ad vortex, Google shared some tips and tools. 

Learn more about the ads you see and the advertisers behind them: Google said that by clicking on the three dots that appear next to an ad, a user can go to My Ad Center which includes basic information about the advertiser, including whether or not they are a verified business. 

When ConsumerAffairs tried out that trick, we have to admit it was pretty impressive. Not only were we shown when the source was first indexed by Google, but also if our connection to the site was secure or not.

It also has a nifty feature where a user can remove a specific search result so it doesn’t pop up in the future.

In the coming months, Google said it will be rolling out additional transparency tools so that searchers can learn even more about the advertisers behind an ad.

Spot malicious behavior and double-check URLs:  Hackers love big brands because if someone is in a hurry to get something fixed or a question answered, they may not take the time to fully inspect the validity of a site’s URL or whether a phone number is real or not. And, being careless can lead to being fleeced by a cybercrook pretending to be one of those big brands.

To get around that issue, Google recently started adding site names to search results and ads on mobile, so users can more easily identify the website that’s associated with each result at a glance.

“You should always be wary if someone is urgently requesting you to do something like send money, provide personal information, or click on a link. Chances are, it could be a scam,” the company said.

Enroll in 2-Step Verification (2SV): Google – as well as Apple and Microsoft – have been working toward a passwordless future, but we’re not there yet, so for now, passwords are here to stay. And that calls for extra precaution.

Google is encouraging everyone to, at minimum, enroll in 2-Step Verification (2SV). Taking that step adds another layer of protection to online accounts by requiring the user to not only enter their password, but an additional piece of information as well. 

“This way, if your password is stolen, a bad actor still needs more information to gain access to your account. And to keep those credentials safe in the first place, we also encourage the use of Google Password Manager,” the company told ConsumerAffairs.

“Google Password Manager will not only create unique passwords that are hard to crack but will also store them all for you so you don’t need to keep that little piece of paper in your drawer you write them all down on.”

It’s been relatively quiet in the hacker world when it comes to major companies, but Valentine’s Day brought an all-out alert from the Cybersecurity and Infrastructure Security Agency (CISA).

It noted that several major software companies and service providers were asking users to update their systems to address vulnerabilities in multiple products and prevent hackers from taking control of an affected device.

CISA informed ConsumerAffairs that attackers are actively attempting to break into products from Apple, Adobe, Microsoft, and Mozilla. According to WindowsReport, several of these are “critical” as far as severity is concerned – such as Adobe Photoshop and Adobe InDesign. 

The following is a list of the affected products and links to the updates for those products:

Apple 

CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:

•   Safari 16.3.1

•   iOS 16.3.1 and iPadOS 16.3.1

•   macOS 13.2.1

Adobe

CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.

• After Effects APSB23-02

• Connect APSB23-05

• FrameMaker APSB23-06

• Bridge APSB23-09

• Photoshop APSB23-11

• InDesign APSB23-12

• Premiere Rush APSB23-14

• Animate APSB23-15

• Substance 3D Stager APSB23-16

Mozilla

Mozilla has released security updates to address vulnerabilities in Firefox 110. 

CISA encourages users and administrators to review Mozilla’s security advisories for Firefox 110 and Firefox ESR 102.8 for more information and apply the necessary updates.

Microsoft

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. CISA encourages users to review Microsoft’s February 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Chances are your home has a few “smart devices,” things like video doorbells or a thermostat you can control with your smartphone. They can make life easier but cybersecurity experts warn that “digital burglars” can use them to virtually burglarize your home.

Steve Grobman, chief technology officer (CTO) at McAfee, points to a recent study by the Florida Institute of Technology that found that the companion apps for several big brand smart devices had security flaws. That's a problem since all of these devices connect to the internet.

“Eight of the 20 apps associated with connected doorbells, locks, security systems, televisions, and cameras they studied…could allow attackers to intercept and modify their traffic,” Grobman told ConsumerAffairs. “This could lead to the theft of login credentials and spying, or it could lead to the compromise of the connected device itself. That’s unsettling, given that we’re talking about things like smart door locks.”

The experts we consulted said smart home devices are like any other device that connects to the internet. They need strong protection.

Start with strong passwords

Lumen Technologies Chief Privacy Officer (CPO) Hugo Teufel, a former CPO at Dept. of Homeland Security, says all of these devices need strong passwords and should have access to regular software updates. 

“The best decision anyone can make? Make sure their smart device’s operating software and apps are updated when that update becomes available,” he told us.

Michael Gibbs, the CEO of Go Cloud Careers, says not all smart devices are created equal when it comes to security. Some are more hackable than others. 

Some of the things that determine a smart device’s strength against a hack include the operating system firmware, and the degree of security integrated into the product. Older devices may be more vulnerable.

“If consumers' devices are hacked many problems can occur, ranging from doors being unlocked, personal information being stolen, and cameras recording peoples’ private lives, to life-threatening problems like fires in ovens and other appliances if they were to be remotely hacked and turned on,” Gibbs said.

What to do

What can consumers do to protect themselves? First, be aware of the potential threat. Then, mount a strong defense.

“Broadly speaking, they involve two things: protecting your devices and protecting the network they’re on,” Grobman said. “These security measures will look familiar, as they follow many of the same measures you can take to protect your computers, tablets, and phones.”

And it should go without saying that consumers should create strong user names and passwords. Most devices will come with default security credentials. If you don’t change them – and many consumers don’t – even a novice hacker can break in.

Since many smart devices can be controlled with a smartphone, Teufel says it’s important to keep the phone’s operating system up to date.

“Using the most current operating system, apps and web browsers help defend your phone and its contents against online threats,” he said.

In addition to smartphones, your home internet network is also a first line of defense. Grobman says you may need to upgrade to a new router if you’re using an older one lacking strong security features. Gibbs agrees that protecting the network is critical.

“If a hacker can get on the network, they can hack these devices,” Gibbs told us. “The best protection is to keep hackers out by using a firewall to protect the network, using strong passwords, patching all systems to protect against security vulnerabilities, and leveraging security software like antivirus and antimalware to protect the systems on the network.”

If you have an iPhone, you can move on for now, but if you have an Android phone, you should pay close attention – particularly if you are a customer of Chase, Citibank, Bank of America, Capital One or Wells Fargo.

There’s a new piece of malware called “Hook” that is being spread through fake banking apps claiming to be from some major bank brands (here’s a complete list of banks).

Once Hook gets on your Android device, hackers can take over and remotely control your phone from anywhere in the world, pulling off normal functions like unlocking the device and taking a screenshot.

The new ‘Hook’ malware is the stuff of nightmares for Android users, boasting the power to pillage mobile files, ransack WhatsApp accounts or even send money from a user’s phone,” Marijus Briedis, a cybersecurity expert at NordVPN, told ConsumerAffairs.

And Hook is one bad dude, too. Briedis said that it’s a cut above most of the weaponry in a hacker’s arsenal. Because it’s so good at what it does, bad actors are paying as much as $7,000 a month to subscribe to the software so they can make some serious bank of their own from the comfort of their basement.

When a hacker subscribes to Hook, they also get access to a special console that uses the same virtual network technology many workers have to access their office computer from home.

“This means your device can be taken over even while you’re holding it,” Briedis said.

How you can stop Hook from getting its claws on your phone

Defending against Hook ruining your life is doable, but you have to pay attention. Briedis said that it’s important for Android users to keep their system software updated regularly – an easy task on most Android smartphones.

All you have to do to check for system updates is go to Settings and if an update is available, there should be a prompt to download and install it.

For those of you who have newer Android phones, system updates should happen automatically. But, for those with older phones, you should be aware that malware loves older operating systems that don’t know how to fend off ilk like Hook.

Briedis’ recommendation for those users is to make sure to only download banking apps from an official marketplace like the Google Play Store and check how often it has been reviewed and downloaded before you install it yourself. 

What state do you think is the most vulnerable when it comes to people’s digital life?

After a year in which the FBI’s Internet Crime Complaint Center received close to 3 million complaints of cyber attacks and malicious cyber activity, Secure Data Recovery polled Americans from all 50 states to find out which residents are most vulnerable to digital threats. What did their analysts discover?

The South rocks, so does R$k35*5ErFhX, and the battle of the sexes is a draw 

On a positive note, the majority of Americans take some steps to protect their devices from hacking. Of those who stay digitally safe, 71% do so by keeping their phone number, email address, and home address off social media. 

People in Kentucky may want to pour themselves a glass of bourbon and toast the fact that the Bluegrass State is the most digitally secure of all 50 – with 54% of Kentuckians checking every permission related to a new app when they download one to their phone, and only 26% of its residents listing their address, email, or phone number on social media.

In fact, Southern states smoked all other regions in the digitally-secure rankings – holding down nine slots in the over-50% range. Louisiana was number two, Tennessee number 5, Mississippi number six, North Carolina number seven, and South Carolina number 10.

If you’re looking for a battle of the sexes, women are more digitally vulnerable than men, overall. However, women get a victory when it comes to backups because they back up their information more frequently than men. Staying with the backup category, just a little more than half of those surveyed back up their devices automatically on a regular basis, and even fewer (39%) keep a copy on the cloud. 

The saddest takeaway is that 79% of Americans leave themselves open to being hacked because they don't use auto-generated passwords, preferring to stay with easy-to-crack things like "Memaw!" which can be hacked inside of 2 seconds. Yes, what we're talking about are the long, multi-character type like “R$k35*5ErFhX” that a good password manager would create.

If you live in the Empire State, sorry, but upon hearing the news, hackers everywhere must be blasting “I Love New York” on their stereos. According to the survey, New York ranks as the most digitally vulnerable. One in three have clicked on suspicious ads, links, or attachments in the past year.

We have our work cut out for us

Yevgeniy Reznik, the Laboratory Operations Manager at Secure Data Recovery Services, said that Americans have five things they need to improve if they want to stay hack-free and digitally secure:

Keep your private information off of social media: That means your email, your phone number, and the address where you live.

Don’t click on anything suspicious: That’s ANYTHING! If you don’t recognize the name, the email address, don’t know why someone is sending you an attachment, or there’s a link in any text message or email from anyone you don’t personally know and trust, keep your hands to yourself.

Install antivirus software on your computer: If your computer gets hit with a virus attack, be prepared to write a check for anywhere from $100-$300 to repair it. Comparatively, dropping $25-$50 a year on antivirus protection seems like a much better investment.

Use unique passwords for each account: That means one for Adobe, another for YouTube, another one for Google, etc.

Keep two or more copies of important information: A backup of your backup? If you’ve ever lost important information to a hard drive crash, you know the pain, so yes, double down.

New research from cybersecurity company NordVPN shows that cyber scammers have their sights on the four in five Americans who might take part in Black Friday/Cyber Monday – or what Nord’s Chief Technology Officer Marijus Briedis called a “honeypot for scammers.”

Their favorite targets are people who’ll gladly exchange some private, personal information in return for a big discount or freebie. As they say, forewarned is forearmed, so let’s get on with what the "baddest of the bunch" is and how you can protect yourself.

“Please to meet you – won’t you guess my name?

Rob Shavell, the CEO of DeleteMe, an online privacy company that removes a person's data from Goolge, and security analysts from RedFlagDeals say that the hottest scam this shopping season might just be the “Fake Seller Scam” which involves scammers quickly producing storefronts in 3rd party marketplaces like Amazon and Walmart where they then:

• List legitimate popular brand name products

• Offer these products at the cheapest price on the platform

• Are algorithmically promoted by Amazon (or other retailers) for their great price

• Support their listings with fake, positive reviews

• Provide fake order tracking details to bide time to scam more people before complaints start pouring in

• Offer one-week free shipping - more time to dupe customers before negative reviews come in

• Present themselves as a real seller by lining their storefronts with hundreds of other products

“When you buy, you either don't receive the product, receive the wrong product, or receive a broken/used/unusable version of the product, with no real means for recourse, refunds, or support from the retailer themself,” Kate Musgrove, director of RedFlagDeals told ConsumerAffairs.

Amazon is doing what it can to throw these bad actors over the cliff, but how can the consumer spot this scam? The big clues and most common factors appear to be:

• A low, low price. Products are typically the cheapest you can find and have anywhere from a 20-80% discount. If you are shocked by the price, then it's a good indicator that you should do some double-checking.

• Is this a real brand? Start by checking the "ships from/sold by" information under the "Buy Buttons", where you will see the brand listed. If the brand listed isn't the brand of the product, a known, popular 3rd-party brand, or Amazon itself, you should do some investigating. Start by clicking on the 3rd party's Amazon Seller Page to see if they seem like a real business. If nothing is listed, the seller's name seems fake and contains long, non-sensible names or strings of random numbers, it could be a sign of a scammer.

• Is this brand established? On the seller's "About Page" (example), you can see recent feedback, the sentiment of that feedback, and how it has trended over time. A good rule of thumb is that if you plan to buy from 3rd party sellers, you want to buy from the ones with positive feedback ratios and who have lots of feedback data going back for more than a year.

How to protect yourself

Shavell says the single thing that a consumer can do to keep away from a fake merchant is to stick to trusted vendors.

“Fraud artists create fake companies promoting high-discount offers during high-volume sales periods; if you’re going to do comparison shopping looking for the best price, do so among retailers with whom you already have accounts and have successfully done business with in the past,” he told ConsumerAffairs.

The second of Shavell's smart moves is to stick to payment methods that have consumer protection features and the ability to execute chargebacks. He said that if consumers use a credit card with limits, it usually provides better security features than mobile payments, or is faster to respond to fraud claims than services like Paypal, which he said can be slow and difficult to document after the fact.

His third piece of advice is to consider using a “card masking service” to protect your account information.

“Particularly when doing business with new vendors, it may be safer to use a one-time payment service that prevents the vendor from retaining your account information beyond the individual transaction, and protects you in the event they experience any data breach,” Shavell concluded.

Common Spirit Health is one of the latest major hospital groups to grapple with cybersecurity issues that not only affect operations but could compromise patient privacy.

In October the hospital system reported it was the victim of a ransomware attack, interrupting operations at the Chicago-based system that operates 140 hospitals and more than 1,500 care sites in 21 states.

The cybersecurity experts we consulted said attacks on hospitals are likely to increase, posing risks to patient privacy.

Matt Mullins, senior security researcher at Cybrary, a cybersecurity training firm, says hospital networks are significantly more vulnerable than standard networks for the simple reason that healthcare has a unique focus compared to other industries. That’s because the data has to always be readily accessible for practitioners.

Not only is it easier for hackers to access that data, Mullins says the data is highly prized information.

“It can be used for blackmail or phishing, and it can be used for fraud,” Mullins told ConsumerAffairs. “This data is more useful in that it is easier to access and it allows for identity theft. Identity theft is much harder to ‘shut down’ than it is to roll a new credit card number or account!”

Valuable data

In a cyber attack, Frank Ricotta, CEO & founder at BurstIQ, a health data management company, says hackers go for patients’ personally identifiable information (PII) and personal health information (PHI) because it’s considered more valuable.

“The value of health data sold on the dark web can get upwards of 500 times more than other personal information such as Social Security numbers or credit cards,” Ricotta told us. “This data can be used to file false medical claims, get prescriptions and medical treatment, and more. And unlike a credit card breach that can be identified and resolved quickly, PII and PHI can be used long after a breach has been detected and used repeatedly.”

Irina Tsukerman, president of  Scarab Rising, Inc., a media and security strategic advisory group, says networks aren’t the only area of hospital technology vulnerable to hackers. That vulnerability poses the risk of more than just compromised data.

“A recent study found that half of internet-connected devices in hospitals are vulnerable to exploitation, with IV pumps - a direct risk to patients - being a particular vulnerability,” Tsukerman said. “The Cynerio report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform. This makes hospital one of the most desirable targets for hackers.”

Hospitals spend less on security

Sanjay Raja, vice president of Product Marketing and Solutions at Gurucul, a security analytics firm, says economic factors also play a role. He says hospitals continue to bear the financial burden of treating COVID-19 patients which reduces other, more profitable services.

“This has led to a shortfall in revenues from other services causing constrained budgets, a lack of resources, and overburdened security teams,” Raja said. “Threat actors have purposefully targeted healthcare providers knowing how overwhelmed IT and security staff already are and how catastrophic ransomware or other disruption can be in the treatment of patients.”

Is there anything hospitals can do to better protect their networks from attack? Raja says perimeter defenses and patches have proved “fairly useless” against a hacker determined to get inside. 

He recommends an accurate and more automated threat detection, investigation, and response solution that provides earlier and more accurate threat detection. 

Mullins says he believes that, up until now, hospitals haven’t approached cybersecurity with enough “seriousness.”

Tsukerman says hospitals need to train all personnel in "best industry" practices in cybersecurity and enforce and reevaluate recommended security protocols, which should include physical maintenance and strengthening of networks.

As part of its review process on products that connect a person’s privacy and security online and with other companies, a new report from the Mozilla Foundation takes aim at apps that it says are “super creepy” when it comes to users’ privacy.

The report focuses its attention on mental health and prayer apps, saying their privacy standards are worse than any other product category.

The foundation’s analysts claim some of those apps routinely share data, permit weak passwords, bombard powerless users with personalized ads, and live off the premise of hazy and unintelligible privacy policies. 

“They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,” said Jen Caltrider, Mozilla’s *Privacy Not Included lead.

“Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

The study looked at 32 mental health and prayer apps and anointed all but four with a *Privacy Not Included warning label and said most were “exceptionally creepy.” One of those 28 offenders is the faith-based app, Pray.com.

The app serves a number of functions, including as a social media platform for religious communities. Churches and other religious organizations use the platform to engage in discussions, Livestream services, and solicit and receive donations.

Individuals using the app may participate in “prayer communities” where users can ask for and answer prayer requests.

It sounds innocent enough but the question may arise over how this highly personal data is handled. ThreatPost reported that in late 2020, data from Pray.com leaked private data for up to 10 million people.

Included in that data leak were lists of a church’s attendees containing information for each churchgoer such as names, home and email addresses, phone numbers, and marital status. In addition, ThreatPost reported that the information exposed in a public cloud bucket also included church-donation information, photos, and users’ contact lists

Pray for your privacy

On a recent Freakonomics Radio podcast, author Stephen Dubner investigated the landscape of faith-based apps, of which Pray.com is only a part. Dubner expressed concern that these apps were sharing user data with Facebook. The Mozilla Foundation report said that is a real concern.

“If you use Pray.com, you'd better pray for your privacy. Because Pray.com is absolutely awful when it comes to their users' privacy and security,” the Mozilla analysts wrote. 

The primary stress point for the analysts was the figurative ton of personal information that’s spun into an asset and a healthy revenue stream. 

“Pray.com then says they can use all this data to target you with ads, share with third parties to target you with ads and share with other ‘faith-based organizations’ so they can target you too,” the report said.

“We don't mean to be, well, mean, but Pray.com really feels like it might be a data harvesting business targeting Christians for purposes that go way way way beyond helping them on their prayer journey. … It all feels kinda icky to us.” 

Mozilla Foundation’s advice? “Find another prayer app.”

ConsumerAffairs reached out to Pray.com and Facebook for comment but did not receive answers to the questions we posed regarding privacy policies, personal data that is being shared, and for what purposes personal data is shared.

Whatever the app, you still need to be careful

Are there prayer apps that the Foundation spared from being labeled “*Privacy Not Included”? Yes, one. Among those listed, the only one ConsumerAffairs found that met that criteria and readers did not qualify as “Super Creepy” was the “Hallow” app.

To Hallow’s credit, the researchers said the company was the only one who replied to all its questions and even updated its password requirement to require users to log in with a strong password when the Foundation noted that the app allowed the use of a relatively weak password like “11111.”

Alongside Pray.com, others in the category not meeting the criteria by both researchers and readers were the King James Bible Daily Verse and Audio and Abide. There was one app – Glorify – that was a split decision. Foundation researchers gave it a thumbs-up, but readers pegged it as “Super Creepy.”

So, what’s someone who wants to engage with a prayer app to do? If you do decide to find another, be careful, Harold Li, vice president at ExpressVPN, told ConsumerAffairs. 

“This is not the first time that faith-based apps are caught sharing data with third parties. Last year, ExpressVPN conducted extensive research on location trackers embedded in 450 social, messaging, and faith-based apps to measure the extent to which they intrude on location privacy for individuals around the world,” Li said, highlighting the fact that those investigated apps were downloaded by users 1.7 billion times in total.

The reports of phishing attacks over the holidays are starting to grow. The new wrinkle for hackers it seems is the use of artificial intelligence (AI) to improve a hacker’s ability to gather information and target a specific victim. 

Most of those targeted victims are online shoppers who hackers have discovered have gotten lackadaisical in what they click on and are clicking wily-nily on anything and everything. That’s especially true in emails.

Cybercreeps are sending out offers by the ton, bombarding users' inboxes with links to deep discounts knowing that there are enough people who’ll click on links and hand over credentials.  

“E-shopping continues to be a prime target because people are pre-programmed to click on links," Phishfirewall CEO, Joshua Crumbaugh told ConsumerAffairs. "Online deals bombard users' inboxes with links to deep discounts, and this adds fuel to the fire, creating the perfect scenario to get people to click on links and hand over credentials.

“With scams getting increasingly sophisticated, it's hard to say precisely what tactics the bad guys will use, but they are only after just a few things: Stealing your account credentials, your identity/financial information, or infecting your computer with malware/ransomware.”

A new PlayStation 5 or Dyson product on your wishlist?

Crumbaugh said that his company found that phishing attacks centered on hot but scarce items, and using those as bait are paying off for hackers.

“Fake discounts on hard-to-find items such as PS5's and Dyson hair products with the goal of stealing credentials are growing," he said. "We’ve also seen fake purchase alerts that attempt to infect your computer with ransomware and fake Amazon security alerts with the intent to steal your credentials.”

How to keep the phishers away

If you think that it’s Google’s or Microsoft's or Apple’s job to keep phishing emails out of your inbox, you might want to reconsider thinking that.

Yes, Gmail or Hotmail or Apple iCloud Mail try to keep phishing emails from getting in with their email spam filters, but scammers are cunning enough to find ways around those filters.

The Federal Trade Commission (FTC) warns consumers that it would be wise to add extra layers of protection to protect themselves from phishing attacks.

One of the agency's strongest suggestion is to protect your cell phone by setting software to update automatically. These updates could give you critical protection against security threats.

Here's how to do that on an iPhone and how to do it on an Android device. ​

And that password of yours? How long do you think it would take a hacker to crack it?

Another smart move is getting a password manager. Because if you do...

1. It allows you to use harder-to-crack passwords. (If you want to see how weak or strong your password is, check it here)
2. You don’t have to remember all of them. 
3. Plus -- and it's huge plus -- you can have a different password for every site.

That last point is a move that Dustin Heywood, a password specialist at IBM X-Force Red, says maximizes a person's password security.

"The reason passwords should not be the same between sites is that systems get breached, and then attackers [can] reuse passwords or even get passwords out of plaintext through phishing," Heywood told ConsumerAffairs. "This makes a password manager critical."

Several more major corporations have agreed to class action settlements, handing out millions of dollars. But affected consumers have no time to waste as the deadlines for filing a claim expire this month.

For starters, Humana has agreed to settle a lawsuit brought over its 2020 data breach. Settlement documents did not disclose how much the health benefits provider has agreed to pay. It affects those who were notified by Humana that their personal health information was compromised when hackers broke into the company’s network.

Hackers got access to sensitive health information as well as personal identifying information, such as Social Security Numbers. The deadline for filing a claim is Nov. 15.

Two Geico settlements

Geico is settling two class actions this month. In the first, the auto insurance company is paying $19.1 million to resolve claims that it did not pay sales tax and other fees when paying California customers who suffered a total loss.

The settlement covers California policyholders who did not get compensated for the tax and fees for total loss claims submitted between June 27, 2015, and Aug. 27, 2020. The deadline to file a claim in the settlement is Nov. 11. 

Geico has also agreed to pay an undisclosed amount to resolve a class action suit that it underpaid healthcare providers in Florida for treating covered patients. That claim deadline is Nov. 28.

Consumers who purchased the drug Remicade (infliximab) between April 5, 2016, and Feb. 28, 2022 may be eligible for a cash settlement from Johnson & Johnson and its subsidiary Janssen. The companies have agreed to a combined $25 million payment to settle claims they violated antitrust laws by suppressing generic competitors.

The suit claimed that action resulted in higher prices for Remicade, a prescription medication to treat Chrone’s disease. To be eligible for compensation, consumers must submit claim forms by Nov. 30.

Baby formula misinformation

Amidst an ongoing baby formula shortage, PBM Nutritionals has agreed pay $2 million to settle a class action lawsuit that claimed the company’s baby formula product doesn’t produce the advertised number of servings.

Consumers who purchased Well Beginnings, Meijer Baby, Little Journey, Wesley Farms, Burt’s Bees Baby, Berkley Jensen, Parent’s Choice, Earth’s Best Organic, Comforts, Up & Up, Babies “R” Us, Member’s Mark or Bobbie Baby brand baby formula between Jan. 1, 2017, and July 21, 2022 may be eligible for compensation.

Claims in that case must be filed by Nov. 30.

In ConsumerAffairs latest round-up of class action settlement announcements, we found another pile of cash that companies are paying consumers to settle claims brought against them in a variety of class action lawsuits. 

At TopClassActions, we found all the details of the settlement and how to apply. 

General Electric (GE): In early 2020, GE confessed that its current and former employees may have had their information stolen through a data breach of one of GE’s providers. The breach reportedly compromised sensitive information such as names, addresses, Social Security numbers, driver’s license information, bank account numbers, passport data, and birth dates.

As the terms of the settlement are spelled out, class members can receive reimbursement for lost time and out-of-pocket expenses. Depending on the time lost, money spent on things like credit freezes, etc., compensation could range from $18 to $3,500.

Applicants have until Dec 22, 2022 to file. Full details and enrollment are available on this website.

Toyota/Lexus: If you’re one of the nearly 3 million former or current Toyota or Lexus owners whose vehicle was recalled due to a faulty Denso fuel pump, the parties have reached a settlement and are ready for those affected by the situation to file for damages.

Under the terms of the settlement, class members can receive reimbursement for out-of-pocket repairs, an extended warranty, a customer support program, and loaner/towing coverage.

The only box left to check is the one for final approval on the settlement and that’s scheduled for Dec. 14, 2022. Then, the deadline to seek reimbursement is 90 days after the final judgment, estimated to be March 14, 2023. 

To find out more about the settlement and application process, go to this website or phone 1-833-512-2318.

Automotive Parts that affected a variety of cars: The latest round of settlement distributions that’s part of a massive $1.2 billion settlement resolving antitrust allegations is ready to go.

The settlement will benefit lots of consumers – everyone from A to V (Acura owners to Volvo owners_ – who purchased or leased certain new vehicles in the U.S. between 2002 and 2018 – or who paid to replace one or more qualifying vehicle parts (many of them being electric or hydraulic braking systems). A full list of eligible vehicles and applicable time periods can be found on the settlement website.

Smashburger: Smashburger fans should check out the sizzle the chain has agreed to in settling claims that it falsely advertised its hamburgers as containing “double the beef.” And the good thing is that consumers do not need proof of purchase to benefit from the settlement.

The settlement benefits consumers who purchased Triple Double hamburgers, Bacon Triple Double hamburgers, French Onion Triple Double hamburgers and/or Pub Triple Double hamburgers from Smashburger anytime between July 1, 2017, and May 31, 2019.

It’s not like class members will get a giant windfall like burgers for life, but they will receive a $4 cash payment per purchased product for a maximum payment of up to $20 per household. If they’d rather get a voucher instead, the people who opt into vouchers will receive up to 10 vouchers with each voucher having a $2 cash value. 

Go here to find out more about the settlement and to apply as a class member. Applicants have until late January 2023 to get their application in.

Anyone who is doing their holiday shopping early, heads up! Two new studies show there may be trouble on the way.

One says that one in seven experience package theft; another says that shipping scams are mounting up, adding another layer of woe.

In C+R Research’s latest annual package theft report, more than a quarter of Americans said they’re concerned that they could lose their gifts to porch pirates. And those thefts can be costly, too, with the average value of stolen packages ringing up at $112.30.

Where you live apparently matters to thieves. According to C+R, thieves may be zip code snobs. The researchers said that about half (49%) of those who’ve had a package stolen live in the suburbs, 39% are city dwellers, and 12% live in rural areas.

Delivery services are on alert, too

Unfortunately for delivery services, they’ve got two problems. One is that nearly half of those surveyed don’t think retailers and delivery companies do enough to prevent package theft. The other is that scammers seem to be loving delivery scams like there’s no tomorrow.

According to its latest Brand Phishing Report, Check Point Research (CPR) says hackers are imitating one major shipper and one major retailer in attempts to lure people into giving up personal data. 

DHL places at the top of the list for most impersonated, accounting for 22% of all phishing attempts worldwide. DHL also has a make-believe affiliate named “BHL” that some scammers are using to leverage cybertheft, too.

Another major firm scammers are impersonating is Walmart, which has 5% of all phishing attacks globally.

How consumers can protect themselves and their packages

To beat porch pirates at their game the C+R researchers said there are several things consumers can do to protect their online purchases.

“If you know a package is expected to be delivered – be diligent in collecting it as soon as possible to lessen the opportunity for porch pirates to steal it,” the researchers suggested.

“That's why most people (60%) keep a close eye on delivery tracking, and 43% sign up for delivery alerts.”

