Tag Archives: hackers

Instagram says hackers swiped contact info for verified users

Instagram just suffered a potentially serious (and this time, very real) data breach. The social photo service is sending out alerts that intruders got access to the phone numbers and email addresses for a number of “high-profile” users by exploiting a bug in Instagram’s programming interface. The attackers didn’t obtain passwords, and Instagram says it has already fixed the bug, but it’s warning all verified users out of an “abundance of caution.”


We’ve asked Instagram for more details and will let you know if it can shed more light on