Some consumers stay home when they know a package is on the way, but not everyone can afford to do that. In those situations, the researchers suggest more preventative measures, such as installing a doorbell camera, sending the package to their workplace or a relative’s home, or opting to pick up their online order in the store.

When it comes to packages being delivered, many – if not most – consumers simply don’t know if DHL, UPS, the Postal Service, Amazon, or FedEX is in charge of the delivery.

“DHL is the brand most likely to be imitated, it’s crucial that anyone expecting a delivery goes straight to the official website to check progress and/or notifications,” Omer Dembinsky, Data Research Group Manager at Check Point said in an email to ConsumerAffairs. 

“Do not trust any emails, particularly those asking for information to be shared. In [the latest quarterly analysis], we saw a dramatic reduction in the number of phishing attempts related to LinkedIn, which reminds us that cybercriminals will often switch their tactics to increase their chances of success.”

If your phone is acting a little sluggish, it may be because spyware has wormed its way into your phone’s system -- tracking every click you make, every step you take, and anything and everything you do. And the situation could get worse before it gets better, too. 

Like the rest of the world, malware took 2020 off, but now it’s back with a vengeance. In 2021, Malwarebytes detected 77% more malicious software than in 2020. The study said that malware threats made on consumers last year eclipsed 150 million. 

Consumers have their work cut out for them

Before you go pointing fingers at Google or Apple or your carrier, they’re doing all they can. For its part, Apple unleashed Lockdown Mode to protect iPhone owners.

Google’s been busy protecting its Play Store from Potentially Harmful Applications (PHAs), too. It’s gotten the number of PHAs down to less than 1% of the total apps installed, but spyware accounts for 48% of those. 

Still, when you look at how many apps installed from Google Play, that sub-1% still adds up to the possibility that hundreds of millions of spyware-laden apps are winding up on people’s phones.

How do you know if spyware is on your phone? Cybersecurity experts from VPNOverview have collected the top five warning signs that could indicate that hackers are using your phone to spy on you. The study also details how you can prevent and remove spyware that hackers may have installed onto your phone.  

The Top 5 signs you’re being spied on

1. Slow performance 

The number one indication that spyware is on your phone is that your device is constantly slow – slow because it’s running rampant in the background uploading your personal data, your photos, your documents, and other files to an external server.

The VPNOverview experts say you can make sure this isn’t happening by checking your phone for any unfamiliar apps and scanning any hidden apps using an antivirus program. If you find an app that seems suspicious, deleting it may improve the performance of your device.

“Whilst some spyware is hidden by hackers, some spyware programs will appear amongst your apps," the VPNConnect cybersecurity team told ConsumerAffairs.

"These apps may show up as parental control apps intended to be used to monitor a child’s cyber safety, however, they could have been installed by a jealous ex-partner to spy on you," 

What are some apps that you should look for? The analysts singled out these: mSpy, Spyera, Flexispy, Umobix, Ikey Monitor, and Clevguard.

2. Random reboots 

Another tell-tale sign that spyware is on the loose is that your phone reboots without your authorization or because it overheated or is doing a typical system update. 

“This can indicate that someone has remote, administrator-level access to your phone. The hacker can do whatever they want with your device if this is the case,” VPNConnect analysts said. “To rule out the presence of spyware, you can update your phone’s operating system, and delete any malfunctioning apps. If neither of these solutions solves the random reboots, you may have spyware on your phone.”

3. Strange text messages 

With robocalls being throttled thanks to new rules from the Federal Communications Commission (FCC), smishing has taken its place and, with that, hackers are employing text messages to take a screenshot, detect your location or even gain control of your phone. 

“You should be not only vigilant of incoming texts but also outgoing texts as a hacker can send text messages from your phone to communicate with their own server," VPNConnect warned. 

"Any message that looks unfamiliar, sounds like gibberish, or appears outright strange should be ignored. This is especially the case for unfamiliar texts containing links; these links can allow a hacker access to your phone if clicked on.” 

4. Overheating 

Summer is pretty much gone so a phone being overheated naturally from the elements should be dwindling. However, if your phone is still overheating, it’s possible that the heat is coming from a malicious app running in the background, especially if the overheating occurs when the phone is on standby. 

How can you make sure if it’s spyware or not? First, make sure that your phone doesn’t have a hardware issue or check that the apps you have installed are not large resource consumers.

To do that, the VPNConnect folks suggest going into your phone’s settings and checking your app list to see which apps use the most resources (apps are usually presented in order of most resource use, by the way).

“Some apps will have legitimate reasons for taking up energy on your phone, but any that use more than they should (may) be the culprit and should be deleted,” the analysts said.

5. Unusually high data usage 

If you’re not a big data hog – like watching a ton of videos – but still see your data usage higher than you think it should be, it may be a cause for concern. 

“A hacker’s primary goal is to harvest your data, to sell it to the black market, or use it to blackmail you. To gather this information, a hacker will remotely access your phone and transfer your files to their server, which requires data usage on your end,” VPNConnect privacy pros said.

“Therefore, if your cellular data usage seems unusually high, this could indicate that something suspicious is going on with your phone. It is a good idea to keep track of your monthly data use to identify any unexpected spikes.”

Samsung reports that it’s suffered another data breach – its second this year and one that exposed the names of customers and their demographic information like birth dates.

On Friday, the company announced that the breach happened in late July when an unauthorized third party acquired information from some of Samsung’s U.S. systems. When the company completed its investigation the first week of August, the probe revealed that personal information of certain customers was affected. 

“We have taken actions to secure the affected systems, and have engaged a leading outside cybersecurity firm and are coordinating with law enforcement,” the company said in its notice to customers about the incident.

Should you be worried?

ConsumerAffairs reached out to Samsung asking how many personal information records were involved but the company didn’t offer an answer in its response. Still, with nearly a billion consumers worldwide using a Samsung phone and another billion with a Samsung TV, the situation could be concerning for a great number of consumers.

MakeUseOf’s David Rutland says that on top of what Samsung “officially” revealed as to what data was exposed, contact details “likely” include home address, phone number, and email. Rutland thinks that it could go even deeper because the additional information Sansung collects during product registration includes gender, geolocation data, Samsung Account profile ID, username, and more. 

“Even just your email address can be valuable to criminals,” he said. “Samsung's half-hearted reassurance may console some customers that the criminals aren't using their credit card details to, for instance, buy untraceable cryptocurrency. However, the amount of information which the company admits may have been taken is staggering, and not something so easily passed off as immaterial.”

Steps that should be taken

Some cybersecurity experts warn the world has reached a dangerous crossroads where companies want as much personal data as they can amass and cybercriminals want as much as they can steal. 

In an email to ConsumerAffairs, Scamicide's Steven Weisman says that the lesson every consumer needs to learn is to limit just how much private information they give to companies when they sign up for an account or register a product.

“For example, your doctor doesn't need your Social Security number for his or her records,” Weisman said.  

Until this issue is resolved completely, anyone who has any sort of Samsung device might be wise to freeze their credit at the major credit reporting agencies – Experian, Equifax, and TransUnion. If whoever laid hands on the Samsung data wants to try and leverage someone’s personal information, they’ll be blocked from credit-related records. If freezing your credit report sounds like a hassle, it’s really not. 

“This is offered through all three major credit bureaus and certain software and can conveniently be switched on and off in order to allow approved third-parties to access reports when needed,” Hari Ravichandran, founder and CEO at Aura, an online privacy safety service, told ConsumerAffairs in the recent “Pandemic to Scamdemic” report.

“If you suspect that your personal information has been compromised in a data breach or otherwise, seriously consider freezing your credit in order to prevent bad actors from opening accounts or taking out loans in your name,” Ravichandran said.

The Federal Trade Commission (FTC) has served notice that there are limits to how far a person can be tracked. In a new lawsuit against data broker Kochava Inc. the agency claims that Kochava sold geolocation data from “hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” 

And sensitive it is. The FTC said that Kochava’s data has the potential to reveal everything from someone’s visit to reproductive health clinics to places of worship, and even deeply personal facilities like homeless and domestic violence shelters, and addiction recovery locations. 

By selling data that tracks people, the FTC considers that Kochava is enabling others to identify individuals and exposing them to threats of stigma, stalking, discrimination, job loss, and even physical violence. 

“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”

The FTC’s lawsuit seeks to halt Kochava’s sale of sensitive geolocation data and require the company to delete the sensitive geolocation information it has collected. 

While Kochava may not be a household name, it’s a considerable force when it comes to data. The company claims it has more than 4,500 “partner integrations” and its clients are a who’s who of consumer-focused companies including Airbnb, Kroger, McDonald’s, Disney, John Hancock, Chick-fil-A, and CBS.

ConsumerAffairs reached out to Kochava, but did not receive an immediate response.

FTC wants this type of collection stopped now

The Kochava lawsuit may be the tip of the iceberg when it comes to data collection. The FTC’s not showing its hand, but recently it went on record as saying that almost everything a consumer touches and places they go can be collected. 

“Smartphones, connected cars, wearable fitness trackers, ‘smart home’ products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users,” the agency said. 

“These data points may pose an incalculable risk to personal privacy. Now consider the unprecedented intrusion when these connected devices and technology companies collect that data, combine it, and sell or monetize it. This isn’t the stuff of dystopian fiction. It’s a question consumers are asking right now.”

How people can minimize their exposure to location tracking

Location tracking is important to not just Kochava, but lots of agencies that collect data and then offer it to advertisers and vendors who want to provide a better user experience or feed information that might be of more interest to the user, says Jon Clay, vice president of Threat Intelligence at Trend Micro. 

“While this may be a good thing as it delivers relevant information to the user as they change locations or visit areas where they've never been before, there is a potential for this to be abused by malicious actors,” Clay told ConsumerAffairs. “From scammers to criminals to worse, if this data gets into the wrong hands, these people could target the user."

Clay says that where the question of risk comes up is the crossroads of whether the benefits outweigh the potential harm that could occur.

“The FTC suing an organization that sells this data to others is a potential game changer as it should cause other data processors to rethink their business practices and ability to secure their customer data,” he said.

If consumers are lucky, Clay said that they’re likely to see regulations start to be created that help consumers be more in charge of their data instead of "the opposite as it is now.” Until then, what can someone do? Clay offered these suggestions on how people can help manage their data now:

• Turn off location tracking on your mobile devices. On an iPhone, go to Settings > Privacy, then select Location Services. Select an app, then turn Precise Location on or off. On an Android device, open your phone's Settings app. Under "Personal," tap Location access. At the top of the screen, turn Access to my location on or off.

• Look to use browsers that don't gather your data or limit what your browser can track

• Opt out of ad tracking and opt out of ads altogether. Here’s one way to do that.

• Control what permissions you give apps on your mobile devices. Here’s how to do that on an Android device and how to do it on an Apple device.

• Install a modern security app that can detect scams or threats in email, texts, and voice. Clay said his company's free Trend Micro Check tool can do that, as well as identify fraud and misinformation.

• Regularly check your online accounts for suspicious activity. 

While vigilance with cybersecurity is always of the utmost importance for consumers, experts are now urging Apple users to update their devices to run the latest version of the operating systems. This includes iPhone model 6S and later, iPod touch 7th generation, iPad Air 2 and later, iPad 5th generation and later, all of the iPad Pros, and the iPad mini 4 and later. 

The company released security updates for the devices last week after discovering that they may be susceptible to two different security flaws that could be abused by hackers. One vulnerability was to the kernel, which is the hub of Apple’s operating systems, and the other was to WebKit, which works to run several apps, including Safari. 

The biggest risk is a hacker fully invading the device. Security experts explained that because these security flaws are based in the operating systems of the devices, it makes it easy for hackers to access users’ personal data. Additionally, because there are two vulnerabilities, it makes it easier for hackers to bypass different security measures and get into a device. 

Though many Apple devices are set to update automatically, the updates aren’t always completed immediately, and may not begin until a device is plugged in. This makes it all the more important for consumers to check for software updates and manually update their devices to the latest operating software as soon as possible. 

Another Mac security flaw

This news comes on the heels of another recent story about vulnerabilities many Mac users were facing with the Zoom app. 

Patrick Wardle, founder of the nonprofit organization Objective-See, discovered a flaw in Zoom’s automatic update tool that could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Similar to this most recent notice to update Apple devices, Mac users specifically were encouraged to update Zoom to its most recent version to protect themselves from hackers.

Zoom rapidly gained popularity during the COVID-19 pandemic as more consumers shifted to remote work. However, users have faced several security and privacy issues over the years in connection to the service. Now, one researcher says a new bug is putting Mac users at risk. 

Patrick Wardle, founder of the nonprofit organization Objective-See, stated at a recent DefCon event that a flaw in Zoom’s automatic update tool could allow hackers to infiltrate Mac computers. He explained that when this tool runs an update, it looks for a signing certificate – or a unique digital verification code – that matches Zoom. 

Since automatic updates do not require a password to be installed, Wardle says hackers could create packages that mimic Zoom’s signing certificate to install malicious files or programs onto users’ Macs. This could allow them to completely take over the device to delete files, steal passwords, or alter documents. 

Get the latest version of Zoom

Wardle initially told Zoom about his findings back in December, which prompted the company to create a fix for the issue. Unfortunately, that fix reportedly included a bug that still allowed the automatic updater vulnerability to be effective. 

Following Wardle’s DefCon presentation, Zoom issued a new patch under update 5.11.5 (9788). Mac users should download this update immediately to protect themselves from hackers.

Twitter has confirmed that 5.4 million accounts were plundered in a recent data breach, with the hackers hauling away personal data such as physical locations, profile photos, email addresses, and phone numbers associated with those account profiles. 

The hackers are already trying to make money off their theft. Bleeping Computer reports that the data the hackers tapped into is being offered for close to $30,000. Two different threat actors reportedly purchased the data for less than the original selling price, and all that information will likely be released for free in the future.

The attack came about as the result of a zero-day exploit – a maneuver in which hackers target a software vulnerability that software vendors or antivirus vendors are not aware of at launch. AndroidPolice reports that the Twitter hackers used a vulnerability that allowed anyone to query a phone number or email to check on an active Twitter account and then obtain the account information. 

Twitter responds

When it comes to zero-day exploits, Twitter is not alone. Over the last few years, Google, Apple, and Microsoft have all been hit by them. After being fined $150 million for failing to protect consumer data already this year, Twitter is trying its best to get ahead of this situation. The company said it deeply regrets the situation and fully understands the risk this poses to its users.

While the social media company is powerless to fix this current situation, it does have some recommendations that users can use to protect their personal data in the future. The first thing it suggests is making sure a Twitter account does not have a publicly known phone number or email address attached to it.

Even though passwords weren’t stolen, Twitter also strongly suggests enabling two-factor authentication by using authentication apps or hardware security keys. This can help protect a user's account if someone does steal their password.

The company says it’s also offering users access to its Office of Data Protection, where they can inquire about the safety of their account or ask questions about how it protects their personal information. Anyone who is interested in gaining access to that information can contact Twitter through this form.

The safety of Virtual Private Networks (VPN) – which are internet tools that prevent users from being tracked or interfered with – has come under scrutiny from two members of Congress.

In a letter to Federal Trade Commission (FTC) Chair Lina Khan, Congresswoman Anna Eshoo (D-CA) and Senator Ron Wyden (D-OR) are trying to persuade the agency to address deceptive practices in the VPN industry. Specifically, they point to VPN practices related to people attempting to mask their digital fingerprints in the wake of the Supreme Court’s decision to overturn Roe v. Wade.

In their letter, Eshoo and Wyden said some VPN providers are not only making false and misleading claims about their services, but they are also negating their promise of anonymity by selling personal data and providing user activity logs to law enforcement.

Consumers should do their VPN homework

To show that VPN providers are being less-than-honorable in their pitches to consumers, the lawmakers cited a study that found 75% of leading VPN providers misrepresented their products and technology or made exaggerated claims about the protection they provide users.

“It’s extremely difficult for someone to decipher which VPN service to trust, especially for those in crisis situations,” Eshoo and Wyden wrote. “There are hundreds, if not thousands, of VPN services available to download, yet there is a lack of practical tools or independent research to audit VPN providers’ security claims.”

The lawmakers urge consumers not to jump into a VPN subscription without researching the services first. Reports indicate that two out of three free VPN users have experienced technical issues on their networks. In some cases, VPN providers have claimed that they have a right to share users' data with a wide array of third parties.

“The Password manager privacy policy, as written and provided at install, reads in such a way that no one in their right mind would use Kaspersky software,” Brian of Semans, Saskatchewan, claimed in a ConsumerAffairs review of Kaspersky Anti-Virus. “Their policy states they wish to have the right to share users' private info with anyone including third world countries... This is security?”

After more than a century and a half, Lincoln College in Illinois is no more. Over the course of its history, it was able to stave off the Great Depression, the Spanish flu, and a couple of World Wars, but the wrath of COVID-19 and a cyberattack that hindered access to all of the college’s data proved to be too much for the predominantly Black college.

“Lincoln College has been serving students from across the globe for more than 157 years,” said David Gerlach, president of Lincoln College. “The loss of history, careers, and a community of students and alumni is immense.”

Gerlach said things were looking good up until 2019, with enrollment at Lincoln at an all-time high. But when the coronavirus hit town, recruitment, fundraising, athletics, and campus life was brought to their knees.

Added to the economic burdens brought about by the pandemic that required significant investments in technology and campus safety measures, many students decided to put college on the back burner. That put an even greater crunch on the school’s finances. Supporters of the school tried their hand at a GoFundMe campaign in hopes of raising $20 million, but the effort barely raised $2,000.

Cyberattack delivers knockout punch

The knockout punch for Lincoln came in the form of a cyberattack from Iran in December 2021, one that held the college’s computer systems hostage and made all systems required for recruitment, retention, and fundraising efforts inoperable.

By the time the school paid the ransom and got everything restored four months later, the recruitment projections showed significant enrollment shortfalls that required a transformational donation or partnership to sustain Lincoln College beyond the current semester.

“The cyberattack was just another kick in the shin,” for the struggling college, Gerlach told Forbes. 

We’re likely to hear about cyberattacks and colleges again. Cybercriminals have come to love targeting colleges and universities because, by and large, they just don’t have the cyber defenses to stave off ransomware attacks. So far this year, North Carolina A&T State University, North Orange County Community College District, the Ohlone Community College District in California, and Midland University in Nebraska have also reported ransomware attacks.

Ransomware attacks like these cost colleges an average of $112,000 in ransom payments. But that ransom payment is just a drop in the bucket compared to the total cost of resolving the attack, which averages about $2.7 million per incident, according to Chester Wisniewski, a principal research scientist at security software and hardware company Sophos.

“The average cost to an organization in the private sector was $1.8 million U.S. dollars after a ransom attack,” Wisniewski told Forbes. “So it was almost a million dollars higher cost for educational institutions to recover versus a normal private sector organization.”

Android users around the world are facing the threat of being attacked after a security issue was uncovered that leaves a device’s microphone and camera vulnerable to remote access.

Writing about its discovery, Check Point Software Technologies said hackers could leverage the vulnerability to snoop on users' audio/video media and even listen in on phone calls.

The phones that are most prone to danger are ones that have Qualcomm or MediaTek chips. Unfortunately, 98% of Android devices are powered by those two processors, so the impact could be enormous.

Closing the vulnerability

The Check Point researchers stated that they disclosed their findings to both chipmakers, and each company has apparently patched the security issue. However, anyone who has an Android device will need to update their system software to keep their device secure.

Failing to apply the update could be especially dangerous since all it would take is for a hacker to send someone a doctored audio file to compromise their device.

"The...issues our researchers found could be used by an attacker for remote code execution attack (RCE) on a mobile device through a malformed audio file," the researchers explained. "RCE attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.

"In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations."

The “the bigger they are, the harder they fall” axiom couldn’t be more accurate. Google has announced that the 3.2 billion people who use its Chrome browser have been left vulnerable following a series of new hacks aimed at dismantling Chrome. And no one – not Mac users, not PC users, not Linux users – are safe. 

Google confirmed the hacks on its company blog, saying that nine of the 11 hacks that were discovered pose a "high level threat." The company said it’s working on a patch to close off the vulnerabilities.

What should Chrome users do?

To guard against the latest hacks, Forbes reports that Google released the Chrome 100.0.4896.88 update. Nonetheless, some patience will evidently be required. Google said the update will not be made available to everyone all at once. Instead, it will "roll out over the coming days/weeks." 

To manually check for the update, click the three dots in the top right corner of the Chrome browser and navigate to Settings > Help > About Google Chrome. An option to update your browser will be there if it is available.

For those who don't want to move away from the Chrome browser, using Enhanced Safe Browsing mode may be a viable option to keep your web surfing more secure.

More websites and business organizations are requiring two-step authentication for access as a way to increase security. Security experts say requiring a second step is highly effective at blocking intrusions, just as adding a deadbolt lock to a door is more likely to deter burglars.

Even though hackers have recently set their sights on large organizations, that doesn’t mean consumers are in the clear. Scammers are still looking for ways to take over people’s online accounts.

If your account is only protected by a username and password, you could be vulnerable, says Dominic Chorafakis, a cybersecurity expert at Akouto. Millions of usernames and passwords have been stolen in massive data breaches so a hacker can easily access the account by purchasing the username and password on the dark web.

‘Something-you-have’

The hacker’s task gets more difficult when the consumer is employing two-factor authentication. Chorafakis calls this the “something you know” authentication method.

“Two-factor authentication requires two different types of information to be used by the authentication process, something-you-know and something-you-have,” Chorafakis told ConsumerAffairs. “The something-you-know factor is usually the familiar username and password combination. The something-you-have factor can be many different things, the most common being your mobile phone.”

After entering the username and password, a one-time code is sent via text to the mobile number registered with the account. Even if a hacker has your username and password, they can’t access the account because they don’t have your smartphone. It’s a way to significantly increase security, but it isn’t foolproof.

“Unfortunately, hackers have found ways around this,” Chorafakis said. “One of the most common techniques is to trick people into installing mobile apps disguised as games that are actually malware able to steal login information including one-time-passwords. If you unknowingly install one of these malicious apps and then use your mobile phone to log into a service, hackers can get all the information they need to take over your account.”

Security keys offer more protection

The point is to be very careful and selective about the apps you install on your smartphone, even if they appear to be legitimate. To add an even higher level of security, some people are using hardware security keys instead of their smartphones. 

“These are physical USB sticks that plug into your computer and act as the second factor of something-you-have,” Chortafakis said. “You can think of them as physical keys that you need to insert into a lock, in addition to providing your username and password, to gain access to your accounts.”

Many large tech companies have made these hardware keys a routine part of security. Chortafakis says companies that have taken this additional step for their employee logins have virtually eliminated account breaches caused by password theft.

Okta, an authentication services provider, announced that it has suffered a data breach. The company told Reuters that hackers have already gone as far as posting screenshots of parts of Okta’s internal company environment.

If the hack is real, the snowball effect could be large. Okta claims to serve more than 15,000 brands by securing their digital interactions with consumers and employees. T-Mobile, Albertson’s, FedEx, Sonos, and Nasdaq are all clients of the company -- and those companies are potentially loaded with a cornucopia of personal data.

The hackers appear to be from a group called Lapsus$ – the same extortion group that took responsibility for the Samsung Galaxy breach earlier this month. The group claims that it has had “Superuser/Admin” access to Okta’s systems for more than a month; however, the hackers said their focus was “only on Okta customers.”

In a statement, Chris Hollis, a Senior Manager of Security and Crisis Communications at Okta, said the breach might be related to a previous incident in January that the company previously addressed.

"We believe the screenshots shared online are connected to this January event," he said. "Based on our investigation to date, there is no evidence of ongoing malicious activity beyond the activity detected in January.”

Putting consumer’s data security on heightened alert

With the possibility of the Russia-Ukraine conflict spilling over into a cyberattack on Americans and U.S. businesses, President Biden is not leaving anything to chance. In a roundtable discussion with CEOs on Monday, he said one of the tools Russia is most likely to use is cyberattacks. 

“The private sector, all of you, largely decides the protections that we will or will not take in order to protect your sources,” the president warned.

“But let me be absolutely clear about something: It’s not just in your interests that are at stake with their potential use of cybersecurity … the national interest is at stake."

How do consumers protect their data?

Mark Kapczynski of OneRep – a company that assists the public in removing their private data from the web –  says many people use careless internet habits and run the risk of compromising their own privacy.

“Remember that cool site with a giveaway that you gave your personal information to? Well, more than likely they sold it to a larger data aggregator like TransUnion, which pulls in millions of consumer data points and then sells all of our consumer personal information in bulk to these people search sites,” he said.

Kapczynski says consumers should take advantage of different privacy tools to ensure that their personal information stays secure.

“If you are going to share your information online with various sites, use some of the new email and phone number hiding tools within your iPhone, and/or get an email address and phone number that is dedicated only for your online activities and can easily be deleted or discarded. Most importantly, never give out personal data to online sites unless you know them to be trustworthy and respect consumer privacy,” he suggested.

While Russia and Ukraine are duking it out on the ground, there’s growing concern that Russia might take to the digital sphere to pay back the U.S. for the economic sanctions it made against it.

Russia has long been associated with trying to cripple the U.S. via cyberattacks. The country is thought to have been associated with the attacks on the world’s largest meat producer JBS and the global supply chain. Just last week, the Senate passed the Strengthening American Cybersecurity Act of 2022 to shore up the U.S.' cybersecurity.

Fearing that Russia-backed hackers might have their sights set on banks, the Financial Crimes Enforcement Network (FinCEN) issued an alert on Monday that advises all financial institutions to be vigilant against potential Russian efforts to evade the U.S.’ expansive sanctions. FinCEN put financial institutions that deal in cryptocurrency on the highest alert because gaining access to cryptocurrencies might be an easy target that could help Russia replenish its coffers after the U.S. placed economic pressure on the country.

Experts weigh in on the overall issue

Watching the Russia-Ukraine conflict unfold on TV is one thing, but if Russia decided to punish the U.S. for its role, what would the stateside effect be? ConsumerAffairs asked Dr. Aaron Brantly, Director of the Tech4Humanity Lab at Virginia Tech, to comment on the situation. 

“I would say that the threat of Russian cyber attacks against US infrastructure is high. But that such attacks have been defined by the administration as an escalatory red-line that could possibly involve the US and by extension NATO into the war in Ukraine,” Brantly told us. “Regarding individual consumer attacks to current financial constraints on the Russian Federation make such attacks less attractive as the money launder routes are increasingly closed.”

As far as what the FinCEN or American Cybersecurity Act were designed to do, Brantly thinks it’s a good move to start.

“Each act and move towards more robust cybersecurity is a step in the right direction. Yet any notion that any system or country will be largely invulnerable to cyber-attacks in the future does not pair up with the technical reality of software and hardware development.”

Consumers can protect themselves

How much could a cyberattack against the U.S. impact consumers? Therese Schachner, a cybersecurity consultant at VPNBrains, says the average person would likely feel some of the fallout.

“Organizations providing critical infrastructure are prime targets for cyberattacks since these organizations provide services that are essential for consumers," Schachner told ConsumerAffairs. "When the public loses access to power, healthcare, or other key services due to system outages caused by cyberattacks, massive disruptions are caused in the economy and in consumers' everyday lives.”

She added that government agencies -- like the Social Security Administration and the Veterans Administration – are also at risk because they provide key services and have access to confidential information that adversaries can use to gain a political or military advantage.

Schachner says consumers who are concerned about a major cybersecurity incursion can make some proactive efforts that may lessen the impact of an attack if it happens. For one thing, she suggests consumers keep their software up to date with the latest security fixes. 

“Older versions of software often have security vulnerabilities that attackers can leverage as initial entry points to computer systems to damage or disable them or gain access to confidential data,” she said.

“Strong passwords are harder to crack, and two-factor authentication adds an extra layer of security into the user authentication process, allowing users to provide additional proof that they are the true owners of their accounts.”

Schachner’s last suggestion to consumers is to keep an eye on their bank and credit card accounts. 

“Monitor accounts for unusual activity, such as suspicious purchases and logins from unrecognized locations and devices, then report and address potentially malicious activity in a timely manner before it escalates into more serious problems,” she suggested.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning to organizations that operate in critical infrastructure sectors that there’s a heightened possibility of new ransomware attacks.

In the warning, the agencies state that the Ragnar Locker ransomware group has launched 52 attacks in 2022 that focused on the manufacturing, energy, financial services, government, and information technology sectors.

"Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” the agencies said. 

Officials say Ragnar Locker has encrypted files on systems and apps that include Windows software, Mozilla Firefox, Internet Explorer, Recycle Bin, Google software, and Opera software.

FBI seeks help from ransomware victims

The FBI says organizations that are targeted with ransomware by Ragnar Locker should not pay the group's ransom to get their files back.

“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, or fund illicit activities. Paying the ransom also does not guarantee a victim’s files will be recovered,” the Bureau said. 

Although it believes that companies shouldn't pay ransom demands, FBI officials admit that some businesses may need to pay a ransom if they cannot function without certain files. They say company executives should evaluate all options to protect their shareholders, employees, and customers. 

“Regardless of whether you or your organization decides to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators and analysts with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks,” the agency stated.

Samsung has announced that a data extortion gang named Lapsus$ has breached the company’s internal data and stolen confidential source code related to its Galaxy-branded devices (smartphones, tablets, smartwatches, etc.). The company did not disclose exactly what information was hacked, but it did note that it does not foresee any impact on its end-user products or private customer data.

Lapsus$ is certainly making the rounds. It recently released what it claimed to be data and employee passwords stolen from Nvidia, a company that designs graphics processing units (GPUs) for the gaming and professional markets. BleepingComputer reports that it is unclear if Lapsus$ contacted Samsung for a ransom, as it claimed in the case of Nvidia. 

“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” a Samsung spokesperson told CNBC.

“According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees.”

This is just the latest setback that Samsung has faced in recent weeks. Last week, Samsung made the news when phone owners reportedly experienced a slowdown of more than 10,000 apps.

The U.S. Senate has taken a proactive approach to combat possible cybersecurity threats in the face of the Russia-Ukraine situation.

In a package authored by U.S. Senator Gary Peters (D-MI), the Senate has passed the Strengthening American Cybersecurity Act of 2022. The legislation would require infrastructure entities and federal agencies to report cyberattacks to the government within 72 hours; ransomware threats would also need to be reported within 24 hours. The bill awaits passage in the House of Representatives.

“The legislation is urgently needed in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine,” Peters stated.

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government. As we have seen repeatedly, these online attacks can significantly disrupt our economy – including by driving up the price of gasoline and threatening our most essential supply chains – as well as the safety and security of our communities.”

Guaranteeing online security in the U.S.

Peters said he will continue his efforts to make the bill a law. He's urging his colleagues in the House to “urgently” pass the legislation to ensure that the nation's online security is kept safe.

Danielle Jablanski, an operational technology cybersecurity strategist at Nozomi Networks, told CNN that the reporting deadlines written into the legislation may be difficult for some companies to handle because information sharing may not be the top priority in a crisis.

Tight or not, the potential consumer impact could be monumental, as the U.S. found out when the Colonial pipeline was hacked. The breach led to increased gas prices and gas shortages. Meat producer JBS was also hit by a cyberattack that prompted shutdowns at company plants and threatened meat supplies all across the nation.

Florida Attorney General Ashley Moody says her office has learned that personal information stolen during last year’s T-Mobile data breach has begun showing up for sale on the dark web.

Hackers stole the data last August, obtaining consumers’ names, dates of birth, Social Security numbers, and driver’s license information. It’s estimated that the thieves hauled in personal information on as many as 53 million people.

“It is extremely important that consumers who had their personal information exposed during last year’s T-Mobile data breach take immediate action to secure and protect their identities,” Moody said. “A large subset of the information is being sold on the dark web, increasing the likelihood that the data breach victims could have their identities stolen and personal finances compromised.”

Credit monitoring

Some affected consumers have obtained the services of one of the credit monitoring companies to alert them to fraudulent activity.

Paul, of Reynoldsburg, Ohio, opened an account with Identity Guard and was initially unimpressed with the company's service. However, he improved his rating for the company after a representative reached out and offered to provide personal assistance.

"We appreciate the feedback as we always make sure to review and research all issues and concerns. We will have a specialist from our Alerts and Restoration department reach out to you to obtain more details and to offer assistance," the company told Paul.

Unfortunately, that kind of turnaround doesn't happen for everyone. Richard, of Boulder, Colo., signed up with AllClear ID and hasn’t found that service to be that useful, even though the company informs him when his data is found on the dark web.

“They'll also say ‘password found,’ but ‘For your security, we do not display your password in an effort to stop further exposure.’ Because there's not even a hint of which password it was, and there's also not an indication of which site(s) it was associated with, there is literally nothing to do with this notification except feel bad -- unless you want to change your passwords across every single site you use,” Richard wrote.

Actually, security experts say that isn’t a bad idea. They saw all passwords should be changed on a regular basis.

Credit Freeze offers the best protection

Moody says there are other proactive steps consumers can take to protect their identities. She suggests placing a credit freeze on credit reports. That will block identity thieves from opening credit accounts in the victim’s name.

To place a credit freeze, consumers must contact each of the three credit bureaus to request it. Here’s the contact information:

Equifax: Visit: Equifax.com/Personal/Credit-Report-Services/Credit-Freeze/ or call 1(888) 766-0008.

Experian: Visit: Experian.com/Freeze/Center or call 1(888) 397-3742.

TransUnion: Visit: TransUnion.com/Credit-Freeze or call 1(800) 680-7289.

A less extreme step is to place a “fraud alert” on all three credit reports. A fraud alert tells lenders and creditors to take extra steps to verify a consumer’s identity before issuing credit. Fraud alerts can be placed by contacting any one of the three major credit bureaus.

A suspected cyberattack hit one of Toyota’s suppliers of electronic components and plastic parts at one of its plants in Japan, wiping out 13,000 cars' worth of output. The automaker said it is suspending all Japanese operations until the company has an opportunity to investigate the situation and restore factory operations to normal.

CNBC reports that it’s unknown who was responsible for the attack or what their reason was, but NikkeiAsia reports that malware was involved. Russia has been implicated due to Japan joining Western allies and blocking Russian banks’ access to the SWIFT international payment network in response to Russia’s invasion of Ukraine.

Fumio Kishida, Japan’s Prime Minister, said the government would launch a probe into the incident to determine whether Russia was involved or not.

“It is difficult to say whether this has anything to do with Russia before making thorough checks,” he told reporters. As for Toyota’s official stance on the matter, a spokesperson for the company described it as a “supplier system failure.” 

The effect on production

All told, 28 lines at 14 Toyota plants – plus some plants operated by Toyota’s affiliates Hino Motors and Daihatsu – were shut down because of the incident.

Toyota has not said exactly how long the shutdown will last, but the spokesperson said it will last for more than a day.

Toyota has experienced cyberattacks in the past in Japan and Australia. This time around, though, the company also has to contend with supply chain issues that have been exacerbated by the pandemic. Those conditions were made worse when protesters prevented trucks from passing through U.S-Canadian borders to deliver parts to North American Toyota factories.

Several U.S. telecoms are asking the Federal Communications Commission (FCC) to pay them $5.6 billion for “reasonable expenses” they incurred after removing ZTE and Huawei ZTE and Huawei from their networks.

Previously, officials designated Huawei and ZTE as “national security threats” and voted in concert to ban U.S. carriers from offering service from either company and demanded that their equipment be replaced. The FCC originally thought it would cost carriers more than $1.8 billion to satisfy the order, so it set aside $1.9 billion. However, the telecom companies say that number only covers about a quarter of what they need.

“Last year Congress created a first-of-its-kind program for the FCC to reimburse service providers for their efforts to increase the security of our nation's communications networks,” said FCC Chairwoman Jessica Rosenworcel.  

“We’ve received over 181 applications from carriers who have developed plans to remove and replace equipment in their networks that pose a national security threat. While we have more work to do to review these applications, I look forward to working with Congress to ensure that there is enough funding available for this program to advance Congress’s security goals and ensure that the U.S. will continue to lead the way on 5G security.”

Consumers beware

Since the FCC has banned ZTE and Huawei, people who own one of those brands' devices would be smart to start shopping for a replacement.

Raymond, from Danville, Penn., told ConsumerAffairs that he recently purchased a ZTE device and had trouble activating it. Eventually, he took it to a Verizon store for assistance.

"The person there attempted to activate it took my prepaid card and after 45 minutes told me he could not activate it and handed it back to me. I tried returning it without luck," Raymond wrote in a ConsumerAffairs review. "I'm out over 100 dollars and still have nothing."

If you’re one of the tens of millions of consumers who use Venmo, American Express, Robinhood, Ally Financial, Capital One, Citi, Rocket Loans, TD Ameritrade, Venmo, or Wells Fargo apps to make banking transactions, you may be in for a pleasant surprise.

Plaid – a California-based data transfer network that powers fintech and digital finance products – will be paying $58 million to users to settle charges that it took more financial data than was needed by a user’s app. 

On top of getting more personal financial data than necessary, the company is alleged to have obtained log-in credentials through the app’s “Plaid Link” interface. Regulators say the interface mimicked the look and feel of users' own bank account login screen, leading people to believe that the data they were sharing was really with the bank and not a third-party source. The plaintiffs in the class action suit alleged that Plaid then used that information to access and sell transaction histories. 

Major settlement in the fintech market

Consumers flocked to digital banking during the pandemic, and federal regulators started raising concerns. Early last year, the Justice Department stepped in to oppose Visa's efforts to acquire Plaid, saying that the deal was anti-competitive. This latest settlement could be monumentally important when it comes to policing the fintech market.

"This is a major settlement in the fintech privacy area, as the collection and use of consumer data has become more scrutinized in the past few years, especially amidst the wave of fintech and money transfer apps that have become popular with consumers," said attorney Jeffrey D. Neuburger, co-head of Proskauer’s Technology, Media & Telecommunications Group. 

Plaid might be out $58 million, but it’s remaining steadfast about its innocence. 

“We don’t share your personal information without your permission,” the company stated on its website. It also denies any wrongdoing and claims that it adequately disclosed and maintained transparency about its practices to consumers.

This is real, not a hoax

Snopes reports that earlier this month, Google users went on the hunt to find out if an email for Plaid’s class action settlement was a “scam or legit,” as people frequently do after receiving such notices. But this is real, and consumers have already started to receive a Notice of Settlement either by postal mail or email.

However, anyone who's due some money as part of this settlement might want to hold off on making any big plans with their check. The suit likely includes "tens of millions" of plaintiffs, so the payouts may not wind up being that big. 

Nonetheless, if you want to find out if you're eligible for some part of the settlement money, the settlement website has a complete searchable list of the companies linked to the Plaid app. You can also call the settlement administrator toll-free at 855-645-1115 to find out whether or not you are a class member.

Anyone who feels their data was misappropriated by Plaid has until April 28, 2022, to file a claim. Full settlement details and the consumer’s legal rights are available here.

Crypto.com – a cryptocurrency exchange app company – says it was the victim of a hack totaling $15 million in stolen funds.

In a statement, a Crypto spokesperson told ConsumerAffairs that the incident affected 483 customers and that the company prevented unauthorized withdrawals in the majority of cases. In all other cases, customers were fully reimbursed.

Breaking those 483 instances down into values, the company said the unsanctioned withdrawals totaled 4,836.26 ether, 443.93 bitcoins (BTC), and approximately $66,200 in other currencies.

To ensure a hack like this doesn’t affect users the next time one happens, the company said it has “hardened” its security systems and is introducing a program to offer additional protection and security for up to $250,000 in funds held in the Crypto.com app and exchange.

The company appears to be in solid enough financial shape to withstand the losses claimed by the hack. Crypto.com CEO Kris Marszalek recently told Fortune that the company's revenue surged 2,000% in the last 12 months. 

Security firm says not all funds are safe

Peckshield, a China-based blockchain security firm, questioned Crypto.com’s stance that only $66,000 USD was stolen, claiming that its analysis shows that the unauthorized withdrawals amounted to $33 million.

"I’m sorry, but all funds are not safe. I had BTC withdrawn from my account that I did not authorize," tweeted J8Arnold, one of Crypto’s customers. "These funds have yet to be returned to me… I have always had passcode & 2FA [two-factor authentication, a method for protecting identity theft] enabled. I have reached out to Customer Support using every channel possible with no response."

ConsumerAffairs asked Crypto to speak directly to Peckshield’s claims, but the company has not yet replied.

Shaky ground?

While protections are improving for cryptocurrency investors, the digital money world is still in its "Wild West" phase and is not yet completely under the same regulations that the Securities and Exchange Commission (SEC) requires other trading sectors to follow. That allows some wiggle room for hackers to continue trying to break into cryptocurrency exchanges whenever they can, forcing many investors into "buyer beware" mode.

Roger Aliaga-Díaz, Vanguard America’s Chief Economist, cautions investors that while cryptocurrency may seem attractive, it’s no substitute for stocks and bonds.

"The biggest risk for all investors would be to assume that demand growth will continue just because their prices have recently gone up," he said. "That's speculation, not investment."

Goodwill has reportedly become the victim of a data breach that is directly impacting the users of its ShopGoodwill.com e-commerce platform. 

TechRadar reports that hackers made their way into the company’s platform via an exploitable vulnerability that allowed them access to customer names, phone numbers, email addresses, and postal addresses. The larger unanswered question is how many customers the breach actually affected. 

Goodwill responds

Goodwill stated that it patched the vulnerability that led to the exposure. In a letter sent to customers affected by the hack, company Vice President Ryan Smith said the silver lining in this attack is that no customer financial data was stolen. 

"We were recently alerted to an issue on our website which resulted in the exposure of some of your personal contact information to an unauthorized third party,” Smith said. “No payment card information was exposed; ShopGoodwill does not store payment card information. While the third party accessed buyer contact information, they did not access your ShopGoodwill account."

Still, this is not a good look for the donation-driven company. In 2014, an estimated 868,000 credit and debit cards were compromised when the company’s computer network was infected with malware that gave hackers access to customer credit card data. 

Stolen data could lead to more trouble

Although financial information wasn't included in this hack, that information that was stolen could still lead to future problems for consumers. 

Hackers have been known to use stolen personal information for identity theft, which was on the rise in 2021. They could also combine the information with stolen passwords from other hacks in password spraying attacks to compromise other important accounts. 

For more information on identity theft trends and statistics, check out ConsumerAffairs' guide here.

A hack of one of the largest health care systems in the U.S. has compromised the personal and private data of more than a million people who were exposed.

A recent filing showed that 1,357,879 were impacted by the breach in October 2021. In a letter to customers, Broward Health stated that the stolen information may have included names, dates of birth, addresses, phone numbers, financial or bank account information, Social Security numbers, insurance information, driver’s license numbers, email addresses, and various medical information.

Ransomware is the new hot hospital hack

In ConsumerAffairs review of identity theft in 2021, Rob Douglas – a leading authority on cybersecurity – said the pandemic helped create an “easier and more lucrative path” for attackers to launch ransomware. 

Mandiant, an enterprise-scale threat intelligence company, agrees. In its tracking of foreign hackers, it stated that a group dubbed FIN12 has taken a shine to companies that provide critical care functions. The company said nearly 20% of FIN12 victims were in the health care industry and were warned that they were more likely to be targeted during the COVID-19 pandemic.

Mandiant says the hackers are primarily focused on finding financial data, particularly annual income, because of the perception that it justifies proportionally large ransom demands.

Customers urged to take preventive action

In response to the incident, Broward Health said it is taking steps to prevent similar incidents from happening down the line, including adding password resets and multifactor authentication for all users of its systems.

While that may help going forward, Broward customers have a lot to do on their end to protect any of their personal information that may have been hacked. The company suggests that its customers do the following:

• Regularly review the explanation of benefits statements that you receive from your health plan. Broward asks that if anyone sees a service that they did not receive, to contact the health plan at the number on the statement.

• Monitor your financial accounts. If you see any unauthorized activity, promptly contact your financial institution. Broward stated that it would be a good idea to also take a look at your credit report for any discrepancies. 

Hackers had another field day at T-Mobile, or so it appears. After a massive data breach compromised the accounts of six million users in August, the T-Mo Report is citing internal documents that show the company uncovered “unauthorized activity” on some customer accounts. 

The organization said the activity was most likely either the viewing of customer proprietary network information (CPNI), an active SIM (subscriber identity module) swap by a malicious actor, or possibly both.

If it was CPNI, then the hackers could have taken advantage of a customer’s account name, phone number, rate plan, and more. “That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers,” T-Mo said. 

On the other hand, if it was a SIM swap, things could be worse. Hackers could gain control of a customer’s phone number. In that situation, it could lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number, T-Mo said. However, the document shared with T-Mo indicated that anyone affected by a SIM swap had lucked out and that action was reversed.

T-Mobile responds

When ConsumerAffairs asked T-Mobile for a comment about the breach, the company confirmed the issue and said that it has corrected it.

“We were informed [by] a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed. Unauthorized SIM swaps are unfortunately a common industry-wide occurrence, however this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf,” a company spokesperson said in an email.

In addition, T-Mobile Help responded to a question posted on Twitter by saying that it was “taking immediate steps to help protect all individuals who may be at risk from this cyberattack.” It followed by saying users could send it a direct message to discuss steps to increase account security.

T-Mo also reported that customers who notified T-Mobile of unauthorized activity on their account have had notes added to their account for reps to see when accessing them.

Meta has encountered its first major headache under its new moniker. The company formerly known as Facebook has notified 50,000 global users of Facebook, WhatsApp, Instagram, and Messenger that they may have been targeted by private surveillance companies. 

Meta said those seven firms carried out a mix of “reconnaissance, engagement, and exploitation,” but they have now been completely barred from the company’s platforms.

Collecting information and compromising accounts

In a blog post describing the issue, Meta said the global “surveillance-for-hire” companies targeted people to collect intelligence and compromise their devices and accounts – not only on Meta’s platforms but across the whole internet in more than 100 countries.

“While these ‘cyber mercenaries’ often claim that their services only target criminals and terrorists, our months-long investigation concluded that targeting is in fact indiscriminate and includes journalists, dissidents, critics of authoritarian regimes, families of opposition and human rights activists,” explained Meta officials David Agranovich and Mike Dvilyanski.

Agranovich and Dvilyanski said Meta is trying to prevent this from happening again by sharing its findings with security researchers, other platforms, and policymakers. The company also issued cease and desist warnings to the companies involved and alerted people who may have been targeted to help them strengthen the security of their various Meta-connected accounts.

What actual good could come out of this

Despite the immediate concern, Meta said in its threat report that there’s actually some good that can come out of this situation. The company is requesting that governments and tech companies come together to work on three key components:

Greater transparency and oversight: Meta sees a need for more international oversight that establishes transparency and “know your customer” standards. These standards would cover social platforms and surveillance-for-hire entities so that they are held accountable.

Industry collaboration: Surveillance efforts show up differently depending on individual platforms, but Meta stated that industry-wide collaboration is critical if Big Tech wants to fully understand and stop adversarial surveillance efforts before they spin out of control.

Governance and ethics: While Facebook’s history is covered with faux pas that put the company’s trustworthiness in question at congressional hearings, Meta says it now welcomes domestic and international efforts to raise accountability through legislation, export controls, and regulatory actions. 

“We also encourage broader conversations about the ethics of using these surveillance technologies by law enforcement and private companies, as well as creating effective victim protection regimes,” Agranovich and Dvilyanski said.

If you find things a little squirrely with the internet as you begin your week, it may relate to a “zero-day” exploit called “Log4Shell” that has sent security experts scrambling. 

The vulnerability is a critical security flaw in an open-source logging software called “Log4j,” which is used by countless companies and data centers around the world. The difficult part is that when analysts attempt to plug holes created by Log4Shell, others seem to pop up as a result.

“The internet’s on fire right now,” Adam Meyers, senior vice president of intelligence at the cybersecurity firm Crowdstrike, told The Associated Press. “People are scrambling to patch,” he said, “and all kinds of people scrambling to exploit it.”

Why it’s such a threat

Log4Shell appears to be a major threat to internet companies. Reports have already circulated that iCloud, Amazon’s cloud service AWS, and Minecraft were targeted by hackers who used the vulnerability.

Hackers who use Log4Shell are reportedly able to run code inside of server systems and remotely take full control. Making the situation far more dangerous is the fact that this hack doesn’t require any interaction from the victim. Hackers can simply worm their way, gain access, and do their damage.

“This is far worse than if individual devices were vulnerable, and I think it's an open question at this point exactly what kind of data attackers are probably pulling from Apple's services as we speak,” Thomas Reed, Malwarebytes director of Mac offerings, told Ars Technica.

“I’d be hard-pressed to think of a company that’s not at risk,” Joe Sullivan, a Cloudflare security officer, told the AP. He said that untold millions of servers might have the utility installed. 

In its latest move to stop global hackers in their tracks, Microsoft’s Digital Crimes Unit (DCU) has throttled the activities of a China-based hacking group that it calls Nickel. 

A federal court in Virginia granted the company’s request to seize websites that Nickel planned to use to attack organizations in 29 countries, including the U.S. The upshot of Microsoft’s sheriff-like effort is that Nickel’s access to victims has been cut off and that the malicious websites it was using no longer have the ability to carry out attacks. 

Microsoft didn’t name Nickel’s specific targets but said at the top of the list of those spared were government agencies, think tanks, and human rights organizations because of the wealth of information the hackers could tap into for intelligence gathering. 

“There is often a correlation between Nickel’s targets and China’s geopolitical interests,” said Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust. According to Burt, Nickel also targeted diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. 

Microsoft says it will remain relentless

Nickel may be the latest snake in the grass that Microsoft has gone after, but it’s not the first. The company said that DCU’s pioneering efforts have taken control of more than 10,000 malicious websites used by cybercriminals and nearly 600 sites used by nation-state actors so far. The tech giant said it has also proactively blocked the registration of some 600,000 sites to prevent hacking groups from using them to cause harm in the future.

However, Microsoft admitted that Nickel was not completely killed off, and it could come back for more. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” Burt remarked.

He went on to say that nation-state attacks continue to proliferate in number and sophistication. While China may be the head of the Nickel snake, DCU has also disrupted nefarious attempts from Iran, Russia, and North Korea. 

“Our goal … is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace. We will remain relentless in our efforts to improve the security of the ecosystem and we will continue to share activity we see, regardless of where it originates,” Burt concluded.

In a data breach alert published by the Securities and Exchange Commission (SEC), GoDaddy reported that the private data of as many as 1.2 million of its customers was exposed by hackers who wormed their way into the company's Managed WordPress hosting ecosystem.

Unfortunately, GoDaddy was a little late in putting measures in place to curb the incident. The company told the SEC that it determined hackers first breached their systems on September 6, 2021, but that it didn’t take measures to block the hackers until November 17.

What happened

Demetrius Comes, GoDaddy’s Chief Information Security Officer, said the hack was pretty straightforward. Using a compromised password, the hackers accessed the provisioning system in GoDaddy’s code base for Managed WordPress. Managed WordPress hosting is something GoDaddy offers its clients -- sort of a jack of all trades platform where all the technical aspects of running a website are handled by GoDaddy, freeing the website owner from having to take care of those things.

When the company first spotted the hack, it immediately began an investigation with the assistance of an IT forensics firm. Comes said GoDaddy also contacted law enforcement. 

“Upon identifying this incident, we immediately blocked the unauthorized third party from our system. … Our investigation is ongoing,” Comes said. As to what the hackers had access to, he offered the following: 

• Up to 1.2 million active and inactive Managed WordPress customers had their email addresses and customer numbers exposed. The exposure of email addresses is serious because it presents a risk of phishing attacks.

• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.

• For active customers, FTP and database usernames and passwords were exposed. GoDaddy says it reset both passwords.

• For a subset of active customers, the SSL private key was exposed. Comes said the company is in the process of issuing and installing new certificates for those customers.

Are you a GoDaddy customer?

Comes said the company is in the process of contacting everyone who was impacted directly by the hack. However, he stated that customers can also contact GoDaddy via its help center.

“We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down,” Comes said in closing. “We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

Robinhood, the trading app comprised of users who drove this year’s Reddit stock craze, reports that it has suffered a data breach in which the names and email addresses of millions of traders were stolen. In a blog post, the company emphasized that no Social Security or bank account numbers were compromised, and none of its users suffered any financial loss.

The company said the hacker gained access to Robinhood’s network systems by impersonating an authorized party to a customer-support employee on the phone. Officials said the breach was discovered late Wednesday of last week and quickly contained.

Robinhood said the hacker demanded a ransom payment at one point, but the case was turned over to law enforcement to handle. The company also retained the services of Mandiant, a cybersecurity firm.

“As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.” 

5 million email addresses

The company says an investigation into the hack shows that the hacker was able to steal a list of email addresses for approximately five million users, as well as full names for a different group of approximately two million people. 

Robinhood also believes the hackers gained more extensive data on about 310 users. Again, it doesn’t think any financial information was compromised, but hackers may have gained access to names, dates of birth, and zip codes for that small group of customers.

Robinhood gained millions of customers during the pandemic when homebound Americans used its app to trade stocks, in many cases driving up the price of so-called “meme” stocks like Gamestop and AMC.

Disruptive force

The company has been a disruptive force in the financial services industry by not charging commissions on trades. Now, nearly all online trading platforms have done away with commissions on stock trades.

Robinhood customers seeking information on how to keep accounts secure can visit Help Center, then tab through My Account & Login and Account Security. 

When in doubt, users may log in to view messages from the company. It also points out that it will never include a link to access a user’s account in a security alert. 

Foreign hackers are suspected to have forced their way through the computer systems of nine organizations in the defense, education, energy, health care, and technology sectors. Those organizations are spread throughout the world, but according to findings that security firm Palo Alto Networks shared with CNN, at least one is in the U.S. 

Security analysts believe the hackers are set on stealing key data from U.S. defense contractors and other sensitive targets. The hackers reportedly targeted organizations with passwords that could provide ongoing access to government networks. 

Ryan Olson, a senior Palo Alto Networks executive, told CNN that it was sort of a race to the finish. Once the intruders laid their hands on the passwords, it’s possible that they would be in a good position to intercept sensitive data sent via email or stored on computer systems.

NSA and U.S. Cybersecurity and Infrastructure Security Agency (CISA) officials said they are tracking the threat. 

Eyes on China

Olson said the nine confirmed targets are the "tip of the spear" of the surveillance campaign, and he expects that even more victims will be revealed. Olson couldn’t lay blame at any particular group’s feet, but he said some of the tactics the hackers employed are similar to those used by a known Chinese hacking group.

China state hackers have been behind a number of cyberattacks over the course of the last year. Just this summer, France claimed that China state hackers were using compromised routers in a massive attack campaign. The Biden administration also accused China of being behind major cyberattacks like the Microsoft Exchange hack. 

In July, a federal grand jury charged four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities, and government entities in the U.S. and abroad. In October, the Federal Communications Commission (FCC) recognized potential security risks connected to China Telecom and banished the company from the U.S. 

People who have shied away from Facebook over privacy issues will be happy to know that it’s shutting down its facial recognition system. The company announced that the recognition technology that automatically recognized when a member appears in a photo is officially going away…for now.

Facebook’s active daily users who had previously opted into allowing the technology won’t have to lift a finger; they’ll simply no longer be automatically recognized in photos and videos on the platform. The company said it’s not going to archive anything it has in its system. It will delete more than a billion people’s individual facial recognition templates. 

Facebook users who were hoping to continue using the facial recognition technology to see suggested tags with their names in photos and videos are out of luck. The company says those people will have to tag posts the old-fashioned way -- manually. 

“We need to weigh the positive use cases for facial recognition against growing societal concerns, especially as regulators have yet to provide clear rules,” Jerome Pesenti, VP of Artificial Intelligence, said in a blog post.

The change will likely save Facebook some money in the long run. Over the past few years, the company ran afoul of its users when it launched its '10-Year Challenge'  promotion, and it has forked over hundreds of millions of dollars to settle facial recognition lawsuits.

One of the largest shifts in facial recognition history

Pesenti said Facebook’s move is momentous on a privacy level and represents one of the largest shifts in facial recognition usage in the technology’s history. 

However, the company still believes that facial recognition has a place in the world -- like at airports where the Department of Homeland Security uses facial recognition to identify people wearing face masks because of the pandemic. Because of that, it left the door slightly ajar for using the technology again on some level in the future.

“Looking ahead, we still see facial recognition technology as a powerful tool, for example, for people needing to verify their identity, or to prevent fraud and impersonation,” Pesenti said. “We believe facial recognition can help for products like these with privacy, transparency and control in place, so you decide if and how your face is used. We will continue working on these technologies and engaging outside experts.”

As of December 26, 2021, China Telecom Americas will no longer be doing business in the U.S. Citing security concerns, the Federal Communications Commission (FCC) issued an order on Tuesday that prevents China Telecom from providing any domestic or international services in the U.S.

The move is a major blow for China Telecom because its mobile virtual network in the U.S. includes more than 4 million Chinese Americans, 2 million Chinese tourists a year visiting the United States, 300,000 Chinese students at American colleges, and more than 1,500 Chinese businesses.

However, it wasn’t completely unexpected. In 2020, the Executive Branch warned that it was considering shutting down the U.S. operations of state-controlled Chinese telecommunications companies, including China Telecom Americas. 

Officials had offered China Telecom a chance to disprove the agency’s findings, and they established a process that allowed for China Telecom, the U.S. Executive Branch agencies, and the public to present any remaining arguments or evidence regarding the matter.  

“The Federal Communications Commission has a long history of working to open American markets to foreign telecommunications companies when doing so is in the public interest,” Chairwoman Jessica Rosenworcel said.  

“These connections can make us stronger because they help share our democratic values with the rest of the world.  But we also recognize not every connection is consistent with the national security interest of the United States. That’s because some countries may seek to exploit our openness to advance their own national interests.  When we recognize this is the case and cannot mitigate the risk, we need to take action to protect the communications infrastructure that is so critical to our national security and economic prosperity.”

FCC offers to help China Telecom’s U.S. users

Fortunately for China Telecom’s U.S. users, the FCC is not leaving them out in the cold. The agency said it will help customers transition to other mobile service providers. Officials say they will issue a guide that outlines what other options consumers might consider for mobile services.  

This document will be available in English, Simplified Chinese, and Traditional Chinese and made available on the FCC’s website. 

Cybersecurity specialists at the Microsoft Threat Intelligence Center (MSTIC) claim that the Russian-linked hacking group behind the attacks on SolarWinds, JBS, and others last year is at it again -- this time going after key players in the global technology supply chain.

The group, known as Nobelium, has “been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain” according to Tom Burt, Microsoft’s corporate vice president of customer security and trust. So far, the group has allegedly targeted more than 140 IT resellers and service providers and compromised as many as 14 since May. 

“Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling … targets of interest to the Russian government,” Burt said in a blog post.

Hackers use "password spraying" technique

The hackers’ favorite technique this time around is reportedly something called a “password spray.” This attack is a procedure that tries to access a vast number of account usernames via commonly used passwords such as “123456789,” “Password123,” and “picture1.”

DoubleOctopus -- a cybersecurity company focused on password protection -- says even though password spraying is a slow-and-go technique, it does allow hackers to stay undetected by avoiding rapid or frequent account lockouts. That makes it different from traditional attacks that attempt to gain unauthorized access by guessing an account’s password.

In this situation, online users appear to be at the mercy of the service providers and platforms they use to protect their accounts. To that end, Microsoft recommends that companies with online customer systems implement a specific set of protocols to thwart recent Nobelium activity.

Putting protective measures in place

While consumers may need to depend on companies to protect them to some extent, there are still some things they can do to gain an advantage against hackers. In an interview with USAToday, Craig Danuloff, CEO of The Privacy Co., offered these tips to make personal passwords and information less susceptible:

Do not reuse passwords on any important accounts. Keeping your passwords unique helps ensure that hackers can’t access all of your important accounts if they figure out just one of your passwords.

Use two-factor authentication wherever possible. Amazon, Apple, Google, and other major tech players use this method because it works well. Here’s a guide that goes over two-factor authentication and other cybersecurity steps you can take to protect yourself.

Choose platforms that use end-to-end encryption. This is a method that Zoom now uses after learning a valuable lesson without it. “Files or photos sitting in cloud storage can be stolen,” Danuloff said. “If they’re in a database that has no keys or just one master key, all of your personal data has a much higher likelihood of being stolen, accessed, and maybe even shared publicly.”

Don’t give up your data to every site that asks for it. “Data that isn’t there can’t be stolen,” Danuloff said. All kinds of services ask for your address, phone number, or even your Social Security number. “The vast majority of them don’t need it,” he said. So give them “alternative facts.” Use burner email accounts. 

Use a personal monitoring service -- aka ID theft protection -- that informs you when your data has been stolen in a hack or when there are signs of identity theft. 

October is turning out to be a bad month for cryptocurrency lawbreakers. On Thursday, the U.S. Department of Justice announced that it has created a special team of its own to keep criminal misuses of cryptocurrency to a minimum. 

In the agency’s announcement, Deputy Attorney General Lisa O. Monaco said the National Cryptocurrency Enforcement Team (NCET) will not only tackle thorny investigations and prosecutions of criminal misuses of cryptocurrency. She said it will also be especially vigilant regarding crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering. 

The new team will also assist in tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups, such as the one involved in the Colonial Pipeline attack earlier this year.

“Today we are launching the National Cryptocurrency Enforcement Team to draw on the Department’s cyber and money laundering expertise to strengthen our capacity to dismantle the financial entities that enable criminal actors to flourish — and quite frankly to profit — from abusing cryptocurrency platforms” said Monaco. “As the technology advances, so too must the Department evolve with it so that we’re poised to root out abuse on these platforms and ensure user confidence in these systems.”

Diving deep to find crypto criminals

The NCET realizes that the people behind cryptocurrency crimes can be sneaky, often doing their deeds in what the agency called “dark markets” -- the underbelly of the internet where illegal drugs, weapons, hacking tools, and malware are sold. To get to those people, the DOJ will use the expertise of the Criminal Division to “deter, disrupt, investigate, and prosecute criminal misuse of cryptocurrency, as well as to recover the illicit proceeds of those crimes whenever possible.”

Because those dark markets and bad actors are difficult to find and bring to justice, the NCET said it will foster the development of a higher level of expertise in cryptocurrency and blockchain technologies across all aspects of the Department’s work. 

The DOJ said it isn’t just doing this on a national scale. The new group said it will be providing support to international, federal, state, local, tribal, and territorial law enforcement authorities that are grappling with these new technologies and new forms of criminal tradecraft.

Twitch -- Amazon’s streaming service that’s focused on live video game broadcasts -- has experienced a massive data breach. The hacker responsible for the act says they have taken all the information they found on Twitch, including source code and user payout data, and leaked it online.

The anonymous hacker went further, posting a link to its bounty to 4chan on Wednesday and stating that their reason for leaking their stolen goods was to “foster more disruption and competition in the online video streaming space” because Twitch’s “community is a disgusting toxic cesspool.”

VideoGamesConsole (VGC), which first reported the hack, verified the leak as legitimate and that the files mentioned on 4chan are publicly available to download.

What to do

VGC advises anyone who uses Twitch to change their password and turn on two-factor authentication immediately. To change your password on Twitch, users can do the following::

• Go to Twitch and log on with your existing username and password.

• Click on your avatar in the top-right corner and choose Settings.

• Go to the Security and Privacy option, locate the option that says “change password,” and complete the prompts to do so. 

VGC recommends that users opt for a longer password when making the change because they tend to be safer. Adding both uppercase and lowercase characters, numbers, and a special symbol or two (like $ or &) can make them even stronger.

Google has put 2 billion Chrome users on high alert that its browser has suffered “zero-day” exploits that “exist in the wild” and affect Apple, Linux, and Windows systems. This is the ninth such attack so far this year.

In order to buy itself some extra time so users can upgrade to a safer version of Chrome, Google’s Srinivas Sista said the company is limiting access to bug details and links “until a majority of users are updated with a fix.” 

What Chrome users need to do ASAP

To get ahead of the situation for the short term, Google has released a critical update. Gordon Kelly, a Consumer Tech specialist at Forbes, says the company tends to roll out updates in a staggered fashion, so not everyone will get the notice at the same time. 

To check if you are protected, you can take these steps:

• Click on the vertical three-dot icon in the upper right-hand part of your Chrome browser.

• Then, go to Settings > Help > About Google Chrome.

• If your Chrome version is 94.0.4606.71 or higher, then consider yourself safe. If your version is below that number, make it a point to check at least once a day to see if there’s an upgrade.

• If the update is not yet available for your browser, check regularly for the new version.

Are there safer browsers than Chrome?

One of the reasons many people use Chrome is because the integration between Google Docs, YouTube, Google Drive, Google Calendar, G-Mail, their Android devices, etc. makes things easier. But cybersecurity watcher Zak Doffman says Google’s latest issue should give users some serious pause.

“If you’re one of those users, this nasty new surprise just gave you a reason to quit,” he wrote following the announcement of the latest Chrome issue.

Do consumers have other decent choices? Doffman says yes. There’s Apple’s Safari, DuckDuckGo, Mozilla Firefox, and a fairly new browser called Brave. Each of those browsers tries to upset Google’s apple cart by placing an extra emphasis on privacy. In Brave’s case, it automatically blocks both ads and website trackers as part of its default settings. 

Even though Google announced it was phasing out third-party tracking cookies in its Chrome browser earlier this year, Doffman is still championing a different browser. 

“While it’s Firefox, DuckDuckGo and Brave that most vocally push the browser privacy agenda, it’s really Safari that has done the best job of exposing Chrome’s avaricious data harvesting machine at scale,” he wrote.

Even though much of Apple’s recent press has been about its new iPhones, Doffman says the company’s recent Safari update is a “genuine game changer” for privacy and security because of the addition of a new privacy weapon called Private Relay. 

“Put simply, this breaks the identity chain between you, the websites you visit and the ISP through which you access the internet,” he explained.

Neiman Marcus has alerted customers that a data breach last year may have exposed the payment records of 4.6 million customers.

The personal information for affected customers may have included names and contact information; payment card numbers and expiration dates but without CVV numbers; Neiman Marcus virtual gift card numbers without PINs; and usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts. 

The company said it has alerted law enforcement and retained the services of a cybersecurity firm to investigate. The preliminary investigation shows that around 3.1 million payment and virtual gift cards were exposed, but the vast majority -- more than 85% -- were expired. 

The company said no active Neiman Marcus-branded credit cards were exposed and that there is no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.

"At Neiman Marcus Group (NMG), customers are our top priority," said Geoffroy van Raemdonck, the company’s CEO. "We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information."

Incident occurred 17 months ago

The breach is believed to have occurred in May 2020, but the company only learned of it in recent days. Once it was aware that payment records had been exposed, the company said it began steps to protect customers.

The company required an online account password reset for affected customers who had not changed their password since May 2020. It also set up a call center to answer customers’ questions. The number is (866) 571-9725, and it is open Monday through Friday, 8 a.m. to 10 p.m. CST; Saturday and Sunday, 10 a.m. to 7 p.m. CST. Callers should be prepared to provide engagement number B019206. There’s also a webpage that provides additional information.

Cyberattacks on corporate entities have become more common in the last five years. Corporations are major targets for hackers. Earlier this year, a ransomware attack shut down a major gasoline pipeline.

A team of security researchers has uncovered a new hack that could allow bad actors to make unauthorized charges through victims’ iPhones. 

In a demonstration to the BBC, researchers from the Computer Science departments of Birmingham and Surrey Universities in the U.K. showed how cyber thieves can exploit a feature in Apple Pay that could leverage unauthorized contactless payments. According to the researchers, the problem lies in how Visa cards are set up in “Express Transit” mode in an iPhone's wallet. 

Express Transit is an Apple Pay feature that enables commuters to make quick contactless payments without having to unlock their phone. It’s similar to how a commuter might pay for a ride on New York City’s MTA, Los Angeles’ TAP, or Chicago’s CTA. 

How it works

In the demo, researchers showed how easy it was for them to make a Visa payment of £1,000 [$13,460 USD] without unlocking the phone or authorizing the payment. 

All a hacker has to do is set up a commercially available piece of radio equipment near where the iPhone might be used to make a payment, such as a retail store. The hacker can then trick the iPhone into thinking it’s dealing with a legitimate point-of-contact. 

The scary thing is that the crook’s phone and the payment terminal that’s being used don't need to be anywhere near the victim's iPhone. "It can be on another continent from the iPhone as long as there's an internet connection," said Dr. Ioana Boureanu of the University of Surrey.

Apple and Visa aren’t worried...yet

While the researchers may think the incursion is a real possibility, neither Apple nor Visa are sweating it quite yet. According to the BBC, Apple said the matter was "a concern with a Visa system.” Visa said its payments were secure and attacks of this type were impractical outside of a lab.

Visa told the BBC that it took all security threats seriously, but it says this isn’t something that consumers should worry about. 

"Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” the company said. "Variations of contactless fraud schemes have been studied in laboratory settings for more than a decade and have proven to be impractical to execute at scale in the real world".

Protecting yourself

Regardless of whether this particular threat is viable, there are things consumers can do to lessen the chances of being victimized by a hacker trying to create unauthorized payments. First off, if you lose your phone, you can use Apple's iCloud to block Apple Pay or wipe the phone. You can also alert Visa and block any future payments.

"In the unlikely event that an unauthorised payment does occur, Visa has made it clear that their cardholders are protected by Visa's zero liability policy,” Apple said.

Android phone owners got an unpleasant surprise on Tuesday. Researchers at mobile security company Zimperium reported the discovery of a piece of malware called “GriftHorse” -- a trojan that’s been unleashed on more than 10 million Android devices in 70+ countries. 

This isn’t your ordinary household malware. Its mission is to sucker users into permissions that allow the cybercrooks to force monthly premium service charges. Business is good, too. So far, researchers estimate that the GriftHorse mob is making between $1.5 million to $4 million per month.

Where trouble ensues

Zimperium’s zLabs team said the malware is delivered to consumers by malicious Android apps that appear harmless at first. However, chaos ensues after the apps hoodwink users into granting certain permissions. At that point, victims start getting charged every month for premium paid services that they get subscribed to without their knowledge or consent. 

“Upon infection, the victim is bombarded with alerts on the screen letting them know they had won a prize and needed to claim it immediately. These pop ups reappear no less than five times per hour until the application user successfully accepts the offer. Upon accepting the invitation for the prize, the malware redirects the victim to a geo-specific webpage where they are asked to submit their phone numbers for verification,” Zimperium’s Aazim Yaswant and Nipun Gupta explained.

“But in reality, they are submitting their phone number to a premium SMS service that would start charging their phone bill over €30 [$40 USD] per month. The victim does not immediately notice the impact of the theft, and the likelihood of it continuing for months before detection is high, with little to no recourse to get one’s money back.”

Zimperium warned Google about the threat, and the company responded by verifying and removing the malware apps from its Play Store. However, the malicious applications might still be available on unsecured third-party app repositories or on an Android user’s phone. To help users identify the problem-causing apps, Zimperium offers a full list of the affected apps here.

Microsoft has issued a security alert to Windows users, warning that hackers have found and are currently exploiting a vulnerability in the operating system.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows,” the company reported. “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

The company said the hackers were likely to target victims through their use of Office documents. If users open a malicious document, they’ll end up with malware on their system.

The best way to protect yourself is to make sure your antivirus software is up to date. Microsoft said Microsoft Defender Antivirus and Microsoft Defender for Endpoint can effectively detect the vulnerability. Meanwhile, the company said it is investigating the source.

Investigation underway

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company said. “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Krebs on Security, an authoritative security blog, reports Microsoft has not yet released a patch for the flaw, but it says users can mitigate the threat by disabling the installation of all ActiveX controls in Internet Explorer. Krebs says the vulnerability is currently being used in targeted attacks on both PCs and servers.

An FBI terrorist watchlist containing 1.9 million records mistakenly found its way onto the internet unguarded, allowing anyone and everyone to view it.

Volodymyr "Bob" Diachenko, Comparitech’s Head of Security Research, is the person who first stumbled onto the treasure trove. In sharing the details of his find, he said the watchlist came from the Terrorist Screening Center (TSC), a multi-agency group administered by the FBI -- the same agency that’s in charge of the U.S.’ no-fly list. 

Stopped in its tracks

Donning his white hat, Diachenko said he immediately reported the leak to Department of Homeland Security (DHS) officials before he went any further. He said DHS acknowledged the incident and thanked him for his efforts. However, the agency did not provide any further official comment.

Diachenko said a typical record in the list contained these details:

• Full name

• TSC watchlist ID

• Citizenship

• Gender

• Date of birth

• Passport number

• Country of issuance

• No-fly indicator

The name alone -- terrorist watchlist -- sounds ominous, and it is. According to PCMag’s investigation of the situation, the list consists of people who are suspected of terrorism but who have not necessarily been charged with any crime yet. 

“In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families. It could cause any number of personal and professional problems for innocent people whose names are included in the list,” reported Matthew Humphries.

One of those "personal problems" made headlines in 2017 when consumers misidentified as terrorists won a $60 million verdict against TransUnion when it misidentified them in their credit reports as terrorists and drug traffickers. 

Could this happen to you?

The no-fly list has proven to be a double-edged sword. While the FBI can justify its reasons, the American Civil Liberties Union (ACLU) has long found fault with the list because people placed on it aren’t always notified. 

Could something like this happen to anyone? The short answer is yes. As an example, infants have been prevented from boarding planes at airports across the U.S. because their names happened to be the same as, or similar to, those of possible terrorists on the government's ''no-fly list."

The ACLU says both U.S. citizens and “lawful permanent residents” have rights that the DHS and TSC are supposed to review before any action is taken. The ACLU offers tips to anyone who is mistakenly caught in the no-fly snare. A complete list of dos and don’ts is available here.

There’s barely a week that goes by without a high-profile cybersecurity incident. Not only do these scourges affect everyday life for businesses, but consumers are also impacted as hackers go after any amount of personal data they can access.

In a face-to-face meeting with President Biden on Wednesday, Big Tech stalwarts Amazon, Apple, Google, IBM, and Microsoft all agreed to write big, fat checks to help the nation as a whole address the rising tide of cybersecurity threats. The companies also plan to address the ever-widening abyss of high-growth jobs in the tech sector. 

Spending billions to shore up cybersecurity

Here’s what Big Tech told President Biden they’ll commit to:

Google says it’s good for $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance security. The company also promised to assist 100,000 Americans in earning industry-recognized digital skills certificates. 

Apple announced that it will create a new program -- one that includes more than 9,000 U.S. suppliers -- to drive continuous security improvements throughout the technology supply chain. 

Another plus for tech education came from IBM, which announced that it will train 150,000 people in cybersecurity skills over the next three years. The company will place a special focus on historically Black colleges and universities to create “Cybersecurity Leadership Centers” in an effort to grow a more diverse cyber workforce.

Microsoft -- which has been on the wrong end of some serious hacks this year -- announced that it will invest $20 billion between now and 2026 to up the ante on cybersecurity both by design and in delivery throughout its systems. To prime the pump, the company said it will immediately make available $150 million in technical services to help federal, state, and local governments upgrade their current security protection. It will also invest heavily in tech training by expanding partnerships with community colleges and non-profits.

For its part, Amazon said it will make the same security awareness training it offers its employees freely available. It also plans to offer a free multi-factor authentication device to protect against cybersecurity threats like phishing and password theft to all of its Amazon Web Services account holders. Those account holders include companies like Facebook, Netflix, Adobe, ESPN, Ticketmaster, Samsung, and Disney.

Increasing tech education and jobs

One huge challenge facing these Big Tech companies is that nearly half a million cybersecurity jobs remain unfilled. A spokesperson at the Computing Technology Industry Association (CompTIA) told ConsumerAffairs that, as of this week, it was tracking 454,366 job ads for cybersecurity in the U.S. -- 13% more than the year before.

The education effort isn’t being carried solely by Big Tech. To get people trained quickly, colleges and organizations are investing heavily in “micro-credentialing” and training that doesn’t call for a four-year college degree. To that end, Girls Who Code announced that it will establish a micro-credentialing program for historically excluded groups.

The University of Texas System told the White House it will make available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute to help grow new short-term credentials in cyber-related fields by more than 1 million workers.

“To meet the scale of the demand for cybersecurity skills, we need to be considering creative alternatives to the classic college pathway into the profession. The majority of cyber jobs don’t require a four-years computer science degree,” Todd Thibodeaux, president and CEO at CompTIA, told ConsumerAffairs.

“We can have people come through community college programs, through for-profit university programs, through online university programs, through paid apprenticeships and through industry certification programs that can be completed in a matter of months to accelerate this process.”

If there’s any doubt that a tech education can pay off, recent data shows that tech professionals in 9 of the 10 top-paying U.S. states make over 70% more than the average worker. Life as a techie in places like Alabama pays off especially well. The average salary for someone in technology in Alabama is $86,720 a year -- 85% higher than the $46,840 that salary workers in other fields in the state bring home.

According to researchers, an estimated 38 million records from more than 1,000 apps that use Microsoft's Power Apps portals platform have been exposed. Those records are not only jam-packed with the typical personal data like phone numbers and addresses, but it also includes data from COVID-19 contact tracing efforts, vaccine registrations, and employee databases.

The security leak also reportedly exposed data from large companies and agencies alike, including Ford, American Airlines, logistics company JB Hunt, the Indiana Department of Health, and New York City public schools, according to Wired magazine. 

Caught in the nick of time

Research analysts from security risk platform company UpGuard first uncovered the issue in May when they found unprotected data from several Microsoft Power Apps portals online.

After investigating the matter further, UpGuard sent a vulnerability report to Microsoft in late June. The researchers showed what specific pieces of data were accessible and made suggestions about what Microsoft could do to disable anonymous access to it. 

By mid-July, Microsoft said it had the situation under control and that most of the data from the Power Apps portals had been made private.

Indiana consumers luck out 

In the Indiana Department of Health’s (IDOH) situation alone, there were nearly 750,000 Hoosiers whose data from the state’s COVID-19 online contact tracing survey was accessed. The information supposedly included names, addresses, emails, genders, ethnicities and races, and dates of birth.

While that might seem dire, those people were actually pretty lucky. According to an announcement made by the state, it was able to get the company that accessed the data to sign a “certificate of destruction.” The agreement confirms that the data was not released to any other entity and was destroyed by the company.

“We believe the risk to Hoosiers whose information was accessed is low. We do not collect Social Security information as a part of our contact tracing program, and no medical information was obtained,” said State Health Commissioner Kris Box, M.D., FACOG. “We will provide appropriate protections for anyone impacted.”

T-Mobile said Friday that the data breach it disclosed earlier this week affected significantly more people than initially believed. 

In a filing with the Securities and Exchange Commission, the carrier said an additional 5.3 postpaid accounts and 850,000 active T-Mobile prepaid accounts were affected. This brings the total number of affected consumers to more than 54 million. 

On Wednesday, the company confirmed that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers. 

Information stolen included customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In its latest filing with the SEC, the carrier said phone numbers and IMEI and IMSI details (identifiers for mobile devices and SIM cards respectively) were also compromised.

Mitigating the impact

T-Mobile maintained that it has "no indication" that affected customers’ financial details were exposed. The company said its investigation into the breach is ongoing, and more details will be provided as they’re uncovered. 

T-Mobile emphasized that it’s "confident” that it has successfully “closed off the access and egress points the bad actor used in the attack.” 

The company said it has notified affected account holders and taken steps to safeguard accounts. Customers who think they may have been affected are being offered two years of identity protection services. 

Although no accounts PINs were compromised, T-Mobile has recommended that all postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone.

T-Mobile says its investigation of a breach of its network shows that hackers were able to access data on 7.8 million of its postpaid customers, along with the records of 40 million former and prospective customers.

“We were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals,” the company said in a statement. “We also began coordination with law enforcement as our forensic investigation continued. While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.”

The company said the access point used by the hacker was located and closed. It said no financial or credit card information was compromised. However, officials confirmed that hackers apparently stole customers’ first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. In short, criminals obtained the information needed to steal customers’ identities.

T-Mobile offers assistance to compromised customers

T-Mobile said it is taking the following steps to support customers whose data may have been compromised:

• Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.

• Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling the Customer Care team by dialing 611 on their phone. This precaution is being taken despite the fact that we have no knowledge that any postpaid account PINs were compromised.

• Offering an extra step to protect mobile accounts with Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.

• Publishing a unique web page later on Wednesday for one-stop information and solutions to help customers take steps to further protect themselves. 

T-Mobile said it was also able to confirm that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were compromised in the breach. 

“We have already proactively reset all of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away,” T-Mobile said. “No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.”

Other steps consumers can take

T-Mobile customers affected by the breach may also take other steps to prevent identity theft. The first step should be placing a freeze on credit reports maintained by Experian, Equifax, and Transunion.

The freeze should be placed with all three companies. Someone using a stolen Social Security number will not be able to open new credit accounts as long as the freeze is in place. Fortunately, the process has gotten less complicated over the years. Here are the links to freeze credit information at the three companies:

• Equifax

• Experian

• TransUnion

Freezing credit reports prevents a criminal from opening a credit account in your name, but it prevents you from doing so as well. All three credit agencies make it possible to establish a PIN or password so that your credit can be unfrozen when you are applying for a loan or credit account.

Cryptocurrency platform Poly Network has offered a job to the hacker who stole nearly $600 million in cryptocurrency tokens from it.

A hacker known as “The White Hat” recently made off with a massive amount of crypto, only to later return most of it. The perpetrator claimed that they stole the funds “for fun” and that it was “always the plan” to return the assets. However, some speculated that the hacker either feared legal consequences or realized how difficult it would be to launder such a large amount of stolen crypto. 

Poly Network has since invited the hacker to become an advisor to the firm. It has also promised a $500,000 “bug bounty” reward in exchange for providing the password needed to retrieve more than $200 million in stolen funds. 

In a message embedded in a transaction last week, an anonymous person claiming to be the perpetrator said they would "PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY,” but that hasn’t happened yet. 

Retrieving the remaining funds

On Monday, the hacker said they were “considering taking the bounty as a bonus for public hackers if they can hack the Poly Network.” Poly Network said its offer of a $500,000 reward to “Mr. White Hat'' is still on the table. It also said the hacker could have a role as its “chief security advisor.” 

“To extend our thanks and encourage Mr. White Hat to continue contributing to security advancement in the blockchain world together with Poly Network, we cordially invite Mr. White Hat to be the Chief Security Advisor of Poly Network,” the firm said in a statement.

The platform said it has no plans to levy legal charges against Mr. White Hat. On the contrary, it plans to use what it’s learned from the attack to bolster its security measures. The firm said Tuesday that it hopes to implement a “significant system upgrade” to prevent future incidents. However, it says it can’t do so until the remaining funds are returned. 

Computers owned by Memorial Health System were hit by an attack from the Hive ransomware group on Sunday, causing a system outage. Memorial Health announced that it suffered “an information technology security incident in the early morning hours this morning, August 15, 2021.” 

“As a result, we suspended user access to information technology applications related to our operations,” the non-profit health system said in a statement. 

The company is still struggling to get operations back to normal. In the meantime, medical personnel have been forced to rely on paper records and cancel radiology exams and non-urgent surgical cases. The organization said it didn’t believe patient records were stolen in the attack. 

"At this time no known patient or employee personal or financial information has been compromised," said Memorial Health System president and CEO Scott Cantley. "We are continuing to work with IT security experts to methodically investigate to precisely understand what happened and are taking the appropriate actions to resolve any and all issues."

Hive ransomware group

Memorial Health System represents 64 clinics, including the Marietta Memorial, Selby General, and Sistersville General hospitals in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio. 

The party that carried out the attack is allegedly the Hive ransomware gang, a group that began targeting businesses this summer. Although Memorial Health officials said they didn’t believe any information was compromised, Hive typically links to data stolen from its victims. 

“Like most ransomware gangs, Hive has a leak site called HiveLeaks and hosted on the dark web, where they published links to data stolen from almost two dozen victims that did not pay the ransom,” reported Bleeping Computer. “Most of the businesses listed on the leak site appear to be small to medium sized, many having around or less than 100 employees.”

Apple has released new details about its plan to scan consumers’ devices for evidence of child sexual abuse material (CSAM). Following criticism of the idea, Apple now says it will only flag images that have been supplied by clearinghouses in multiple countries. 

Ten days ago, Apple first announced its plan to monitor images stored on iCloud Photos to search for matches of previously identified CSAM. Once Apple’s technology finds a match, a human will review the image. If that person confirms that the image qualifies as CSAM, the National Center for Missing and Exploited Children (NCMEC) would be notified and the user's account would be immediately disabled. 

Apple said its main goal in employing the technology is to protect children from predators. However, critics were concerned that the tech could be exploited by authoritarian governments or used by malicious parties to open a “backdoor” for wider surveillance. 

“While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products,” security and tech privacy advocates said in a letter pushing for Apple to rescind its plan. 

New details 

In an effort to ease privacy fears, Apple now says it will tune the system so that it will only flag images supplied by clearinghouses in multiple countries -- not just by the U.S. National Center for Missing and Exploited Children (NCMEC), as announced earlier.

Additionally, only cases where users had about 30 or more potentially illicit pictures will be flagged for human review. If proven legitimate, authorities will be notified about the presence of CSAM in a person’s iCloud library. 

“We expect to choose an initial match threshold of 30 images,” Apple said in a Security Threat Model Review published Friday.

“Since this initial threshold contains a drastic safety margin reflecting a worst-case assumption about real-world performance, we may change the threshold after continued empirical evaluation of NeuralHash false positive rates – but the match threshold will never be lower than what is required to produce a one-in-one trillion false positive rate for any given account.”

Privacy concerns still present

Privacy advocates have argued that there’s no tweak that would render Apple’s CSAM surveillance system completely safe from exploitation or abuse. 

“Any system that allows surveillance fundamentally weakens the promises of encryption,” the Electronic Frontier Foundation’s Erica Portnoy said Friday. “No amount of third-party auditability will prevent an authoritarian government from requiring their own database to be added to the system.”

Apple has maintained that the technology will not scan users’ iCloud updates for anything other than CSAM material. Any government requests to “add non-CSAM images to the hash list” would be rejected, the company added. 

T-Mobile says it is investigating a hacker’s claim that they breached the carrier’s network and stole personal data on all 100 million of the its U.S. customers.

Motherboard, a tech site, reported over the weekend that a hacker boasted on a forum that they had gained access to data from T-Mobile servers and that the information is for sale. The dataset reportedly includes names, addresses, phone numbers, and Social Security numbers.

The hacker told Motherboard that the information was obtained through a breach of T-Mobile’s network, and Motherboard said it verified that some of the data it reviewed was related to T-Mobile customers. 

T-Mobile confirms it is investigating

On Sunday, T-Mobile confirmed that it has launched an investigation to determine whether the report is accurate. 

"We are aware of claims made in an underground forum and have been actively investigating their validity,” T-Mobile said in a brief statement to Motherboard. “We do not have any additional information to share at this time." 

Motherboard quotes the hacker as saying T-Mobile is apparently aware of the breach because the hacker can no longer gain access to the servers. In the meantime, the hacker is reportedly selling about 30 million Social Security and driver’s license numbers for six bitcoins, or about $270,000. 

What to do

T-Mobile customers should take steps to prevent identity theft if their personal information is obtained by other criminals. The first step should be placing a freeze on credit reports maintained by Experian, Equifax, and Transunion.

The freeze should be placed with all three companies. Someone using a stolen Social Security number will not be able to open new credit accounts as long as the freeze is in place. Fortunately, the process has gotten less complicated over the years. Here are the links to freeze credit information at the three companies:

• Equifax

• Experian

• TransUnion

Freezing credit reports prevents a criminal from opening a credit account in your name, but it prevents you from doing so as well. All three credit agencies make it possible to establish a PIN or password so that credit can be unfrozen when you are applying for a loan or credit account.

An as-yet-unidentified hacker has returned nearly all of the $600 million stolen by exploiting a vulnerability in the cryptocurrency platform Poly Network. The firm cited the anonymous person claiming to be the perpetrator as saying they were “ready to return” the rest of the stolen digital currency. 

Almost all of the funds have been returned to three digital currency wallets, but $268 million in assets is currently locked in an account that requires passwords from both Poly Network and the hacker. 

“It’s likely that keys held by both Poly Network and the hacker would be required to move the funds — so the hacker could still make these funds inaccessible if they chose to,” Tom Robinson, chief scientist of blockchain analytics firm Elliptic, said in a blogpost Friday.

In a message embedded in the transaction, the hacker said they would "PROVIDE THE FINAL KEY WHEN _EVERYONE_ IS READY.”

Motivation unclear

At this point, it’s still unclear why the hacker decided to return the funds. Some analysts believe the move was motivated by the fact that it’s challenging to launder and cash out large amounts of stolen cryptocurrency. 

“I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” Robinson told CNBC earlier this week. “In this case the hacker concluded that the safest option was just to return the stolen assets.”

Others have speculated that the hacker was afraid of being exposed and facing legal consequences. The identity of the hacker, who is known as “White Hat,” has yet to be uncovered. However, cybersecurity researchers say the individual left behind numerous “digital breadcrumbs” on the blockchain that could be traced by law enforcement.

According to CNBC, the hacker claimed in a message that they stole the funds “for fun” and that it was “always the plan” to return the funds. Poly Network has described the hack as “the biggest in defi history.” 

NortonLifeLock and Avast have announced that they’ll be merging to create a larger cybersecurity company. The deal will be worth between $8.1 billion and $8.6 billion, the companies said Tuesday. 

“With this combination, we can strengthen our cyber safety platform and make it available to more than 500 million users,” says Vincent Pilette, NortonLifeLock CEO. “We will also have the ability to further accelerate innovation to transform cyber safety.”

Once the merger is completed, the firm will likely release antivirus products that encompass the benefits of Avast’s focus on privacy and NortonLifeLock’s experience in identity. 

Joining forces

The merger comes at a time of heightened focus on cybersecurity. Ransomware attacks on large companies and infrastructure firms have received attention lately, in terms of both size and frequency. High-profile cases have underscored the need for software effective in guarding against hackers. 

The CEOs of both companies acknowledged the rise in damaging cyberattacks during the coronavirus pandemic and said partnering would help create products that give consumers and businesses peace of mind. 

“The bad guys have been really, really busy taking advantage of the situation created by Covid-19,” said Avast CEO Ondrej Vlcek, who will become president of the combined company. “The massive increase in attacks has been against everyone -- enterprises, small businesses and consumers. Now is the time to join forces and accelerate the transformation of the entire cybersecurity space.”

On Wednesday, a group of hackers began returning some of the cryptocurrency funds they stole by exploiting a vulnerability in Poly Network, a cryptocurrency platform that facilitates peer-to-peer transactions. 

The hackers recently stole just over $600 million in digital tokens in a cryptocurrency heist that is being regarded as one of the largest in history. Poly Network disclosed the hack on Tuesday and urged the bad actors to “return the hacked assets.” The platform said it planned to take legal action. 

“The amount of money you hacked is the biggest in defi history,” Poly Network said in a tweet. “We will take legal actions and we urge the hackers to return the assets.”

Laundering cryptocurrency is difficult

By Wednesday morning, the hackers had returned around $4.8 million in tokens. A few hours later, about $258 million had been returned. Experts say the hackers may have been motivated not only by Poly’s plea, but by the challenge of laundering stolen crypto on such a large scale. 

“I think this demonstrates that even if you can steal cryptoassets, laundering them and cashing out is extremely difficult, due to the transparency of the blockchain and the use of blockchain analytics,” Tom Robinson, chief scientist of blockchain analytics firm Elliptic, told CNBC. “In this case the hacker concluded that the safest option was just to return the stolen assets.”

In an open letter to Apple, thousands of security and tech privacy advocates pushed back against Apple’s plan to scan iPhones for images of child sexual abuse. 

Apple recently announced a plan to use technology capable of searching for matches of “Child Sexual Abuse Material (CSAM)” in images stored on iCloud. The company claimed the accuracy of its system “ensures less than a one in one trillion chance per year of incorrectly flagging a given account.” 

But as of Monday evening, nearly three dozen organizations and over 6,600 individuals (ranging from cryptographers and researchers to security and legal experts) had signed the open letter urging Apple not to go through with its plan to use the tech.

Critics cite privacy risks 

Apple said last week that it’s main goal in employing the system was to “protect children from predators.” The company said user privacy would be kept at the forefront. 

“Instead of scanning images in the cloud, the system performs on-device matching using a database of known CSAM image hashes provided by NCMEC and other child safety organizations,” Apple said in a statement announcing the new policy. “Apple further transforms this database into an unreadable set of hashes that is securely stored on users’ devices.”

However, critics argue that the system could be exploited by authoritarian governments or even make it possible for malicious parties to open a “backdoor” for wider surveillance. 

“While child exploitation is a serious problem, and while efforts to combat it are almost unquestionably well-intentioned, Apple's proposal introduces a backdoor that threatens to undermine fundamental privacy protections for all users of Apple products,” the letter reads.

The signatories request that Apple table its proposed policy and issue a statement “reaffirming their commitment to end-to-end encryption and user privacy.”

“Apple's current path threatens to undermine decades of work by technologists, academics and policy advocates towards strong privacy-preserving measures being the norm across a majority of consumer electronic devices and use cases,” the letter said. “We ask that Apple reconsider its technology rollout, lest it undo that important work.”

Apple says that it plans to scan iPhones for images of child sexual abuse. The plan received a warm welcome from child protection groups but caused concern with security researchers who worry that Apple’s intention could be exploited by authoritarian governments wanting to play Big Brother and spy on their citizens.

The technology Apple is employing will monitor images stored on iCloud Photos, searching for matches of previously identified “Child Sexual Abuse Material (CSAM),” the new, preferred term over “child pornography.” The company claims its system is so accurate that it “ensures less than a one in one trillion chance per year of incorrectly flagging a given account.” 

When the system lands on a match, a human will review the image. If that person confirms that the image qualifies as CSAM, the National Center for Missing and Exploited Children (NCMEC) will be notified and the user's account will be immediately disabled. 

Apple said forthcoming versions of iOS and iPadOS set for release later this year will contain "new applications of cryptography to help limit the spread of CSAM online, while designing for user privacy." Even though most Apple users don’t give much thought to cryptography, Apple already applies it, mostly in Safari, to regularly check derivations of a user’s passwords against a publicly available list of breached passwords to keep their account safe and secure.

A Herculean effort and a game-changer

Apple is looking at a monumental task. The NCMEC views over 25 million images a year, and the U.S. is one of the largest producers of these types of images and videos. 

In its analysis, the Canadian Centre for Child Protection stated that 67% of child sexual abuse material survivors are impacted much differently by the distribution of their images than they are by hands-on abuse. 

“The reason for this is tragic; distribution goes on perpetuity, and these images are permanent when they are constantly re-shared,” said Gina Cristiano of ADF Solutions, a mobile and digital forensics company.

"Apple's expanded protection for children is a game changer," said John Clark, the president and CEO of the National Center for Missing and Exploited Children. "With so many people using Apple products, these new safety measures have lifesaving potential for children."

“This will break the dam”

Despite Apple’s good intentions, some privacy experts are concerned that the company is crossing a line.

One of those -- Matthew Green, a cryptography researcher at Johns Hopkins University -- raised concerns that Apple’s system could be deployed to frame innocent people simply by sending the person otherwise innocuous images, but ones created to prompt a match for child pornography, outwit Apple's algorithm, and alert law enforcement. 

"Researchers have been able to do this pretty easily," Green said. "Regardless of what Apple's long term plans are, they've sent a very clear signal. In their (very influential) opinion, it is safe to build systems that scan users' phones for prohibited content," Green said.

Green says this decision could also prompt governments to ask for all sorts of information about their citizens.

"Whether they turn out to be right or wrong on that point hardly matters. This will break the dam — governments will demand it from everyone,” he said. "What happens when the Chinese government says, 'Here is a list of files that we want you to scan for?'" Green asked. "Does Apple say no? I hope they say no, but their technology won't say no."

A new Android-based malware has been found that uses screen recording features to log in and ultimately steal sensitive information from targeted devices.

The malware, dubbed “Vultur” by researchers at Amsterdam-based security firm ThreatFabric, was reportedly distributed through the Google Play Store. It was disguised as an app called “Protection Guard,” which garnered over 5,000 installations. The primary targets were banking and crypto-wallet apps from entities located in Italy, Australia, and Spain.

The researchers said they found that the remote access trojan (RAT) worked by taking advantage of accessibility permissions to capture keystrokes. It leveraged screen recording features to log all activities on the targeted device, enabling it to steal banking credentials and more.

Abuses accessibility services

When Vultur is first installed, it abuses accessibility services built into the mobile operating system in order to obtain the required permissions. It does so by borrowing an overlay from other malware families. After that, it goes to work monitoring all requests that trigger the accessibility services. 

"For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way," researchers from ThreatFabric said.

The researchers said the tactics employed by the bad actors behind Vultur are a deviation from “the common HTML overlay development we usually see in other Android banking Trojans,” which tends to be a more time consuming way to siphon information.

“Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result,” the team wrote. 

"The story of Vultur shows one more time how actors shift from using rented Trojans (MaaS) that are sold on underground markets towards proprietary/private malware tailored to the needs of this group," the researchers concluded. "These attacks are scalable and automated since the actions to perform fraud can be scripted on the malware backend and sent in the form of commands sequence, making it easy for the actor(s) to hit-and-run."

Apple users are being urged to immediately install an update on their devices to avoid a nasty exploit that could lead to a malicious malware infection.

Thanks to a tip-off from an anonymous researcher, Apple has issued a security update for Mac, iPhone, and iPad users -- iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. The company says the update will repair a memory corruption issue that has been proven to allow a malicious app to "execute arbitrary code with kernel privileges." 

That explanation sounds a bit technical, but the company has made it known that the exploit is serious and running rampant.

How to do the update

Some Apple users have likely already received a pop-up notice signaling that an automatic update will be installed later on Tuesday. For those who’d rather not wait, the update process is simple.

For iPhone and iPad users:

1. Update your iOS or iPadOS device by navigating to Settings > General > Software Update. 

2. After that, tap "Download and Install" and the security update will be downloaded and applied.

After that, you should be protected from the malware. 

For Mac users:

1. Open the Apple menu

2. Select System Preferences

3. Click Software Update

4. Then click "Update Now," which will download the latest update and patch your system.

At that point, you should be good to go.

Microsoft sent out an important heads-up to its customers on Friday to warn about malware that’s targeting Windows-based computer systems. This specific threat comes from LemonDuck, a crypto-mining malware that reportedly begins with a single infection and then spreads quickly across a computer network. If left unchecked, it can turn every resource from USB devices to emails into cryptocurrency mining slaves. 

Unfortunately, LemonDuck’s threat doesn’t stop with just Windows users. “It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices,” Microsoft 365’s Defender Threat Intelligence Team warned users in a blog post.

“And, it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.”

The Microsoft 365 team says it is taking this threat seriously because of LemonDuck’s ability to constantly evolve. While the malware is primarily known for its cryptocurrency mining objectives, it has the ability to morph and escalate its insurgence by stealing credentials, removing security controls, spreading via emails, and putting more tools in place to interact with human-operated activities.

Red flags

There’s not much a typical Windows (or Linux) user can do on a network-wide scale, but there are some things everyday users should be aware of if they want to avoid being turned into a LemonDuck victim.

The most important piece of advice is to be vigilant when it comes to emails. Microsoft researchers say LemonDuck’s standard email subjects and body content can include jarring phrases like “The Truth of COVID-19” or seemingly out-of-place phrases like “farewell letter” or “good bye.” 

The team says these phrases are usually meant to elicit a reaction and get you to click on something. When that happens, your device is then infected by the malware. While these words and phrases are one red flag to look out for, there are two other easy ones that you can usually spot right away: poor spelling and suspicious files. 

Spelling mistakes are a common component of many scam messages, so you should beware of any email that is littered with these errors. When it comes to files, Microsoft says many scam emails tend to use .doc, .js, or .zip files that usually have a title like “readme” to entice users into clicking on them. Just make sure you don’t.

Authorities from France warned Wednesday that Chinese hackers are using hacked home and office routers as part of a large and ongoing attack campaign. 

In an advisory, France’s National Agency for Information Systems Security (ANSSI) said a hacking group known as APT31 (sometimes known as Zirconium or Judgment Panda) is using compromised routers to target French organizations. 

“ANSSI is currently handling a large intrusion campaign impacting numerous French entities,” ANSSI warned. “Attacks are still ongoing and are led by an intrusion set publicly referred to as APT31. It appears from our investigations that the threat actor uses a network of compromised home routers as operational relay boxes in order to perform stealth reconnaissance as well as attacks.”

The advisory did not specify which organizations were targeted in the campaign, but ANSSI said around 160 IP addresses can be used to indicate whether an organization has been a target. 

More scrutiny over supposed China hacking

France joins other foreign governments in accusing Chinese state-backed hackers of malicious cyber activity. Earlier this week, the U.S. and its allies formally accused China of being responsible for the Microsoft Exchange Server hack that compromised the information of numerous organizations. Beijing denied the hacking charges. 

“The United States ganged up with its allies to make unwarranted accusations against Chinese cybersecurity,” said foreign ministry spokesman, Zhao Lijian. “This was made up out of thin air and confused right and wrong. It is purely a smear and suppression with political motives. China will never accept this.” 

Cybersecurity firm Bitdefender has discovered a new form of malware that gets installed through advertisements in search results. The company says the malware specifically targets Windows devices and is being used to steal passwords, install cryptocurrency miners, and deliver additional trojan malware. 

The researchers dubbed the new form of malware MosaicLoader because of “the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.” 

Defending yourself

Once delivered into a system via ads, the malware goes to work by downloading a variety of threats. Those threats include the malware Glupteba, which creates a backdoor onto infected systems and could allow bad actors to steal sensitive information. Links to the malware show up at the top of search results posing as cracked installers.

"The best way to defend against MosaicLoader is to avoid downloading cracked software from any source," the researchers said in a whitepaper accompanying the report. "Besides being against the law, cybercriminals look to target and exploit users searching for illegal software.” 

“We recommend always checking the source domain of every download to make sure that the files are legitimate and to keep your antimalware and other security solutions up to date,” the researchers added. 

The team noted that people working from home are more likely to be victims of the scheme because they are more likely to download cracked software. It’s believed that those behind the MosaicLoader operation are aiming to compromise as many Windows machines as possible, so it’s very important for consumers and businesses to take this threat seriously.

"From what we can tell, this new MosaicLoader attempts to infect as many devices as possible, likely to build up market share and then sell access to infected computers to other threat actors," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. 

The European Union (E.U.) says any use of spyware to take advantage of what journalists are communicating on their electronic devices is not only improper but also ill-advised.

The reaction comes after reports by non-profit journalism group Forbidden Stories suggested that Israeli software had been leveraged to break into the smartphones of up to 50,000 journalists, government officials, and rights activists across the globe.

"What we could read so far -- and this has to be verified, but if it is the case -- it is completely unacceptable. Against any kind of rules we have in the European Union," European Commission President Ursula von der Leyen said during a trip to the Czech Republic. 

The Israeli spyware von der Leyen is referring to is called “Pegasus”, and it comes from NSO Group Technologies -- the same cybersecurity intelligence agency that was accused of hacking WhatsApp and installing spyware on users’ phones. Pegasus is especially dangerous because it can allegedly infect phones without a user ever having to click on something.

According to reports, an investigation of the hacked phone numbers revealed that journalists from Al Jazeera, CNN, The Financial Times, the Associated Press, The New York Times, The Wall Street Journal, Bloomberg News, and French newspaper Le Monde were targeted. Amnesty International says potential surveillance targets have also included heads of state, activists, and journalists, including Jamal Khashoggi’s family.

NSO denies involvement

In response, NSO says Forbidden Stories’ report is “full of wrong assumptions and uncorroborated theories.” While defending its own credibility, it did its best to discredit Forbidden Stories, questioning the reliability and interests of the group’s sources. 

“It seems like the ‘unidentified sources’ have supplied information that has no factual basis and are far from reality,” NSO said in a statement posted on its website.

NSO is taking the allegations seriously and says that they’re so outrageous that it's considering a defamation lawsuit. Furthermore, it claims that software like Pegasus is available to “anyone, anywhere, and anytime” and is part of the arsenal of software many governmental agencies and private companies already have in place. 

“We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts. NSO does not operate the system and has no visibility to the data,” the company stated.

“Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones. Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds.”

On Monday, the Biden Administration, along with governments in Europe and Asia, formally accused China of being behind a string of hacks and cyberattacks in recent months. 

In a coordinated announcement, the U.S. and its foreign allies accused China's Ministry of State Security of using "criminal contract hackers" to carry out malicious cyber activities with the intent of making a profit. The U.S. said China’s MSS used these contract hackers "to conduct unsanctioned cyber operations globally, including for their own personal profit."

"The United States has long been concerned about the People's Republic of China's irresponsible and destabilizing behavior in cyberspace," a senior U.S. administration official said. "Their operations include criminal activities, such as cyber-enabled extortion, crypto-jacking, and theft from victims around the world for financial gain.” 

Large ransom requests

Specifically, the governments blamed China for the hack of Microsoft’s Exchange email server software, which compromised tens of thousands of computers across the globe and gave hackers access to large amounts of sensitive data. 

E.U. policy chief Josep Borrell said in a statement that the hacking was "conducted from the territory of China for the purpose of intellectual property theft and espionage." U.K. Foreign Secretary Dominic Raab said China's actions represent "a reckless but familiar pattern of behavior” and that the Chinese government “must end this systematic cyber sabotage and can expect to be held account if it does not.” 

The U.S. official said China was also behind a ransomware attack against a U.S. target that involved a "large ransom request.” Ransom demands from China have been in the “millions of dollars,” the official added.

No sanctions announced

No punishments against China have been announced, but the U.S. said it has “raised its concerns” with Beijing. 

"The first important piece is the publicly calling out the pattern of irresponsible malicious cyber activity, and doing it with allies and partners,” the official said, adding that the U.S. is "not ruling out further actions to hold (China) accountable."

Separately, four Chinese nationals and residents of China were indicted Monday over "a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018."

What would our lives be like if Facebook, Twitter, TikTok, and Instagram had never come on the scene? How much time have we given away to our devices that we’ll never get back? How much of our personal data -- where we live, who our friends are, what we eat and drink, what teams we root for, and where we work -- have we given away to data collectors and hackers?

In a new survey from Grand Canyon University, 1,162 people were asked about their opinions on social media data privacy and confessed that while social media often brings them together, it also has some negative side effects. 

The findings

The respondents were asked to assess how safe they feel their data is on social media sites, which social media platforms they trust most and least, and how far they’ve gone to make sure their accounts are secure. 

Some of the more interesting insights included:

Have you been hacked? Close to one-third (32%) of the respondents admitted that they have had their data hacked on a social media site. Who’s the biggest culprit? Facebook, which has been hacked or had its users' data exploited more times than it probably wishes to count.

Have you deleted a social media account because of social media concerns? Here’s where things start to get a bit unnerving. Almost half (48%) of the people surveyed say they’ve deleted a social media account due to privacy concerns.

“With such high rates of deletion for privacy concerns, it is clear that customer privacy and online safety should be a top priority for social media companies who make more money from high numbers of active users,” the researchers said. “For many individuals, the question of whether companies will actually work to improve privacy is very important.”

Do you trust social media? When asked whether they trust social media, it was an even 50/50 split. Half of the respondents said they trust social media (50.3%), while the other half (49.7%) said they don’t. 

Which platforms do you trust the most? The survey takers asked respondents to plot out how much trust they put in social media platforms on a scale of 1-10. While many may not think of YouTube as a standard social media platform, it topped the list with a rating of 6.1. That was followed by Twitter with a score of 5.7. TikTok -- which has been hit by hackers and lawmakers alike -- earned the lowest average trust rating of only 4.3. 

What are you doing to protect yourself on social media? The two most common approaches (59%) that respondents use to stay safe are only connecting with people they know and manually reviewing social media platforms’ privacy settings. Where most social media users leave themselves vulnerable is staying logged into an account after they’ve used it (65%) and not employing unique passwords for social media accounts (55%).

There seems to be no end in sight when it comes to identity theft. The Identity Theft Resource Center (ITRC), a nonprofit organization established to support victims of identity crime, has just released its U.S. data breach findings for the first half of 2021. If what the organization found is true, it’s troubling to say the least -- particularly for businesses.

According to the data breach analysis, publicly reported data breaches shot up by 38% in the second quarter of 2021 alone. Fortunately, the number of individuals impacted -- 52.8 million -- dropped by 20% from the first quarter to the second quarter. 

“The lesson here for businesses is that no organization is too small to be attacked – directly or indirectly in a supply chain attack – and cybercriminals are increasingly organized and strategic in who they attack and what information they want to steal,” James E. Lee, COO of the ITRC, told ConsumerAffairs.

If things continue at the same rate for the rest of the year, the increase in data breaches in 2021 will end with a record-setting number of compromises, exceeding the current all-time record of 1,632 set in 2017. However, the silver lining to that cloud is that the number of people impacted by data compromises would be the lowest since 2014.

Businesses need to do more to protect their customers’ data

Most identity theft cases can be chalked up to phishing attacks, ransomware attacks, and supply chain attacks. While those attacks have created problems for businesses and continue to increase, consumers still need to be concerned even if they’re not being directly targeted. 

“The effects of these hacks will trickle down and have far-reaching consequences for individuals; disruption when it comes to accessing services, a potential increase in the cost of goods as companies increase prices to foot ransom bills, and the likelihood that customer data will be exploited,” Madeleine Hodson, Chief Editor of PrivacySharks, told ConsumerAffairs.

James E. Lee, Chief Operating Officer of the ITRC, agreed with Hodson, saying that businesses need to step up for the sake of their customers’ security. 

“While we are happy that the number of individuals impacted is down, the risk of an identity crime still exists and has real consequences. Businesses need to take actions to make sure they are not collecting too much information since cybercriminals cannot take what organizations do not have,” he told ConsumerAffairs. 

“There is nothing a consumer can do to prevent a data breach, that’s why good cyber-hygiene practices like multifactor authentication and strong, unique passphrases are essential.” 

A group of hackers with ties to the Russian government breached the computer systems of the Republican National Committee (RNC) last week, Bloomberg reported. The hackers are allegedly affiliated with the group Cozy Bear and carried out an attack on Synnex, a company that provides IT services for the RNC.

"Over the weekend, we were informed that Synnex, a third party provider, had been breached. We immediately blocked all access from Synnex accounts to our cloud environment,” RNC chief of staff Richard Walters said in a statement. "Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed.”

Synnex put out a statement of its own on July 6 saying that it is “aware of a few instances where outside actors have attempted to gain access, through Synnex, to customer applications within the Microsoft cloud environment.” The company also said it’s continuing to review the attack in collaboration with Microsoft and a security firm. 

Cyberattack efforts ‘almost certainly’ ongoing

This isn’t the first time that members of Cozy Bear have been accused of working with Russian foreign intelligence to target U.S. government organizations. In 2016, the hacker group was accused of breaching the Democratic National Committee. It has also been accused of carrying out a cyberattack against SolarWinds -- a breach that affected nine government agencies. 

The latest breach comes on the heels of a series of ransomware attacks in the U.S. In the last year, Colonial Pipeline, insurance provider CNA, and IT software provider Kaseya have been targeted by these attacks. 

In a report published Thursday, intelligence agencies from the U.S. and U.K. said Russian military hackers have attempted to access the computer networks of "hundreds of government and private sector targets worldwide" between mid-2019 and early 2021. The agencies warned that those "efforts are almost certainly still ongoing."

Microsoft has issued a security patch for the so-called PrintNightmare flaw, which affects the Print Spooler feature that runs by default on Windows. 

The tech giant confirmed the vulnerability last week after security researchers at Sangfor accidentally sent out the proof-of-concept (PoC) exploit code. In doing so, the researchers effectively enabled bad actors to engage in remote execution code attacks to gain system-level privileges. 

Microsoft has now issued out-of-band security updates to fix the flaw, which has been given the number CVE-2021-34527 and been deemed “critical” in nature.

The company is issuing updates for Windows 10, Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, and Windows RT. In yet another indication that Microsoft sees the flaw as a major problem, a patch is also being issued for Windows 7 -- an operating system that Microsoft stopped supporting last year.

“We recommend that you install these updates immediately,” says Microsoft. “The security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’, documented in CVE-2021-34527.”

Security updates for Windows Server 2012, Windows Server 2016, and Windows 10 Version 1607 “will be released soon,” Microsoft said. 

While many consumers were celebrating the Fourth of July, a ring of international hackers were celebrating for an entirely different reason. Over the holiday weekend, the cybercrooks locked up more than a million individual computer devices and were demanding $70 million in bitcoin as a ransom.

The hackers have been identified as REvil, the Russian group known for hacking meat supplier JBS earlier this year. This time around, REvil compromised Kaseya Limited, a U.S. software company that develops IT management software. 

The hack affected many of Kaseya’s customers, including the Swedish grocery store chain Coop. It forced the company to close more than half of its 800 stores and rendered the retailer’s cash registers and self-service checkouts inoperable.

Hackers upping their game

Cybersecurity analysts worry that REvil has pushed the limits of hacking further than experts are equipped to handle. Some of Kaseya's customers are firms that oversee internet services for other companies, so REvil was able to snowball the number of victims rapidly. 

While many hack attacks try to tie up a single, standalone company, REvil was able to isolate each computer in Kaseya’s list of customers and ransom it separately. Reports say that REvil’s initial ransom request was for $45,000 to unlock each individual device.

On its face, Kaseya’s situation sounds dire. However, the company said things aren’t as bad as they seem.

“While impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure,” said Fred Voccola, the company’s CEO. “Many of Kaseya’s customers are managed service providers, using Kaseya’s technology to manage IT infrastructure for local and small businesses with less than 30 employees, such as dentists’ offices, small accounting offices and local restaurants.”

Added up, Voccola said only 800 to 1,500 of Kaseya’s customers were compromised by the hack out of an estimated 800,000 to 1,000,000 local and small businesses it manages. Nonetheless, Voccola said his company’s global teams were working around the clock to get our customers back up and running. 

“We understand that every second they are shut down, it impacts their livelihood, which is why we’re working feverishly to get this resolved,” he said.

President Biden offers “full resources” to hacked victims

Shortly after REvil’s attack was set in motion, the U.S. government stepped in to help. Over the weekend, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) worked with Kaseya to offer some assistance to the victims of the hack. 

President Biden said he was offering the “full resources'' that he has at his disposal to assist in the response. As part of the effort, FBI and CISA officials created a detection tool for small businesses that uses Kaseya’s platform to analyze their computer systems and determine whether any indicators of a hack are present.

Remember that LinkedIn breach that put 700 million user records at risk? That number has now risen to a billion records that include the personal information of LinkedIn users.

The hacker, whoever they are, is having quite a field day. They have just updated their personal data trove with email addresses and passwords on top of other scraped personal information from LinkedIn users.

In reporting the new finding, PrivacySharks said it reached out to LinkedIn for verification. The firm received this official statement from Leonna Spilman, a corporate communications manager at LinkedIn:

“While we’re still investigating this issue, our initial analysis indicates that the dataset includes information scraped from LinkedIn as well as information obtained from other sources. This was not a LinkedIn data breach, and our investigation has determined that no private LinkedIn member data was exposed. Scraping data from LinkedIn is a violation of our Terms of Service, and we are constantly working to ensure our members’ privacy is protected.”

A review of what’s been hacked

PrivacySharks said its investigation turned up evidence that the files now contain the following 14 pieces of personal data:

• Names (first and last)

• Email addresses

• Street addresses

• Cities

• States

• Zip Codes

• Phone numbers

• Websites

• LinkedIn profiles

• Company names

• Job titles

• Fax numbers

• Email and password combinations

• LinkedIn connections

Given that the person behind the update is the same one linked to the original breach, most of the data is probably the same as what was exposed previously. 

What should LinkedIn members do?

Putting personal information on a site like LinkedIn was problematic for many users before details of this breach were publicized. One ConsumerAffairs reviewer named Lisa summed up her thoughts quite nicely.

“I personally do not like the idea of posting a resume for everyone to see when there are so many safety issues and Internet hackers out there,” she said.

If all that’s been reported is accurate, then LinkedIn users are up against a high wall when it comes to protecting their personal data -- and the platform has to be nervous about the potential fallout.

“From a consumer's point of view, I think the fact that this is the third LinkedIn data leak in a few months will be extremely unsettling for users,” Madeleine Hodson, Chief Editor at PrivacySharks told ConsumerAffairs. “Since passwords have been included in this recent leak (although not yet confirmed to be from LinkedIn accounts) it will cause concern and lead users to question the strength of LinkedIn's security measures.”

Researchers have found that the Peloton Bike+ had a flaw that rendered it vulnerable to being remotely hacked. The product isn’t yet commercially available, but researchers said the flaw would enable hackers to spy on riders -- and even their surroundings -- in public spaces such as a hotel or a gym. 

Software security company McAfee said the flaw in the stationary bike stemmed from the Android attachment that accompanies it. Researchers said attackers could access the bike through the port and install phony versions of popular apps like Netflix and Spotify. The fake apps could then be used to dupe users into entering their personal information. 

"The flaw was that Peloton actually failed to validate that the operating system loaded," said Steve Povolny, head of the threat research team. "And ultimately what that means then is they can install malicious software, they can create Trojan horses and give themselves back doors into the bike, and even access the webcam.

"Not only could you spy on riders but, maybe more importantly, their surroundings, sensitive information," Povolny said.

Peloton reportedly patched the issue on June 4, and researchers said there aren’t currently any indications that the flaw has been exploited. Prior to being fixed, the report said the flaw might have left users vulnerable to being watched.

“An unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched,” the report stated.

Previous dangerous flaw

This isn’t the first time Peloton has confirmed a flaw. Last month, the company recalled all of its Tread+ and Tread treadmills over safety concerns after 70 consumers were injured and a child died after being sucked under the belt. Officials addressed the issue by updating the products’ software to require users to enter a code to restart the belt if it has been left unmoving for up to 45 seconds.

Peloton confirmed that the flaw researchers recently found on the Bike+ was also found on the recalled Peloton Tread. On its security and compliance page, the company warns that “no matter how much effort we put into system security, there can still be vulnerabilities present.”

Volkswagen has revealed that a vendor’s security oversight led to the exposure of data belonging to around 3.3 million customers and prospective buyers. The automaker said information was exposed after a supplier left the data unsecured online. 

In a customer letter, Volkwagen said most of the exposed data included names, addresses, emails, and phone numbers. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages.

Around 90,000 potential loan clients in the U.S. and Canada also had more sensitive data exposed, including driver's license numbers. Volkswagen said date of birth and social security numbers were exposed in a "small" number of cases. 

Data left unsecured for two years

The data exposed was collected between the years 2014-2019 and was left unprotected online between August 2019, and May 2021. The company didn't name the vendor responsible for the data exposure, nor did it say whether it knows if the data has been misused by scammers. Volkswagen said it has informed the appropriate authorities about the situation. 

“We take the safeguarding of your information very seriously,” the company said. “We have informed the appropriate authorities, including law enforcement and regulators. We are working with external cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor.” 

VW said in the letter that it has partnered with IDX to provide customers with free credit protection services, including monitoring, insurance reimbursement, and identity theft recovery services if any issues arise. 

Electronic Arts (EA) -- the game developer responsible for video games like Star Wars Battlefront, The SIMS, Need for Speed, Madden NFL, and Apex Legends -- has been gamed itself. According to Motherboard, EA has become the victim of a cyberattack.

Not only did hackers swipe the source code for FIFA 21 and the Frostbite engine (which is the backbone for EA’s soccer/football series as well as Battlefield), but they are reportedly advertising that the data they stole is for sale on hacking forums. Motherboard reports that the hackers will only consider offers from well-known, marquee hackers.

An EA spokesperson confirmed that while hackers stole “a limited amount of game source code and related tools,” they did not gain access to player data. The company said it is confident that the hack won’t impact other games or its business as a whole. Nonetheless, it’s putting additional security in place. 

Source code is like gold in the video game industry

Luckily for EA, the hack isn’t one of the ugly ransomware kinds that targeted JBS and the Colonial Pipeline. The developer said it’s working with law enforcement to investigate the incident.

When companies like EA lose control over their source code, things can spiral out of control. “Source code is a big deal in programming, so it’s a big deal when companies lose control over it,” remarked The Verge’s Mitchell Clark.

Clark says EA’s not alone. Recently, the gaming industry has seen similar source code thefts for Cyberpunk 2077, The Witcher 3, and Super Mario Kart. Nintendo was also involved in a “gigaleak” that led to the loss of an unreleased Zelda game.

JBS, the world’s largest meat supplier, said Wednesday that it paid $11 million in ransom in response to the cyberattack that recently shut down its North American and Australian operations.

In a statement, the company said the ransom payment was made after most of its plants had come back online. 

"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO of JBS USA, in a statement. "However, we felt this decision had to be made to prevent any potential risk for our customers."

Earlier this month, the cyberattack forced JBS to shut down some of its computer networks after an organized attack by an unidentified hacker group. The government has since attributed the ransomware attack to REvil, a criminal group believed to be based in Russia or Eastern Europe.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities,” the FBI said in a statement. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. A cyberattack on one is an attack on us all.”

No data compromised

In Wednesday’s statement, JBS said no data was leaked as a result of the attack. 

"Preliminary investigation results confirm that no company, customer or employee data was compromised," JBS said.

The JBS cyberattack was the latest in a string of ransomware attacks on operating systems. In May, the operators of the Colonial Pipeline paid roughly $4.4 million to the gain of hackers that broke into its consumer systems. 

“This decision was not made lightly,” but it was one that had to be made, a company spokesman said last month. “Tens of millions of Americans rely on Colonial – hospitals, emergency medical services, law enforcement agencies, fire departments, airports, truck drivers and the traveling public.”

When a hacker group shut down the Colonial Pipeline with a ransomware attack last month, it caused a spike in East Coast gasoline prices and resulted in the company paying a ransom in Bitcoin to regain control of its network.

The U.S. Justice Department now reports that it was able to track down the digital wallet containing 63.7 bitcoins and seize the assets. At the time the ransom was paid, the bitcoins were worth $4.4 million.

Colonial said it paid the ransom because it wasn’t sure about the extent to which its network had been compromised. But at the same time, the company was working closely with the FBI and the Department of Justice’s new digital investigations unit to help track the payment to a Russian hacker group known as Darkside.

“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa Monaco. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises.”

Seizing digital assets

Previously, it was believed that payments made to criminals and scammers using Bitcoin were untraceable and not retrievable -- a major reason that the digital currency is favored by criminal enterprises.

U.S. investigators reviewed the Bitcoin public ledger and were able to track multiple transfers and identify that approximately 63.7 Bitcoins, representing the proceeds of Colonial’s ransom payment, had been transferred to a specific address. 

The FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. Officials said the digital assets it discovered were involved in money laundering and could there be seized under criminal and civil forfeiture statutes. 

The company was a big help

Monaco said the fact that executives at Colonial Pipeline contacted the FBI immediately aided the search for the funds.

“Today’s announcements also demonstrate the value of early notification to law enforcement; we thank Colonial Pipeline for quickly notifying the FBI when they learned that they were targeted by DarkSide,” the attorney general said.

As news of the government’s seizure was announced, the value of Bitcoin plunged 8%. According to CNBC, the move may be related to the discovery that the digital currency may not be as anonymous and untraceable as people thought.

Cyberattacks have recently affected everything from meat producers to gasoline pipelines, and the potential impact of these online attacks is significant. Now, experts from the U.S. Department of Energy’s Pacific Northwest National Laboratory (PNNL) are developing new cybersecurity technology that’s designed to trick hackers and prevent serious cyberattacks. 

Experts designed a new tool called Shadow Figment, which creates a fake online world that mimics the way real online portals would respond to hackers. The system depends on software engineers who work behind the scenes to trick hackers into interacting with imaginary sites so that they can’t harm real targets. This gives time for experts to come in so they can face the threat.

“Our intention is to make interactions seem realistic, so that if someone is interacting with our decoy, we keep them involved, giving our defenders extra time to respond,” said researcher Thomas Edgar. 

Preventing cyberattacks

Electricity grids, pipelines, and water systems are all controlled by intricate online systems. A cyberattack on any one of these systems, which are often controlled by a multitude of devices, could put consumers’ health and safety at serious risk. 

With Shadow Figment, the system creates a distraction for the attacker that will interact much in the same way that the intended system is designed to respond. Using machine learning techniques, the software studies the actual system and then comes up with a harmless replica for hackers on-screen; this deceives criminals into thinking they’ve easily gotten into their desired point of attack. 

The technology is successful because it tricks the hackers into thinking their maneuvers are successful, which keeps them engaged in the “attack” for longer periods of time. The researchers gave the example of tampering with the temperature in a server room that needs to remain cool to function properly; Shadow Figment will indicate that the temperature in the room has gone up, which would prompt the hacker to continue on with their attack. 

The goal is to keep the hackers involved in the fake world so that software engineers can study their behaviors and work to prevent a serious attack. The more time the hacker spends in Shadow Figment, the more time that engineers have to work on the defense. 

“We’re buying time so the defenders can take action to stop bad things from happening,” said Edgar. “Even a few minutes is sometimes all you need to stop an attack. But Shadow Figment needs to be one piece of a broader program of cybersecurity defense. There is no one solution that is a magic bullet.” 

While there is still a patent pending for Shadow Figment, the technology is designed to benefit and protect everyone. 

“The development of Shadow Figment is yet another example of how scientists are focused on protecting the nation’s critical assets and infrastructure,” said researcher Kannan Krishnaswami. “This cybersecurity tool has far-reaching applications in government and private sectors -- from city municipalities, to utilities, to banking institutions, manufacturing, and even health providers.” 

The FBI says it knows who was behind the recent cyberattack that sidelined JBS, the world’s largest meat producer. The agency linked the deed to a notorious Russian ransomware gang and says it is working to stop the cyber bandits from doing any further harm.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities,” the agency said in a statement. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. A cyberattack on one is an attack on us all.”

REvil/Sodinokibi sits atop all other ransomware groups, with a 12.5% share of the ransomware market -- and it’s been a busy bunch too. So far this year, it claimed that it stole unencrypted data from electronics company Acer, pilfered information from the celebrity law firm that represents Lady Gaga and Madonna, and made off with plans for upcoming Apple products.

Consumers are safe… for the moment

When a business is hacked, its customer database is usually part of the theft. Take, for example, the attack on Marriott hotels that exposed the personal details of 500 million hotel guests.

While consumers used to be easy targets for ransomware groups, one cybersecurity expert says cybercriminals tend not to go after the general population as much anymore because it’s just not that lucrative to do so.

“Consumers are more trouble than they are worth,” said Dick O'Brien, principal editor at Symantec, who authored a special report on targeted ransomware. "A lot of the consumers these days do not use computers that much, and ransomware is designed to infect Windows computers—they are not in the firing line, as much as enterprise users. Enterprises are—I would not say an easier target, but there are more possibilities for a compromise with them."

Ransomware still impacts consumers

ConsumerAffairs reached out to Purandar Das, co-founder at data security platform Sotero, to find out what trickle-down effect ransomware might have on consumers.

“The recent wave of escalating cyber and ransomware attacks on organizations will and is resulting in significant impact to the consumer. Most of what is being discussed and being written about is the operational impact to the organization. What is less understood and discussed is the impact to consumers and individuals,” Das told ConsumerAffairs.

“Whether it is the Solarwinds attack or the more recent attacks on the energy pipeline and now the meat processing industry, they will and are resulting in significant impact to the consumer.” How? Das says that even in the short term of those cyberattacks, consumers faced gas shortages and price increases. 

“These are indicative of the disruption that these attacks could cause. Also of concern is the possibility of data theft in any or all of these attacks. While it is not clear, at the moment, if any data has been stolen, stolen information would increase the possibility of consumers facing increasing identify related crimes as well as their personal information being held hostage,” he said.

JBS, the world’s largest meat processor, was the target of a cyberattack over the weekend that shut down its North American and Australian operations.

The company said it was forced to shut down some of its computer networks after an organized assault by an unidentified hacker group. Officials say the attack could result in some delays in its transactions with customers.

“The company took immediate action, suspending all affected systems, notifying authorities, and activating the company's global network of IT professionals and third-party experts to resolve the situation,” JBS said in a statement. “The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.”

The attack is the second on a major industry in less than a month. In May, a Russia-based hacker group shut down the Colonial pipeline carrying gasoline from the Gulf Coast to the Southeast and Mid-Atlantic states, resulting in fuel shortages and higher prices.

The latest attack could affect consumers at the supermarket. Because of JBS’s global scale, industry analysts say a shutdown that extends longer than a week could have an impact on the global supply chain. Plants in Canada and Australia ship meat around the world, Including to U.S. wholesalers.

Previous supply chain issues

The industry has only recently recovered from severe supply chain issues that arose during the coronavirus (COVID-19) pandemic. Outbreaks of the virus forced some U.S. meat processing plants to close temporarily. There was also a shortage of truck drivers to deliver the products to stores.

According to Bloomberg, the attack caused plants to cancel two shifts and stop processing operations at one of its Canadian plants. The report cites a union statement that operations have been affected at some U.S. facilities.

Two weeks ago, Microsoft issued a warning that cyber attacks were increasing and were becoming more dangerous. The company said the latest threat is malware that is delivered by email in the form of a PDF attachment.

The Biden administration has announced that it will require the nation’s leading pipeline companies to disclose any significant cyberattacks to the government. 

Companies aren’t currently required to report cyberattacks, meaning experts don’t have a clear picture of how vulnerable the industry is to hackers. Earlier this month, the repercussions of a cyberattack on a pipeline were on full display after the Colonial Pipeline was hit by one. The incident led to panic and fuel shortages across nearly half of the East Coast. 

Alejandros N. Mayorkas, the secretary of homeland security, said Thursday morning that the Colonial Pipeline case showed “that the cybersecurity of pipeline systems is critical to our homeland security.” 

"Ransomware, which is primarily criminal and profit-driven, can rise to the level of posing a national security risk and disrupt national critical functions," he said. 

New security directive

In addition to requiring major pipeline companies to report cyberattacks, the Biden administration’s new directive calls for the creation of 24-hour emergency centers focused on heading off these threats if they do occur. 

A cybersecurity coordinator will be designated to coordinate with both the Transportation Security Administration (TSA) -- which was tasked with controlling pipeline security post-September 11, 2001 -- and the Cybersecurity and Infrastructure Security Agency (CISA) in the event of a cyber attack. The New York Times noted that it’s unclear “what that employee would be empowered to do other than raise an alarm.” 

The order also requires pipeline companies to “identify any gaps and related remediation measures to address cyber-related risks” and report them to the TSA and CISA within the next 30 days. 

Homeland Security officials added that they will “continue to work closely with our private-sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Microsoft is alerting users about a huge malware campaign that can steal data and stage fake ransomware attacks.

The malware tries to lure recipients into opening what appear to be PDF attachments in email blasts. But when victims click on those attachments, they wind up downloading a malware variant called StrRAT.

Microsoft’s Security Intelligence Team tweeted that StrRAT’s job is to confuse a computer’s operating system and gain access to browser passwords, log keystrokes, and run remote commands. 

Running remote commands can be quite the plaything for a hacker. It allows them to run willy-nilly through a user’s computer, harvesting sensitive information that can range from email credentials to data stored in internet browsers.

The attack sequence to watch out for

In following the malware’s trails, Threatpost was able to determine what the malware’s attack sequence is. It plays out like this:

To start, attackers have been known to use compromised email accounts to send several different emails. To date, the messages disguise the sender as someone who is a supplier or has something to do with the payment of goods or services. Some of the messages use the subject line “Outgoing Payments.” Others refer to specific payments supposedly made by the “Accounts Payable Department.” Still others say “your payment has been released as per attached payment advice” and asks the recipient to verify adjustments made in the attached PDF.

That PDF -- if clicked -- is where the trouble starts. The malware is downloaded to the user’s computer and the hackers are off to the races gathering all the data they can mine. While extortion is not the primary idea behind the attack, reports are circulating that the hackers may also try to make a quick buck off users by disguising their attack as a form of ransomware.

Guarding against the attack

Microsoft says its Microsoft 365 Defender delivers “coordinated defense against this threat” and can protect users against malicious emails after they’re detected.

The company’s Security Intelligence Team has also published what it knows on GitHub so others who deal with computer security can identify indicators of malicious behaviors related to StrRAT before they do any damage.

Microsoft has announced that it will officially end support for its Internet Explorer browser next June. The company is encouraging users to switch to its newer browser, Microsoft Edge. 

In a blog post on Wednesday, Microsoft highlighted the myriad benefits of transitioning to Microsoft Edge. Those benefits include enhanced security, speed, and compatibility with a greater range of websites. 

"The future of Internet Explorer on Windows 10 is in Microsoft Edge," the company said. "Not only is Microsoft Edge a faster, more secure and more modern browsing experience than Internet Explorer, but it is also able to address a key concern: compatibility for older, legacy websites and applications."

The tech giant noted that Microsoft Edge has Internet Explorer mode (“IE mode”) built in, so users will still be able to access Explorer-based websites and apps from the newer browser. That said, Microsoft said it’s officially pulling the browser out of service next summer. 

“With Microsoft Edge capable of assuming this responsibility and more, the Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022, for certain versions of Windows 10,” the company wrote. 

Upgrading is easy

Microsoft has been moving closer to making this announcement for some time. Last year, Microsoft said its Microsoft 365 apps suite would no longer support Internet Explorer 11 as of August 17, 2021. The company touted the various benefits of switching to Edge and said users would “get the most out of Microsoft 365” by switching to its newer browser. 

The company said it’s committed to helping make the transition to Edge “as smooth as possible.” In its Wednesday blog post, Microsoft said users will find that it’s easy to move all of their passwords and data over to the new browser.  

“We’ve also aimed to make the upgrade to Microsoft Edge simple. Once you’ve opted in to moving to Microsoft Edge, it’s easy to bring over your passwords, favorites and other browsing data from Internet Explorer in a few clicks,” the company said. “And if you run into a site that needs Internet Explorer to open, Microsoft Edge has Internet Explorer mode built-in so you can still access it.”

Researchers from cybersecurity security firm Check Point Research have found that a number of Android apps had “misconfigurations” on cloud services, leaving user data belonging to more than 100 million users vulnerable to a variety of attacks. 

In a report published Thursday, Check Point said it recently discovered that the developers behind nearly two dozen mobile apps didn’t configure their real-time database properly. 

“Real-time database allows application developers to store data on the cloud, making sure it is synched in real-time to every connected client,” Check Point explained. 

In the last few months, the team said many application developers have “put their data and users’ data at risk” by failing to ensure that authentication mechanisms were in place.

“By not following best practices when configuring and integrating 3rd party cloud services into applications, millions of users’ private data was exposed,” the team wrote. “In some cases, this type of misuse only affects the users, however, the developers were also left vulnerable. The misconfiguration put users’ personal data and developer’s internal resources, such as access to update mechanisms and storage at risk.” 

23 apps examined

The researchers said the 23 Android apps they examined -- which included a taxi app with over 50,000 installs, a logo maker, a screen recorder with over 10 million downloads, a fax service, and astrology software, among others -- contained a variety of security shortcomings. 

Check Point said the apps were leaking data that included email records, chat messages, location information, user IDs, passwords, and images. Thirteen of the apps left sensitive data publicly available in unsecured cloud setups. 

In the case of the Angolan taxi app “T’Leva,” the researchers found that they were able to obtain user data, including messages exchanged with drivers, riders’ full names, phone numbers, and destination and pickup locations.  

‘Disturbing reality’

Aviran Hazum, Check Point's manager of mobile research, said the study "sheds light on a disturbing reality where application developers place not only their data, but their private users' data at risk."

When app developers fail to follow the “best practices” when configuring and integrating third party cloud services, the researchers said it could potentially leave users vulnerable to several types of cybersecurity threats. 

"This misconfiguration of real-time databases is not new, but [..] the scope of the issue is still far too broad and affects millions of users," the researchers said. "If a malicious actor gains access to this data it could potentially result in service-swipe (trying to use the same username-password combination on other services), fraud, and identity theft."

The firm said it informed the app developers of the vulnerabilities, and a few have since changed their configuration.

DarkSide, the hacker group behind the temporary shutdown of the Colonial Pipeline, received just over $90 million in bitcoin ransom payments from victims, according to new research. 

Earlier this month, the Colonial Pipeline -- a 5,500-mile pipeline that supplies fuel to the East Coast of the U.S. -- was hit by a cyberattack, causing a system outage. The attack led to a shortage in fuel supplies, which led to crowds at gas stations and higher gas prices.

In a blog post, London-based blockchain analytics firm Elliptic said it identified the Bitcoin wallet used by the cybercriminals to collect ransom payments from victims. 

“In total, just over $90 million in Bitcoin ransom payments were made to DarkSide, originating from 47 distinct wallets,” Elliptic said. “According to DarkTracer, 99 organisations have been infected with the DarkSide malware - suggesting that approximately 47% of victims paid a ransom, and that the average payment was $1.9 million.” 

Colonial reportedly paid the Eastern European criminal gang $5 million. 

‘Ransomware as a service’ business model

Last Monday, DarkSide issued a statement saying it didn’t intend to cause a disruption in the movement of fuel supplies. It operates a “ransomware as a service” business, meaning it developed the software used by the criminals that carried out the attack.

“We are apolitical, we do not participate in geopolitics,” the group said in the statement.

Nonetheless, security researchers said DarkSide and its affiliates netted at least $90 million in bitcoin ransom payments over the past nine months. The funds were extracted from 47 victims. 

Elliptic said the average payment from organizations was around $1.9 million. Of the $90 million total figure, $15.5 million went to DarkSide’s developer and $74.7 million went to its affiliates. A majority of the funds are being sent to crypto exchanges where they can be swapped for other cryptocurrency assets or fiat money. 

“To our knowledge, this analysis includes all payments made to DarkSide, however further transactions may yet be uncovered, and the figures here should be considered a lower bound,” said Tom Robinson Elliptic’s co-founder and chief scientist.

President Biden has signed a new executive order that he hopes will improve cybersecurity for Americans and protect federal government networks from attacks like the recent Colonial Pipeline incident. 

Biden said malicious cyber activities -- like network hacks, phishing, and data thefts -- have gone too far and that the U.S. cyber defense systems are insufficient, making both the public and private sectors more vulnerable to incidents. 

“These incidents share a few things in common. First, a laissez-faire attitude towards cybersecurity,” commented a senior White House official in announcing the order. “For too long, we failed to take the necessary steps to modernize our cybersecurity defenses because doing so takes time, effort, and money. And instead, we’ve accepted that we’ll move from one incident response to the next. And we simply cannot let ‘waiting for the next incident to happen’ to be the status quo under which we operate.”

Starting at the top 

The Colonial Pipeline incident wasn’t pegged as the breaking point that created the new order. It -- along with the SolarWinds and Microsoft Exchange incidents -- proved that U.S. cybersecurity was in a world of hurt. To prevent skirmishes like that in the future, the White House’s goals will start at the top of the digital food chain with the intent of creating a “zero-trust environment.” 

Internet service providers, network security systems, and other top-level segments are being asked to deploy measures like multi-factor authentication, encryption, endpoint detection response, and logging to keep bad actors at bay. They’re also being asked to share their attacks with their peers so an all-for-one, one-for-all community can be nurtured. The second layer of the Biden administration’s plan deals with improving the security of commercial software by establishing baseline security requirements based on industry best practices. 

“We wouldn’t build a building in an earthquake-prone zone without building standards,” the White House official said. “And we need standards for how we build software securely.”

Tighter controls on software development

To that end, the U.S. is kickstarting a pilot program to create an “energy star” type of label so the government – and the public at large – can quickly determine whether software was developed securely. 

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road,” the White House said in a statement.

However, the official warned that this move alone isn’t the answer. “This will be the first of many ambitious steps the public and private sector must and will take together to safeguard our economy, security, and the services on which the American way of life relies,” they said.

Gas prices could move higher, at least temporarily, after a major pipeline supplying fuel to the East Coast of the U.S. was closed over the weekend due to a cyberattack.

The Colonial Pipeline, which stretches from the Gulf Coast to New Jersey and moves millions of gallons of fuel, had to be shut down when hackers launched a ransomware attack against the company that operates it. 

The company said it has not yet been able to uncover any evidence that the attackers were able to penetrate the pipeline’s vital systems. The company shut down the pipeline out of an abundance of caution.

“In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations and affected some of our IT systems,” Colonial said in a statement. 

FBI investigating

The company said it acted immediately to engage a cybersecurity firm to investigate. At the same time, it notified the FBI. A spokesman for the agency told the Wall Street Journal that the agency is working closely with Colonial to make sure its systems remain secure from attack.

“Colonial Pipeline is taking steps to understand and resolve this issue,” the company said. “At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation. This process is already underway, and we are working diligently to address this matter and to minimize disruption to our customers and those who rely on Colonial Pipeline.”

But closing the 5,500 mile-long pipeline has cut off a major artery of fuel across the Southeast and up the Atlantic Coast. Depending on how long the shutdown continues, fuel supplies could begin running low and prices could begin to rise. 

Advice for consumers

Patrick DeHaan, head of petroleum analysis at GasBuddy, advised motorists served by the pipeline on Sunday not to panic.

“Rushing out and filling your tank will make the problem much much more acute and likely double or triple the length of any supply event if it comes to that,” he tweeted.

The Colonial Pipeline moves 100 million gallons of gasoline, diesel fuel, and other products each day, so a lengthy shutdown would be noticeable at the gas pump in a highly populated area of the country. The company noted that it moves nearly half the region’s fuel on a daily basis.

In 2017, Hurricane Harvey forced a shutdown of the Colonial Pipeline, resulting in a temporary price surge at the gas pump. Months earlier, Colonial suffered a break in its Line 1 in Georgia, interrupting fuel supplies to the East Coast. It resulted not only in rising prices but caused lines at gas stations in Tennessee when some stations' tanks ran dry. It took several weeks for prices to return to normal.

Security researchers have discovered that Dell has been pushing a firmware update for the last 12 years that contains “five high severity flaws.” Experts at SentinelLABS say those flaws impact hundreds of millions of Dell desktops, laptops, notebooks, and tablets.

Although the vulnerabilities could allow hackers to exploit Dell computers and do further damage, SentinelLABS says it has not discovered evidence of any “in-the-wild abuse.” 

As for owners of non-Dell computers, there’s good news: this specific vulnerability affects only Dell-specific systems.

Dell steps up to fix the issue

Even though SentinelLABS hasn’t uncovered any widespread abuse, Dell isn’t taking any chances. Just to make sure nothing goes wrong, the company has sent a security update to its customers to address the exposure. It recommends that every Dell computer owner apply the patch as soon as possible.

Dell warns owners that a hacker could use phishing techniques to gain access to their computer if it is left unpatched. “To help protect yourself from malicious actors, never agree to give remote control to your computer to any unsolicited contact (such as from an email or phone call) to fix an issue,” the company advises.

SentinelLabs also says customers should not waste time installing the patch. “It is inevitable that attackers will seek out those that do not take the appropriate action. Our reason for publishing this research is to not only help our customers but also the community to understand the risk and to take action,” said SentinelLABS’ Kasif Dekel.

Verizon is bidding farewell to its media group, home to digital brands AOL and Yahoo. The company is selling the unit to a private equity firm.

In a $5 billion deal, Apollo Global Management will be the new parent company of Verizon Media -- a deal that comes preloaded with 900 million monthly active users worldwide. Among the more well-known consumer-side companies Apollo has an investment in are the home security service ADT, movie rental company Redbox, photo service company Shutterfly, and online education provider University of Phoenix.

Verizon Media has been a heavy burden for the company, taking four years for it to show year-over-year growth since the wireless titan acquired Yahoo for $4.48 billion. The company is not getting out of the digital media business altogether, rather just shifting gears with an emphasis on its internet-provider businesses. As part of the deal, Verizon is holding on to a 10% ownership stake just in case there’s a seismic shift back to digital media down the line.

Value in Yahoo’s name

Yahoo -- the once golden child of internet search -- has been left to pick up breadcrumbs left by Google for the last decade. However, out of the three major search engines -- Google, Bing, and Yahoo -- only Google and Yahoo were turning a profit as of mid-2020. 

Apollo was happy to take Yahoo off Verizon’s hands, especially for the advertising revenue it brings. When the COVID-19 forced people indoors and online, Yahoo experienced quite a leap in shopping and services. Yahoo Mail-based commerce grew seven times what it was in 2019 and the company’s overall revenue jumped 187%, led by triple digit spurts by Yahoo Finance Premium and Extra Crunch Premium, its weekly event series connecting company founders with tech leaders. 

The Yahoo News niche is also of particular value to Apollo as it continues to evolve -- especially with Generation Z. Recently, it claimed the slot of the fastest growing news organization on TikTok. 

“We are big believers in the growth prospects of Yahoo and the macro tailwinds driving growth in digital media, advertising technology and consumer internet platforms,” said David Sambur, Senior Partner and Co-Head of Private Equity at Apollo. “Apollo has a long track record of investing in technology and media companies and we look forward to drawing on that experience to help Yahoo continue to thrive.” 

A new strain of password-stealing Android malware is infecting consumers’ devices around the world. Mobile network operators and security researchers worldwide have sent up a flare about a text message scam infecting users with Flubot, a malicious piece of spyware. 

Flubot is able to spy on consumers and access contact details once it infiltrates a user’s phone system. It can even go on a text message spree that will send out more malicious messages to further spread the spyware.

How Flubot works

The way Flubot appears on a user’s phone is pretty innocuous -- a text message simply pops up claiming to be from a delivery company. Within that message, users are prompted to click on a link to track their supposed package. However, once that link is clicked, Flubot takes over and installs more phishing malware on the device.

Britain’s National Security Cyber Centre reports that the malicious messages have claimed to be from DHL so far, but researchers warn that other delivery companies can easily be cited for the purposes of the scheme. The organization also reports that Apple device users are not currently at risk, but it’s possible the scam text messages might still redirect them to a website that may steal their personal information.

Protecting yourself against Flubot

Dealing with malware is a hassle that nobody wants, so it’s important that everyone is aware of what to look out for when it comes to these scams. If you receive a text message from a company that you don’t normally do business with or someone you don’t frequently get text messages from, that should immediately raise red flags.  

If you receive one of these suspicious messages, this is what you should do:

1. Do not click the link in the message, and do not install any apps if prompted.

2. Forward the message to 7726 (SPAM), a free spam reporting service endorsed by the Federal Trade Commission (FTC) and offered by telephone companies.

3. Delete the message.

4. In situations in which you were actually expecting a DHL delivery, it’s recommended that you visit the official DHL website to track your delivery. Make sure that you do not use the link in the scam text message.

All is not lost if you have already clicked the link to download the application, but you are going to have to do a system reset and wipe your device clean. One important thing: Do not enter your phone’s password or log into any accounts until you have done all the steps.

1. Perform a factory reset. The process for a reset on an Apple device is here; for Android devices, follow the steps posted here. Sadly, you will lose the data on your phone if you don’t have a backup installed for your device.

2. Once you set up the device after the reset, you might be asked if you want to restore it from a backup. Make sure that you are not restoring to a version of your phone that came after you downloaded the malicious app because that backup will also be infected.

Two final suggestions: take preventive measures if you haven’t been hit by Flubot. Back up your device and only install apps from your device’s “official” app store like Apple’s App Store and Google’s Play Store. An additional suggestion for Android users is to make sure Google’s Play Protect is enabled on your device. Every additional layer of protection is worth the effort when fighting against malware and spyware.

You should also investigate steps the FTC suggests as possible ways to protect your phone from malware and spyware. Those suggestions are available here.

Geico suffered a data breach earlier this year that led to customers’ driver’s license numbers being exposed for more than a month. 

In a data breach notice, the motor vehicle insurer said it fixed the security issue immediately after becoming aware of it. However, there’s still some risk that fraudsters could apply for unemployment benefits using the stolen data.

“We recently determined that between January 21, 2021 and March 1, 2021, fraudsters used information about you – which they acquired elsewhere – to obtain unauthorized access to your driver’s license number through the online sales system on our website,” the company wrote in the breach notice. “We have reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Security enhancements 

Geico said the hackers behind the breach used personal information about Geico customers that they pilfered from other places in order to gain access to Geico’s sales system and steal the driver’s license numbers. 

“As soon as GEICO became aware of the issue, we secured the affected website and worked to identify the root cause of the incident. While we regularly maintain high security and privacy standards, we have also implemented—and continue to implement—additional security enhancements to help prevent future fraud and illegal activities on our website,” the notice said.

The company said it isn’t sure how many customers were affected by the breach or if the scope of the incident extends beyond California. Customers with security concerns can get a one-year subscription to IdentityForce -- an identity-theft protection service. The insurance company is also encouraging its customers to vigilantly look at account statements and credit reports to ensure that there is no unauthorized activity. 

“If you receive any mailings from your state’s unemployment agency/department, please review them carefully and contact that agency/department if there is any chance fraud is being committed,” Sheila King, a manager for data privacy at Geico, wrote in the breach notice. 

In an effort to mitigate the threat of the Hafnium hack, the FBI has been cleared to use the hackers’ own tools to remotely delete infections on people’s computers. 

Last month, security researchers began sounding the alarm about a hack being carried out by a Chinese espionage group known as “Hafnium.” The hack involved the exploitation of multiple zero-day vulnerabilities, and it affected tens of thousands of Microsoft Exchange Servers around the world. 

While Microsoft did eventually address the issue in the form of detection tools and patches, the threat of the hack has lingered. Now, the Justice Department has disclosed that a Texas court granted the FBI approval to utilize a number of remaining backdoors to remotely delete Hafnium infections. 

“Today’s court-authorized removal of the malicious web shells demonstrates the Department’s commitment to disrupt hacking activity using all of our legal tools, not just prosecutions,” reads a statement from Assistant Attorney General John C. Demers, with the Justice Department’s National Security Division.

Operation successful

The Department said the operation was successful, but further action will be required to fully patch the vulnerabilities. 

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),” the U.S. Justice Department stated. 

Under the operation, experts “did not patch any Microsoft Exchange Server zero-day vulnerabilities or search for or remove any additional malware or hacking tools that hacking groups may have placed on victim networks by exploiting the web shells.” 

The Justice Department said it “strongly encourages network defenders to review Microsoft’s remediation guidance and the March 10 Joint Advisory for further guidance on detection and patching.” 

It seems like only yesterday that 533 million Facebook accounts were compromised by malicious actors. But the hacking world never sleeps, and personal information from hundreds of millions of LinkedIn accounts is now reportedly being offered on an online forum.

Cyber News reports that an archive of 500 million LinkedIn profiles was posted to a hacking forum, with the cyber thieves disclosing details of 2 million accounts to prove they have the goods. The leaked details were supposedly scraped from the site and include users’ full names, email addresses, phone numbers, workplace information, and other data.

For its part, LinkedIn says this incident was not technically a “LinkedIn data breach” because the information was “actually an aggregation of data from a number of websites and companies.” This likely means that the data collected by the hacker was information that was already viewable on the site. LinkedIn says it believes no private member account information was included.

How does this affect consumers?

There are a few different ways the information in this breach could be used for nefarious purposes. First, and perhaps most directly, any entity that buys the data from the hacking source could send spam messages to the email addresses and spam calls to phone numbers. 

While this might be annoying enough on its own, the collected data could also be used for phishing attacks. These scam attempts would be especially dangerous because consumers’ personal information could be used to make them more believable. Cyber News notes that hackers could also combine the information they collected from this leak with information from other data breaches to compromise accounts. 

Consumers should consider implementing several standard cybersecurity practices to protect themselves and their online accounts. This includes resetting email and account passwords, reviewing what information they’re making available on social media and other websites, and enabling two-factor authentication on all online accounts. 

You can learn more about how to protect your online information by reading ConsumerAffairs’ guide on how to prevent identity theft.

A hack of 533,000,000 global Facebook users that went up for sale on messaging app Telegram in January has now spiraled out of control. 

Over the weekend, security researcher Alon Gal tweeted out that every single one of those half-billion Facebook records were just leaked for free. “This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” Gal wrote.

Telephone numbers were just the top layer of what was stolen. Gal detailed that a person’s Facebook ID, full name, location, past location, birthdate, email address, account creation date, relationship status, and bio were also possibly purloined. Users from 106 countries are affected, including 32 million people in the U.S.

“Bad actors will certainly use the information for social engineering, scamming, hacking and marketing,” Gal said.

As of mid-morning on Monday, neither Facebook CEO Mark Zuckerberg, Facebook Security, or Facebook’s Privacy blog had acknowledged the issue. 

Brace yourself for more

When ConsumerAffairs reached out for comment from Daniel Markuson, a digital privacy expert at NordVPN, he said that people should buckle up for a large wave of personalized phishing or social engineering attacks. In a hacker’s way of thinking, why not? There’s no monetary risk since the personal data was free. “It means that anyone with shady intentions was able to get their hands on it,” Markuson said.

“This leak raises huge concerns, especially now. Cybercriminals exploit fears or feed on the need for urgency. We have already seen a surge in pandemic-related cybercrimes, and this trend continues. Now, as countries all over the world are starting to roll out vaccination programs, there is another opportunity for cybercriminals.”

Markuson said that vaccine-related searches in the U.S. have grown by 1,900 percent since January. This shows that Americans are becoming increasingly anxious to get their COVID-19 vaccine and might be an easy target for hackers. 

Protecting yourself

Protecting yourself against a phishing email or malicious message isn’t complicated, but it does take some vigilance. When ConsumerAffairs asked Markuson what advice he would give to unsuspecting people, he gave us six things to watch out for.

• Check the sender’s email address or telephone number. Don’t just trust the display name – pay attention to the email address, telephone number, and other sender credentials,” he said.

• Look for spelling mistakes, grammar mistakes, and design issues. Serious companies and institutions don’t usually send out emails with bad grammar; email design is usually lean and precise.

• Don’t click on links or download attachments. If that’s an email - hover your mouse over the link to see the destination link. Check if it looks legitimate and, especially, if it contains the “https” part to indicate a secure connection. For other types of messages, it’s generally safer to search for the website yourself.

• Consider context. Were you expecting such an email or message? If not, it is probably suspicious, especially if the offer seems too good to be true.  

• Contact the company yourself. When in doubt, contact the company or institution over the phone or by using an alternative email address to confirm if the email is legitimate.

• Report the incident to the authorities. If you notice something unusual, raising the alarm can help not only you, but others affected by the leak as well.

“Everyone can become a victim of phishing scams,” Markuson said. “Although some of them are pretty obvious, others can be challenging to spot. As a prevention measure, use cyber security software such as VPNs, antiviruses, spam filters, and firewalls.”

ConsumerAffairs has a guide on data protection. It covers rates, reviews, and other information about companies that offer data protection services. It’s available here.

It should be noted that Facebook Security extended support for mobile security keys for Facebook iOS/ Android users on March 18. The team suggested that users employ security keys to help ensure that passwords aren’t the last line of defense between an attacker and a user’s account.

On Thursday, Stanford University announced that it’s looking into the alleged theft of personal data from those in the School of Medicine community. 

Hackers reportedly gained access to information in a 20-year-old file transfer system used by the school. The cybercriminals stole data including Social Security numbers, addresses, emails, family members and financial information. 

“Stanford University School of Medicine has learned that cybercriminals have claimed they have stolen some School of Medicine data,” the university said. “We are investigating this incident and we have reported the incident to law enforcement.” 

At this time, school officials aren’t sure how many people were affected by the breach. The incident has been reported to law enforcement.

“We are working to determine whether individuals’ personal data has been affected, and we will notify any affected individual,” the university said. “We take data protection very seriously, and as a best practice, we recommend that all individuals remain vigilant and promptly report any suspicious activity or suspected identity theft to the Stanford School of Medicine.”

Part of a larger attack

Stanford said the hack was part of a larger national cyberattack on universities and organizations that use a widely used file transfer service called Accellion. 

Other victims of the attack include the University of Colorado, Washington State’s auditor, Australia’s financial regulator, the Reserve Bank of New Zealand and U.S. law firm Jones Day. Some institutions received ransom demands from the hackers. The bad actors threatened to leak more information unless they received money. 

“This is a 20 year old legacy system. And these are notoriously insecure,” said Jack Cable of the Stanford Daily. “This is something that’s endemic across probably all universities and large companies, in that they’re dependent on software that is really old and is likely pretty vulnerable. That’s why we’re seeing so many breaches.”

Users of Apple iOS devices welcomed the week with a security threat. Now, Android users are being warned of malware posing as a security update that can allow hackers to take complete control of devices. 

The sophisticated new malicious app disguises itself as a System Update application, according to mobile security company Zimperium (zLabs). Once it takes control of an Android device, it’s able to steal data, images, and messages. Once they infiltrate a device, hackers can also record audio and phone calls, take photos, monitor GPS locations, steal phone contacts, take instant messenger database files, review browser history, access WhatsApp messages, and more. 

Worse yet, it can do its damage undetected by hiding the icon from the device’s drawer/menu.

Stay away from third-party software sites

zLabs confirmed with Google that the app is not -- and has never been -- on Google Play. However, users who download system software from unsecured, third-party platforms can be targeted and become victims if they’re not careful.

Before clicking on “accept” for any app update or before installing a new app on your Android device, users should ask themselves where exactly that software is coming from. You’re probably safe if it’s from the Google Play store, but stay away from installing any software that was sent via text message unless it is from a trusted source you know and have installed software from before. 

One telltale sign of this scheme is any Android update that is offered in the form of a new, self-contained app. Android updates do not come packaged like that. 

Apple users who have been on pins and needles about a critical security breach can rest easy. On Friday, the company released a new update for its iOS software system that fixed the issue.

Specifically, the new update impacts Webkit, a browser engine developed by Apple and used primarily in its Safari web browser on various Apple devices. The original problem reported to Apple suggested that Webkit contained a vulnerability that would allow “maliciously crafted web content” to create “universal cross site scripting.” The company said it was aware that the threat may have been actively exploited.

Apple has its peer Google to thank for finding the threat. The issue was first detailed by members of Google’s Threat Analysis Group.

Who should be concerned and what should be done

Apple reaffirmed the importance of iOS users updating their software, saying the update “provides important security updates and is recommended for all users.”

Consumers who own at least one of the following Apple products should update their system software as soon as possible:

• iPhone: iPhone 6s and later

• iPad: iPad Pro (all models); iPad Air 2 and later; iPad 5th generation and later; iPad mini 4 and later

• iPod Touch (7th generation)

The iOS and iPadOS 14.4.2 updates are free and can be downloaded on all of the aforementioned devices via the Settings app. To access the software update, go to Settings > General > Software Update.

Microsoft has released a “one-click” tool that enables smaller companies to patch the critical “Hafnium” vulnerability disclosed by the company earlier this month. 

Security researchers warned last week that four bugs in the Microsoft Exchange email and calendar servers were at risk of being used in attacks by the Chinese espionage group Hafnium. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it was "aware of widespread domestic and international exploitation" of the bugs. 

Microsoft recently released a patch for the flaw (CEV-2021-26855), but it was primarily designed for large organizations with dedicated IT or security teams capable of executing the complex fix. Now, the tech giant has released an easier-to-install tool for smaller firms without such teams. 

“....we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server,” Microsoft said. 

Mitigating the flaw

The tech giant said the tool will guard against attacks that have been seen so far, but it won’t prevent future attacks and isn’t a replacement for the other Exchange patches. However, the company said it is “the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange servers prior to patching.” 

“This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update,” Microsoft said in a blog post. “By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed.”

The company’s “one-click” mitigation tool can be accessed here. 

Security researchers are warning that four zero-day vulnerabilities in Microsoft Exchange are now being used in attacks against thousands of organizations. 

Microsoft said Exchange customers should apply the emergency patches that it recently released as soon as possible because "nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems."

Over the weekend, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) said it was "aware of widespread domestic and international exploitation" of the vulnerabilities. 

Easy to exploit bugs 

The bugs -- which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 -- are being used in attacks by a Chinese espionage group known as “Hafnium,” researchers said. The group was found to have deployed “web shells” on compromised Microsoft Exchange Servers with the aim of stealing data and installing malware. 

“Hafnium primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said. “HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.”

Chris Krebs, the former director of CISA, believes state and local government agencies and small businesses will be more widely affected by the attacks than large enterprises. 

"Incident response teams are BURNED OUT & this is at a really bad time," Krebs wrote. 

Around 30,000 organizations in the U.S. have been affected by the attacks, according to Brian Krebs of KrebsOnSecurity.com. 

"The intruders have left behind a ‘web shell,’ an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers," Krebs said. 

Sens. Amy Klobuchar (D-MN) and Lisa Murkowski (R-AK) are calling on the Federal Trade Commission (FTC) to combat stalkers’ exploitation of people search websites. 

In a letter to the agency, the senators said there’s a clear need for action to protect people who have been, or may become, victims of abuse and stalking as a direct result of information gleaned through people search sites. 

“We write to express serious concerns about recent reports that data brokers are publicizing the location and contact information of victims of domestic violence, sexual violence, and stalking,” the senators wrote. “We have serious concerns that third-party data brokers play a role in revealing [a] protected address and providing access to personal information that can lead to continued abuse.”

The senators suggested the possibility of introducing measures to help people remove their addresses from data brokers like WhitePages and Spokeo, which market themselves as tools akin to digital phone books. The sites offer phone numbers, email addresses, physical addresses, and more. 

Easily accessible information

Getting information taken down from sites like these (of which there are dozens) can be time consuming and often require the submission of personal data via physical letters or even faxes. The fact that people search sites automatically scrape personal data complicates matters further. 

"One in four women and one in nine men experience intimate partner violence," the senators wrote in the letter, adding that victims “often are forced to relocate to a relative’s house to find safety.” 

“The availability of this data makes it difficult or impossible for victims to safely relocate with relatives,” they added. 

Klobuchar and Murkowski want the FTC to come up with a plan to work with other agencies to keep violent abuse perpetrators from accessing personal information. They also want to help educate victims about data broker services and offer resources on what to do if their information falls into the wrong hands. 

The senators also asked if the FTC has plans to prevent brokers from “collecting, buying, or selling lists of vulnerable populations.”

If you feel like internet ads follow you everywhere you go, there may be some good news on the horizon. In a monumental shift, Google is giving tracking technologies the boot, announcing that it plans to stop selling ads based on individuals’ browsing across multiple websites.

It’s undetermined exactly how much cutting that slice out of Google’s ad business will set the company back, but it could be plenty. According to Statista, Google's total ad revenue in 2020 amounted to $146.92 billion spread across its extensive ad network. Nonetheless, the important pro-consumer point here is that Google seems to be more concerned with what it calls an “erosion of trust” from people who venture out online. 

“As our industry has strived to deliver relevant ads to consumers across the web, it has created a proliferation of individual user data across thousands of companies, typically gathered through third-party cookies,” explained David Temkin, Google’s Director of Product Management, Ads Privacy and Trust.

”This has led to an erosion of trust: In fact, 72 percent of people feel that almost all of what they do online is being tracked by advertisers, technology firms or other companies, and 81 percent say that the potential risks they face because of data collection outweigh the benefits, according to a study by Pew Research Center. If digital advertising doesn't evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”

What changes to expect

This change won’t happen overnight, but there is already forward progress. As a precursor to this move, the company announced in late January that it was going to phase out third-party tracking cookies in its Chrome browser. Once third-party cookies are completely phased out, Temkin vowed that Google will not build alternate identifiers to track individuals as they browse across the web, nor will the company use them in its products.

In its cookieless future, Google wants everything relating to advertising -- targeting, measurement, and fraud prevention -- to be in line with the standards set by its own Privacy Sandbox. If all goes according to plan, cookies will be replaced by application programming interfaces (API) that advertisers will use to gather five unique pieces of data, including how well an ad performed and what platform actually leveraged a purchase out of an ad on its site(s). 

“The most significant item in the Privacy Sandbox is Google’s proposal to move all user data into the browser where it will be stored and processed,” Amit Kotecha, marketing director at data management platform provider Permutive, told Digiday. “This means that data stays on the user’s device and is privacy compliant. This is now table stakes and the gold standard for privacy.”

Google seems to be one of the few companies going in on this new privacy venture; there’s still dozens of digital ad networks that are mum on the subject -- at least for now.

“We realize this means other providers may offer a level of user identity for ad tracking across the web that we will not — like [personally identifiable information] based on people’s email addresses,” Temkin said. 

“We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”

Europe’s leading consumer advocacy group -- the Bureau Européen des Unions de Consommateurshas (BEUC) -- has filed a complaint against TikTok over claims that the Chinese-owned app violated the bloc’s data privacy laws. 

The BEUC has accused TikTok of violating General Data Protection Regulation (GDPR) through its alleged “unclear” terms of service and by "failing to protect children and teenagers from hidden advertising and inappropriate content."

The complaint was filed in the wake of several reports that analyzed the video-sharing app’s approach to consumer protection through its data protection practices and privacy procedures. 

Hidden advertising

In a press release, the BEUC accused TikTok of allowing companies to peddle their products in a way that young users might not see as advertising. 

“Users are for instance triggered to participate in branded hashtag challenges where they are encouraged to create content of specific products,” the BEUC wrote. “As popular influencers are often the starting point of such challenges the commercial intent is usually masked for users. TikTok is also potentially failing to conduct due diligence when it comes to protecting children from inappropriate content such as videos showing suggestive content which are just a few scrolls away.” 

The group also argues that the app isn’t doing enough to prevent underage users from registering for an account. 

“In practice, it is very easy for underage users to register on the platform as the age verification process is very loose and only self-declaratory,” the BEUC said, citing a number of studies that have suggested that children make up “a very big part” of the app’s user base. 

Data collection concerns

With regard to data collection, the BEUC accused the Chinese-owned app of repeatedly changing its data and protection practices in Europe without publicly disclosing that it had done so. The group claims TikTok has an “ambiguous” privacy policy that doesn’t give users a clear picture of the ways in which it collects and uses personal information. 

The BEUC noted that TikTok’s terms and conditions grant it an “irrevocable right to use, distribute and reproduce the videos published by users, without remuneration.” Also problematic to the group is the app’s lack of an opt-out feature that users can select if they would prefer not to have their personal data collected for advertising. 

Consumer organizations in 15 countries are now pushing for authorities to investigate TikTok.

TikTok said in a statement to Reuters that it's "always open to hearing how we can improve” and that it has contacted BEUC about potentially scheduling a meeting “to listen to their concerns.” The company also said it provides an in-app summary of its privacy that it claims was crafted to be easy for teens to understand.

Slack developers have sent emails to some Android users saying they erroneously logged the passwords of Android users in plain text for a period of time. Emails have been sent to affected users containing a link to perform a password reset. Android Police noted that the email might look like a phishing attempt to some people, but it’s legitimate. 

“It's safe to click, or you can navigate to Slack's site directly yourself, sign in there, and reset your password manually,” the site reported. 

Slack said the logging “bug” took effect on December 21, 2020, but it apparently wasn’t caught and fixed until January 21, 2021. Over the course of those 31 days, Slack for Android may have logged users’ passwords in an unencrypted format.

Slack said the issue only impacted a small subset of Android users. However, anyone who uses Slack for Android on a regular basis may want to change their password even if they didn’t receive an email saying they should do so. 

Wiping logs

In addition to choosing a new “complex and unique password,” affected users are also advised to clear the storage of Slack for Android so that any potentially password-containing logs are wiped from the device. 

Slack assured users that it has rolled out “a fixed version” of the Android app. Additionally, it has “blocked usage of the impacted version(s).” 

“We very much regret any inconvenience we have caused,” Slack said in the email. 

TikTok’s forced sale to Oracle and Walmart has been put on hold “indefinitely” now that the Biden administration has taken the reins, according to The Wall Street Journal. 

Last year, Trump ordered the sale of TikTok to a majority U.S.-ownership group over concerns about data security, as well as the potential for the video sharing app’s algorithm to be used to advance Chinese political goals. 

After being pushed back several times, the deadline for the sale was ultimately moved to December 4. That date came and went with no response from the outgoing administration. Now, Biden administration officials say the deal is on hold while the new president reviews past efforts to mitigate security risks from Chinese technology firms. 

“We plan to develop a comprehensive approach to securing U.S. data that addresses the full range of threats we face,” National Security Council spokeswoman Emily Horne told the Journal. “This includes the risk posed by Chinese apps and other software that operate in the U.S. In the coming months, we expect to review specific cases in light of a comprehensive understanding of the risks we face.”

TikTok may use a third party for data

TikTok is reportedly still talking to the Committee on Foreign Investment in the U.S. (CFIUS) about resolving security concerns. However, sources familiar with the matter told the Journal that any deal reached “would likely be different from the one discussed last September.” 

Instead of a sale, a source said that one resolution might involve sending TikTok data to a “trusted third party” to prevent the Chinese government from having access to Americans’ info. The newly installed administration has until February 18 to offer a formal response to TikTok’s legal situation. 

Chinese telecommunications manufacturer Huawei has asked a court to overturn the Federal Communications Commission’s (FCC) late 2020 classification of it as a national security threat.

Huawei has a tainted reputation on Capitol Hill, starting when it came under scrutiny for allegedly implanting malicious hardware or software into its components and systems. The company maintains that the FCC overstepped the boundaries of its authority in issuing the new designation. 

“The order on review potentially impacts the financial interests of the telecommunications industry as a whole,” Huawei’s request said. By “whole,” the company is referring to network operators the FCC locked out of buying Huawei-made parts. 

The latest skirmish is not Huawei’s first with the FCC. In 2019, the agency voted to cut off any federal funds used to buy Huawei products. That move grew into a bill that officially prevented U.S. companies from rolling out wireless networks with Huawei’s equipment -- or that of its Chinese peer, ZTE. Huawei also tried to reverse that decision but came up empty. 

The FCC added even more misery for the telecom maker in December 2020 by voting to make companies replace existing Huawei equipment.

Biden’s FCC backs up Trump’s FCC

The Trump administration was not exactly Chinese commerce’s best friend. From attempts to ban popular China-based phone apps like TikTok and WeChat to a slugfest over trade issues, Trump took it to China with both fists. 

If China was hoping for a respite from the Biden administration, the FCC’s move is the first to dash those hopes. To date, President Biden has not made a move to keep the war on TikTok alive, but his administration is supporting what the Trump administration’s FCC did in its Huawei decree. 

“Last year the FCC issued a final designation identifying Huawei as a national security threat based on a substantial body of evidence developed by the FCC and numerous U.S. national security agencies. We will continue to defend that decision,” a spokesperson told The Verge.

Google has blocked a popular Chrome extension called “The Great Suspender” because it was found to contain malware. 

On Thursday, Chrome users with the extension installed started seeing a message that read: “[The Great Suspender] has been disabled because it contains malware.” Google has also pulled the extension from its Chrome Web Store. 

The Great Suspender was previously a helpful tool that would automatically force any tabs that users hadn’t looked at in a while to go to “sleep,” which helped conserve memory and keep the browser moving quickly. 

Now that the extension is gone, Reddit users have found a way to get tabs back, however the process is somewhat tedious. There are also a few extensions that work similarly to The Great Suspender, including Session Buddy and OneTab. Users can also keep their browser running quickly by simply limiting the number of tabs that are open.

By hook or crook, foreign actors continue to try to worm their way into U.S. companies and internet platforms. 

On Tuesday, CNBC reported that Google has uncovered a new twist in the cyber spy game, courtesy of North Korean state hackers who are trying yet another hacking angle. This time, it appears they’re targeting security researchers directly on social media.

Google’s Threat Analysis Group (TAG) uncovered a campaign in which bad actors worked a confidence ploy to create credibility with security researchers by building out a research blog. The fraudsters also created multiple Twitter profiles and personas on LinkedIn, Telegram, Discord, Keybase, and via email so they could interact with potential targets. A brassy bunch, the actors even used their new Twitter profiles for posting links to their blog and posting videos of their claimed exploits.

Anyone concerned should pay attention to the details

To date, Google’s threat analysts say they’ve only seen these actors targeting Windows systems as a part of this campaign and that even computers running "fully patched and up-to-date Windows 10 and Chrome browser versions" still got infected.

Nonetheless, a red flag has been raised, and Google recommends that potential targets compartmentalize their research activities by “using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”

To help identify the sites, blogs, and accounts to stay away from, TAG has published a full list of actor controlled sites and accounts. It’s available here.

Google remains vigilant about security issues. To help circle the wagons against digital insurrections, the company offers rewards of up to $150,000 for anyone who can lead them to Chrome-related vulnerabilities like the ones leveraged in this situation.

Cybersecurity firm Malwarebytes has disclosed that it was targeted by the same group of hackers behind the breach of IT software company SolarWinds. 

The firm said it doesn’t use SolarWinds’ IT software, through which hackers were able to break into the systems of companies including FireEye, Microsoft, and CrowdStrike. Instead, Malwarebytes said it was infiltrated using another intrusion vector. 

The bad actors were able to breach the firm’s internal systems by exploiting a dormant email protection product within its Office 365 tenant, the company said. 

“We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments,” wrote Marcin Kleczynski, Malwarebytes co-founder and current CEO. 

Malwarebytes products ‘remain safe to use’

Malwarebytes said it found out about the intrusion on December 15, after the Microsoft Security Response center detected suspicious activity in the dormant Office 365 app. The activity was “consistent with the tactics, techniques and procedures” deployed by the hackers who carried out the SolarWinds attacks.

After learning of the breach, the company said it quickly launched an internal investigation to determine what hackers were able to gain access to. Malwarebytes said its anti-malware users can be assured that its software remains safe to use since it doesn’t use Microsoft’s Azure cloud services.

“After an extensive investigation, we determined the attacker only gained access to a limited subset of internal company emails,”  Kleczynski said. “We found no evidence of unauthorized access or compromise in any of our internal on-premises and production environments.” 

Malwarebytes’ announcement that it was targeted by the SolarWinds attackers brings the total number of affected security vendors to four. The group of threat actors previously targeted FireEye, Microsoft, and CrowdStrike in what is believed to have been an attempt to gather intelligence. 

Officials from the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) recently put out a joint statement naming the Russian government as the most likely culprit behind the cyber-espionage attacks. 

Investigators said Monday that the hackers behind the global SolarWinds incident used computer code with links to known Russian spying tools, Reuters reports. 

It recently came to light that cyber criminals hacked SolarWinds to gain access to at least 18,000 government and private networks. It is believed that the cyberattackers’ goal was to collect intelligence. 

Now, researchers at Moscow-based cybersecurity company Kaspersky said the attackers deployed code that closely resembled malware associated with a Russian hacking group known as “Turla.” 

The way in which the SolarWinds hack was carried out had three notable similarities to a hacking tool called “Kazuar,” which is used by Turla, according to Costin Raiu, head of global research and analysis at Kaspersky.

Similarities were noted in how the hackers identified their victims and how they avoided being detected through the use of a specific formula to calculate periods with the viruses lying dormant. Additionally, both pieces of malware attempted to obscure their functions from security analysts.  

“One such finding could be dismissed,” Raiu said. “Two things definitely make me raise an eyebrow. Three is more than a coincidence.”

Connection likely

Raiu said the similarities point to the likelihood of a link between the two hacking tools, but they don’t necessarily imply that Turla played a role in the SolarWinds hack. He said there’s a possibility that the hackers behind the SolarWinds hack were merely inspired by Kazuar, or that they deliberately planted “false flags” in order to throw off investigators. 

Although Moscow has denied involvement in the hack, U.S. intelligence agencies have said that the hackers were “likely Russian in origin.” Security firms in the U.S. and other countries are continuing to investigate the incident in order to determine its full scope, and the Department of Justice has vowed to take serious action. 

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said last week. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

After sitting on the news for almost two weeks, the U.S. Department of Justice (DOJ) has confirmed that its email systems fell prey to the same band of cyberattackers linked to the global SolarWinds incident that has affected government and private sector businesses.

"On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment,” DOJ spokesman Marc Raimondi said in a statement.

Raimondi went on to say that the number of affected email boxes was limited to around 3 percent and that the agency has no indication that any of its classified systems were impacted.

“A major incident”

According to a joint statement issued by the recently organized Cyber Unified Coordination Group -- which includes the FBI, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence, and the National Security Agency -- the hackers are “likely Russian in origin” and “responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”

The group’s investigation is ongoing, and it’s possible they could turn up additional government victims. In the group’s estimation, the hackers’ goal appeared to be collecting intelligence, rather than anything destructive.

Nonetheless, the attack on the DOJ was serious enough that it’s vowing to take serious action.

“As part of the ongoing technical analysis, the Department has determined that the activity constitutes a major incident under the Federal Information Security Modernization Act, and is taking the steps consistent with that determination,” the agency said. “The Department will continue to notify the appropriate federal agencies, Congress, and the public as warranted."

President Trump has signed an executive order banning several Chinese payment apps, including Alipay and WeChat Pay. 

A senior administration official said the order, which was signed late in the day on Tuesday, aims to keep American user data from being shared with the Chinese government. The Trump administration cited the possibility that the apps mentioned in the order could be used as a “mass tool for global oppression.”

"The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security," the order said.

In total, eight Chinese apps are banned under the order: Tencent QQ, CamScanner, SHAREit, VMate, WPS Office, QQ Wallet, Alipay, and WeChat Pay. 

National security concerns

The U.S. government has concluded that the apps named in the order automatically capture “sensitive personally identifiable... and private information” from millions of users in the United States.” President Trump is concerned that the apps could be used to track and build dossiers of personal information on federal employees.

“At this time, action must be taken to address the threat posed by these Chinese connected software applications,” Trump wrote. 

The order will take effect after 45 days, which leaves open the possibility that President-elect Joe Biden will revoke it. The incoming presidential administration has yet to say how it plans to handle the order. 

The Trump administration has previously attempted to ban Chinese-based apps like TikTok and WeChat over national security concerns. Both attempts were unsuccessful. 

In 2019, the administration launched a trade war against Beijing and blacklisted Huawei Technologies, ZTE, and Chinese firms over national security concerns. The Federal Communications Commission (FCC) has designated Huawei and ZTE as national security threats, but both companies have denied that they share data with the Chinese government.

T-Mobile’s cybersecurity team is once again being put to the test. On Monday, the phone carrier announced that it experienced its fourth data breach in three years. 

The company did not say what portion of its nearly 100 million user accounts were at risk, but it did confirm that the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, or PINs.

“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” said Matt Staneff, the Chief Marketing Officer of T-Mobile USA.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

What happened?

In a letter to customers, Staneff said T-Mobile’s cybersecurity team detected -- then shut down -- “malicious, unauthorized access” to “some” information related to T-Mobile accounts. Staneff qualified “some” as customer proprietary network information (CPNI). Collecting CPNI data is a permission given to phone companies by the Federal Communications Commission (FCC) and typically includes call information like the date, duration of the call, the phone number called, and the type of network a consumer subscribes to -- in short, the type of information that appears on a customer's phone bill.

“We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers,” Staneff said.

T-Mobile users weren’t so lucky in March 2020 when a data breach allowed hackers to gain access to T-Mobile employee email accounts. That, in turn, opened up access to customers’ names, addresses, Social Security numbers, financial account information, phone numbers, billing and account information, and rate plans. 

T-Mobile offers to answer any questions

Staneff said the company is ready to answer additional questions if a customer wants further details. Customers can either contact the company online, ask questions at one of the company’s stores, or go through the customer service team at 1-800-937-8997. 

“We are sorry for any inconvenience this may cause you. We take the security of customer information seriously and, while we have a number of safeguards in place to protect customer information from unauthorized access, we will continue to work to further enhance security so we can mitigate this type of activity,” Staneff promised.

Facebook has announced that it will be giving more people access to its security monitoring platform, Facebook Protect, in 2021. 

The program was offered to political officials during the 2020 U.S. elections. Now, Axios reports that Facebook will be offering the tool to other types of users whose accounts are at a greater risk of being compromised, such as journalists, human rights advocates, and activists.

Facebook’s head of security policy, Nate Gleicher, told Axios that Protect comes with real-time monitoring of potential hacking attempts and other security features, such as hardware keys to enable two-factor authentication. 

Gleicher said more than 70 percent of people involved with the 2020 election had two-factor authentication turned on and that Facebook is bolstering its account protection features in the coming year since compromised accounts can be used for malicious purposes. 

“We know that certain people such as candidates, elected officials or staff can be targeted by bad actors on social media platforms, including Facebook and Instagram,” Facebook writes on page discussing the platform. “By enrolling, we’ll help these accounts (1) adopt stronger account security protections, like two-factor authentication, and (2) monitor for potential hacking threats.” 

In a blog post on Thursday, Microsoft said it identified more than 40 organizations that were targeted by attackers using “sophisticated measures.”

Most victims of the attack (80 percent) were located in the U.S. The other targeted groups were spread across seven other countries: Canada, Mexico, Belgium, Spain, the U.K., Israel, and the United Arab Emirates. Microsoft said it has started working with the groups identified as victims. 

Those affected were running problematic versions of a third-party software platform called SolarWinds Orion. Hackers were able to escalate intrusions with additional, second-stage payloads. Microsoft said it discovered the intrusions using data from its Microsoft Defender antivirus product, which is built into all Windows installations.

"It's a certainty that the number and location of victims will keep growing," said Microsoft President Brad Smith. 

Microsoft targeted

Microsoft itself was among those targeted by hackers, but the company denied claims that its production systems were compromised or that the attack affected its business customers and end-users. 

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed," the statement said.

Microsoft said the attack “represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” 

The company said the attack is being “actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft." Smith said it’s become clear that stronger international rules are needed to help prevent future attacks of this magnitude. 

“The defense of democracy requires that governments and technology companies work together in new and important ways – to share information, strengthen defenses and respond to attacks,” he wrote. “As we put 2020 behind us, the new year provides a new opportunity to move forward on all these fronts.” 

More than three million Google Chrome and Microsoft Edge users are believed to have installed extensions that contain malicious code, according to security firm Avast. 

Avast researchers said users who installed one of 28 third-party extensions containing hidden malicious JavaScript could be at risk of data theft and phishing attacks. 

The extensions in question are primarily designed to help users download multimedia content from social networks including Facebook, Instagram, Vimeo, or Spotify. But Avast said users could end up being redirected to a site where the attacker gets paid for user visits. In other cases, users could end up on phishing sites. 

“Anytime a user clicks on a link, the extensions send information about the click to the attacker’s control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit,” the security firm explained.

Names of extensions

Avast said it found evidence that some of the malicious extensions had been active since at least December 2018. The researchers discovered the code hidden in the apps last month and reported their findings to Google and Microsoft. 

Both companies have said they are investigating the extensions. In the meantime, Avast has recommended that users disable or uninstall the extensions. 

Here is the list of Chrome extensions that contain malicious code, according to Avast: 

• Direct Message for Instagram

• DM for Instagram

• Invisible mode for Instagram Direct Message

• Downloader for Instagram

• App Phone for Instagram

• Stories for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Zoomer for Instagram and FaceBook

• VK UnBlock. Works fast.

• Odnoklassniki UnBlock. Works quickly.

• Upload photo to Instagram™

• Spotify Music Downloader

• The New York Times News

Avast said the following Edge extensions contain malicious code: 

• Direct Message for Instagram™

• Instagram Download Video & Image

• App Phone for Instagram

• Universal Video Downloader

• Video Downloader for FaceBook™

• Vimeo™ Video Downloader

• Volume Controller

• Stories for Instagram

• Upload photo to Instagram™

• Pretty Kitty, The Cat Pet

• Video Downloader for YouTube

• SoundCloud Music Downloader

• Instagram App with Direct Message DM

It looks like Facebook has unfriended Apple. On Wednesday, the social media platform took out full-page ads in the New York Times, Washington Post, and Wall Street Journal to denounce Apple’s upcoming iOS privacy changes. Facebook claims that it’s “standing up to Apple for small businesses everywhere.”

The barrel of ink Facebook is throwing Apple’s way is supposedly related to Apple’s iOS 14 privacy changes, which will require app developers like Facebook to “provide information about some of your app’s data collection practices on your product page.” The change will also require Facebook to “ask users for their permission to track them across apps and websites owned by other companies.”

Facebook comes out swinging

Facebook didn’t come right out and say it, but Apple’s disclosure shift will impact Facebook’s ad business, especially its ad network for developers and businesses if end users opt out of being tracked.

In the ad, Facebook maintains that Apple’s changes will be “devastating to small businesses” that rely on its ad network to leverage clicks and sales. The newspaper ads that Facebook took out ask small businesses to check out the platform’s “speak up for small business” site that features a series of business owners speaking out on Apple’s changes. Some of those comments are pretty shaming -- things like “This is going to affect me and my family,” and “We could lose our business.”

While Apple has yet to publicly respond to Facebook’s ads, the company did respond to similar Facebook claims in November, accusing Facebook of a “disregard for user privacy.” Apple is steadfast in its position that the upcoming privacy policies will be enforced when they go into effect in early 2021. The company said it is “committed to ensuring users can choose whether or not they allow an app to track them.”

Facebook’s call for support

Facebook said it hopes the Direct Marketing Association (DMA) will also set boundaries for Apple. 

“Apple controls an entire ecosystem from device to app store and apps, and uses this power to harm developers and consumers, as well as large platforms like Facebook,” a Facebook spokesperson said in a statement to CNBC. “

If Facebook’s game is to play two ends against the middle, maybe it should have first asked the DMA if it had its back. “We respect your privacy – and so do our members,” is the organization’s promise to consumers.” (Our Association of National Advertisers) ensures that consumers have choices about unwanted marketing offers. Our members honor consumers who don’t want to be contacted. You have choices about the type of marketing you receive.”

The Federal Trade Commission (FTC) turned up the heat on the social media big wigs on Monday. In a new mandate, the Commission will now require nine tech firms to disclose exactly how they collect and use data from their users.

Called on the carpet are the usual suspects -- Amazon, Facebook, and Twitter -- along with Google’s YouTube, TikTok’s owner ByteDance, Discord, Facebook’s WhatsApp, Reddit, and Snap. The companies have until January 28, 2021 to respond.

What is the FTC looking for?

Specifically, the FTC is leveraging Section 6(b) of the FTC Act, which gives it the authority to ask about how the companies “compile data concerning the privacy policies, procedures, and practices of [such] providers, including the method and manner in which they collect, use, store, and disclose information about users and their devices.”

Moving past the legalese, the FTC said that what it’s trying to ascertain is really more consumer-oriented. The questions it wants answered are:

• “How social media and video streaming services collect, use, track, estimate, or derive personal and demographic information;

• How they determine which ads and other content are shown to consumers;

• Whether they apply algorithms or data analytics to personal information;

• How they measure, promote, and research user engagement; and

• How their practices affect children and teens.”

The commissioners weigh in

After making their demands, the FTC commissioners said that the agency is seeking more information in the best interest of consumers.

“Never before has there been an industry capable of surveilling and monetizing so much of our personal lives. Social media and video streaming companies now follow users everywhere through apps on their always-present mobile devices,” Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Christine S. Wilson said in a statement. 

“This constant access allows these firms to monitor where users go, the people with whom they interact, and what they are doing. But to what end? Is this surveillance used to build psychological profiles of users? Predict their behavior? Manipulate experiences to generate ad sales? Promote content to capture attention or shape discourse? Too much about the industry remains dangerously opaque.”

Commissioner Noah Joshua Phillips was the dissenting vote among the commissioners, saying that the move was an “undisciplined foray into a wide variety of topics.” He called his peers out for omitting other companies engaged in business practices similar to the nine companies named. Phillips asked why Apple, Gab, GroupMe, LinkedIn, Parler, Rumble, Tumblr, and WeChat weren’t also named. He answered his own question rather snarkily. 

“The only plausible benefit to drawing the lines the Commission has is targeting a number of high profile companies and, by limiting the number to nine, avoiding the review process required under the Paperwork Reduction Act...which is not triggered if fewer than ten entities are subject to request.”

Russian hackers, believed to be working on behalf of the Kremlin, were apparently behind an attack into computer systems at the departments of the U.S. Treasury and Commerce that may have gone on for months before being detected. To make matters worse, people familiar with the matter feel that this situation just may be the tip of the iceberg.

According to U.S. officials and a report by National Public Radio (NPR), the Russian hackers broke into the email systems at those two government departments, and it was so consequential that it led to a National Security Council meeting at the White House on Saturday, one of the people familiar with the matter told Reuters.

It may not come to anyone’s surprise that Russia denies any involvement. The Russian foreign ministry took to Facebook to say the allegations were nothing more than another “unfounded attempt” by the American media to blame Russia for cyberattacks directed at U.S. agencies.”

Malicious actors

In the Department of Homeland Security’s response to the “known compromise,” it said that the hack involved SolarWinds Orion network monitoring products being exploited by malicious actors.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners -- in the public and private sectors -- to assess their exposure to this compromise and to secure their networks against any exploitation,” the DHS’ Cybersecurity and Infrastructure Security Agency said in a statement.

The Commerce Department and the National Security Council both confirmed the breach, but the agencies didn’t give any extra information about the extent of the hack or the measures that have been taken to secure the email accounts.

The private sector is also in danger

In addition to the government breaches, the hackers also wormed their way into the computer system bowels of private companies. 

More than 400 of the U.S. Fortune 500 companies use SolarWinds products, according to KrebsOnSecurity. That list includes all branches of the military, as well as all ten of the Top 10 communications companies, all five of the Top 5 accounting firms, and hundreds of colleges.

Security firm FireEye, which also happened to be hit by the hack, said cyber criminals inserted malware into SolarWinds updates that “(went) to significant lengths to observe and blend into normal network activity.” It also concluded that the breach is a “global campaign” and had confirmed intrusions in North America, Europe, Asia, and the Middle East. 

In a blog post late Sunday, Microsoft echoed FireEye’s assessment, saying that it believes the hack represents “nation-state activity at significant scale, aimed at both the government and private sector." The company also had words for its own users.

“We also want to reassure our customers that we have not identified any Microsoft product or cloud service vulnerabilities in these investigations. As part of our ongoing threat research, we monitor for new indicators that could signal attacker activity,” the company said.

FireEye, one of the nation’s leading cybersecurity firms, has shared details of a hack targeting its “Red Team” tools, which it uses to test customers’ security. The firm said there is concern that the hackers could publicly release the tools they accessed or use them to carry out other attacks. 

In a blog post, FireEye CEO Kevin Mandia said the attack was “different from the tens of thousands of incidents we have responded to throughout the years.” 

“The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus,” Mandia wrote. “They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.” 

Russia reportedly a suspect

FireEye said it doesn’t currently have evidence that any customer information was taken. 

Although the company didn’t say in its report who it believes is responsible for the attack, the Wall Street Journal reported that state-sponsored Russian hackers are a likely suspect. A source familiar with the matter told the Journal that Russia is currently being viewed by investigators as “the most likely culprit.” 

“Moscow’s foreign-intelligence service, known as the SVR and one of two Russian groups that hacked the Democratic National Committee ahead of the 2016 presidential election, is believed to be responsible, the person said,” according to the Journal. 

FireEye didn’t specify when the hack took place or when it became aware of it. The hack is currently being investigated by FireEye, as well as the FBI and industry partners like Microsoft.

Since becoming aware of the attack, FireEye said it’s developed hundreds of countermeasures that can detect or block the use of any of its stolen tools. The firm said it has integrated the measures into its own security products and shared them with “colleagues in the security community.” 

FireEye said it will “continue to share and refine any additional mitigations for the Red Team tools as they become available.” 

A Trump administration-imposed deadline for the sale of TikTok passed on Friday without a resolution. 

The short-form video app has been facing uncertainty since last year, when national security concerns arose and it was ordered to find a U.S. buyer. The deadline to do so has already been rescheduled several times, and another one isn’t likely to be set now that Friday’s deadline has come and gone.

Shortly after last month’s election, the China-owned platform claimed that the Trump administration had stopped engaging in discussions regarding an agreement. 

“In the nearly two months since the President gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement – but have received no substantive feedback on our extensive data privacy and security framework,” company officials told various media outlets. 

Sources familiar with the matter told Bloomberg that negotiations are likely to continue even now that the December 4 deadline to find a buyer has passed. 

Negotiations on hold

In August, President Donald Trump signed an executive order forcing TikTok -- which is owned by Chinese company ByteDance -- to divest “any tangible or intangible assets or property, wherever located, used to enable or support ByteDance’s operation of the TikTok application in the United States.”

Trump administration officials claim the platform’s owner could share U.S. user data with the Chinese government. TikTok has denied allegations that it poses a national security threat. 

"In this game of high stakes poker it’s very possible that ByteDance looks to delay deal negotiations in hopes that the incoming Biden Administration eliminates this executive order in what would be a seminal shift for the US towards China on technology policy and send an ‘olive branch’ signal to Beijing,” Dan Ives, an analyst on tech sector at Wedbush Securities in New York, told the South China Morning Post. 

"The TikTok situation could potentially be a litmus test for Biden‘s first move towards ending the US China [tech cold war].”

In November, an advisor to President-elect Joe Biden said it’s too early to know what, if any, actions the Biden administration plans to take regarding TikTok.

A Google researcher has demonstrated an Apple security vulnerability that could have allowed hackers to gain full access to a person’s iPhone. A cyberattacker could have exploited the flaw without having the user download malware or click on a suspicious link. To fall victim, a user would have only had to be within Wi-Fi range. 

Ian Beer -- a security researcher with Google’s Project Zero -- explained in a video this week that it was possible for a Raspberry Pi setup with off-the-shelf Wi-Fi adapters to steal photos from an iPhone in a different room in a matter of minutes. The same security vulnerability also allowed Beer to repeatedly reboot 26 iPhones at the same time. 

Apple fixed the vulnerability in May, but Beer said he spent six months looking into the issue.

"Imagine the sense of power an attacker with such a capability must feel," Beer said in a blog post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

Full access to a device

Through his extensive research, Beer found a “wormable radio-proximity exploit” that allowed him to gain “complete control over any iPhone in my vicinity.” He said he was able to view phones, read emails, copy private messages, and monitor everything that happens on a device in real-time. 

“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”

Beer said he hadn’t seen any evidence that the flaw was exploited prior to being fixed, but he said consumers can never be too careful when it comes to the security of their mobile devices. Issues like these are likely to surface again. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.

A hacker is reportedly selling access to email accounts belonging to “hundreds” of high level executives across the world. The accounts are going for $100 to $1500 each, depending on the value of each account. The targets include CEOs, vice presidents, and directors. 

The email and password combinations are being sold on a “closed-access underground forum for Russian-speaking hackers named Exploit.in,” according to ZDNet. The seller did not disclose how he obtained the login credentials, but he claimed to have hundreds of additional accounts to sell. 

ZDNet said a cybersecurity source has confirmed the validity of the stolen data. That source has begun the process of notifying all the affected companies. 

Scam potential 

If corporate executive login credentials fall into the wrong hands, both the executives and their workers could be affected. Cybercriminals can use compromised corporate email credentials for a variety of money-making schemes, KELA Product Manager Raveed Laeb explained to ZDNet. 

"Attackers can use them for internal communications as part of a 'CEO scam' - where criminals manipulate employees into wiring them large sums of money; they can be used in order to access sensitive information as part of an extortion scheme,” Laeb said.

Stolen login credentials can also be “exploited in order to gain access to other internal systems that require email-based 2FA, in order to move laterally in the organization and conduct a network intrusion," Laeb added.

To reduce the likelihood of such events unfolding, cybersecurity experts highly recommend using two-step verification or two-factor authentication for online accounts. Attackers won’t be able to do anything with stolen login details in cases where the user has set up 2SV or 2FA. 

Home Depot has cut a deal with 45 states and the District of Columbia and will pay $17.5 million to resolve an investigation of a 2014 data breach, which exposed payment card information of an estimated 40 million Home Depot customers nationwide. 

The data breach took place when hackers found their way into the retailer’s computer network and released malware on its self-checkout point-of-sale system. Once that was done, the hackers went on a five-month spree, obtaining the credit and debit card information of customers who used self-checkout lanes at Home Depot stores throughout the U.S. 

According to ZDNet’s coverage of the incident, online customers were not involved in the hack. 

Home Depot promises better protection

In addition to writing that $17.5 million check, Home Depot has agreed to install and maintain a series of data security practices designed to strengthen its information security program and protect the personal information of customers going forward.

“Businesses that collect or maintain sensitive personal information have an obligation to live up to the trust consumers place in them,” said Attorney General Jennings. “My office will continue to ensure businesses like The Home Depot protect consumers’ information from unlawful use or disclosure.”

Password manager NordPass has released its annual list of the worst passwords, and 2020’s list includes many of the same weak passwords as years prior. 

Consumers are still protecting their data with simple passwords that are infamous for being easy to crack, according to this year’s list. For example, NordPass found that millions of people are still using “password" and “123456” as passwords. The firm said the latter has been breached more than 23 million times. 

Many people may choose variations of the number bar because it’s quick and easy to type, but research has found that these frequently used passwords take less than a second to crack. Combinations of adjacent keys, such as “asdfghjkl” or “qwertyuiop,” have also been found to be highly vulnerable to cracking. 

Worst passwords of 2020

NordPass’s full list contains 200 of the most commonly used passwords, ranked by metrics such as how many times each password has been exposed and how long it would take an unauthorized party to crack it. 

Below are the top 20 worst passwords of the year. 

• 123456

• 123456789

• picture1

• password

• 12345678

• 111111

• 123123

• 12345

• 1234567890

• senha

• 1234567

• qwerty

• abc123

• Million2

• 000000

• 1234

• iloveyou

• aaron431

• password1

• qqww1122

Protecting your data

To keep sensitive data from being exposed, NordPass recommends making sure all passwords are unique and complex. This can be made easier through the use of a password manager or a third-party service like LastPass or Apple’s iCloud Keychain. 

NordPass also suggests enabling two-factor authentication when possible and deleting any old or inactive accounts. 

In all the hoopla regarding new vaccine test success from Moderna and Pfizer, Microsoft has uncovered a series of cyber attacks coming from Russia and North Korea targeted at research companies doing those tests.

In a blog post, Microsoft says the attacks targeted seven major pharmaceutical companies and researchers in Canada, France, India, and South Korea, and the U.S. Microsoft didn’t say which companies were targeted or what type of information may have actually been compromised or stolen, but officials said they had notified the organizations and offered help where the attacks were successful.

“Two global issues will help shape people’s memories of this time in history – COVID-19 and the increased use of the internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt health care organizations fighting the pandemic,” wrote Microsoft’s Tom Burt, Corporate Vice President, Customer Security & Trust.

“We think these attacks are unconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks we’ve seen most recently and are urging governments to act.”

The attacks and the protection

There are actually three key players in the attacks: “Strontium,” an actor originating from Russia, and two actors originating from North Korea that Microsoft has dubbed “Zinc” and “Cerium.”

Strontium uses “password spray” and brute force login attempts to steal personal login credentials. The software it uses conducts millions of rapid attempts to crack a third-party’s personal data. Zinc’s game is to use spear-phishing lures for credential theft by sending messages with fabricated job descriptions pretending to be recruiters. And Cerium? The angle it works is spear-phishing with email lures using COVID-19 themes while masquerading as World Health Organization representatives. 

Luckily, Burt says the “majority” of the attacks have been blocked by security protections built into the company’s products. The company is continuing to make its threat notification service, “AccountGuard,” available for free to health care and human rights organizations working on COVID-19. 

The company says that 195 health care-related groups have enrolled in the service, and it now protects 1.7 million email accounts that those organizations serve.

A Microsoft executive is urging users to move away from phone-based multi-factor authentication (MFA) mechanisms and instead embrace newer security technologies, like app-based authenticators and security keys.

In a blog post, Alex Weinert, Director of Identity Security at Microsoft, said app-based two-factor authentication provides greater security.

Weinert said telephone-based multi-factor authentication (MFA) solutions -- like one-time codes sent via SMS and voice calls -- are “based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” 

“That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages,” he said. “Plan your move to passwordless strong auth now – the authenticator app provides an immediate and evolving option.” 

MFA is ‘essential’

In 2019, Weinert penned a blog post in which he said that internal Microsoft statistics showed that users who enabled MFA blocked around 99.9 percent of automated attacks against their Microsoft accounts. 

In a follow up blog post earlier this week, he stressed that MFA itself is essential -- but the way people use it should change. If users have to choose between multiple MFA mechanisms, he said they should avoid phone-based MFA which can be intercepted by attackers. 

Weinert said a good place to start is by using Microsoft’s Authenticator MFA app. For even greater security, hardware security keys can be used. 

China-owned social media platform TikTok claims that the Trump administration has gone silent over the past few weeks. 

Over the past several months, the two parties have clashed over privacy and national security-related matters. The Trump administration has expressed concern that the app poses a threat to national security, but TikTok has vehemently denied that it’s sharing data with the Chinese government. 

Trump’s committee on foreign investment in the United States (CFIUS) ordered TikTok’s parent company ByteDance to divest “any tangible or intangible assets or property, wherever located, used to enable or support ByteDance’s operation of the TikTok application in the United States” by tomorrow, November 12. 

TikTok has petitioned CFIUS for a review of the situation, partly because the committee didn’t specify what would happen if the company didn’t meet the demands by that deadline. The short-form video app was granted a preliminary injunction last month. 

Facing uncertainty 

TikTok planned to partner with Oracle and Walmart in the U.S. to form a new company called “TikTok Global.” In September, the Trump administration said the president approved the deal “in concept.” Now, TikTok says negotiations seem to have stalled. 

“For a year, TikTok has actively engaged with CFIUS in good faith to address its national security concerns, even as we disagree with its assessment,” TikTok told various media outlets. “In the nearly two months since the President gave his preliminary approval to our proposal to satisfy those concerns, we have offered detailed solutions to finalize that agreement – but have received no substantive feedback on our extensive data privacy and security framework.”

TikTok officials said they currently have “no clarity on whether our proposed solutions would be accepted.” 

“Today, with the November 12 CFIUS deadline imminent and without an extension in hand, we have no choice but to file a petition in court to defend our rights and those of our more than 1,500 employees in the US. We remain committed to working with the Administration — as we have all along — to resolve the issues it has raised, but our legal challenge today is a protection to ensure these discussions can take place,” the company said in a statement. 

An advisor to President-elect Joe Biden said “it’s too early” to know what, if any, actions the Biden administration plans to take regarding TikTok.

The Federal Trade Commission (FTC) announced a settlement with video conferencing platform Zoom on Monday that will require the company to implement a sturdier information security program. The FTC alleged that Zoom engaged in a series of “deceptive and unfair practices” that essentially undermined the security of its users.

The FTC’s complaint dates back to 2016 when the agency alleged that Zoom deceived users by falsely promising that it offered “end-to-end, 256-bit encryption” to secure users’ communications. Regulators said the falsehood created the possibility that other people (including Zoom) could read a user’s content. 

In the FTC’s eyes, Zoom also erroneously told users who wanted to store recorded meetings on the company’s cloud storage that those meetings were encrypted immediately after their meeting ended. Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.

Enter COVID-19

The matter was complicated further during the COVID-19 pandemic. Zoom’s reach skyrocketed from 10 million in December 2019 to 300 million in April 2020, putting even more users’ privacy at risk. 

Earlier this summer, the company attempted to soften the FTC’s angst by improving its security for all users versus only its paying subscribers, but those actions seemingly weren’t enough to appease regulators.

“During the pandemic, practically everyone—families, schools, social groups, businesses—is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”

What changes Zoom users will see

The FTC’s laundry list of changes that Zoom users are supposed to see thanks to the settlement include:

• The annual assessment and documentation of any potential internal and external security risks and develop ways to safeguard against such risks;

• Implementation of a vulnerability management program; and

• Deployment of safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and taking steps to prevent the use of known compromised user credentials.

The FTC didn’t stop there, though. On top of those three key changes, Zoom agreed to review any software updates for potential security flaws and must ensure that software updates will not hamper third-party security features. The company has also agreed not misrepresent to the public its collection and use of personal information, and it will have an assessment of security program made by an independent third party every other year.

The hotel reservation firm Prestige Software has exposed the data of millions of guests worldwide, Website Planet reports. 

Prestige Software -- a platform that enables hotels to automate their availability on booking websites like Expedia and Booking.com -- reportedly stored files dating as far back as 2013 without any protection in place. 

Exposed information included names, credit card details, ID numbers, and reservation details. In some cases, logs contained personally identifiable information for multiple members included in a single booking.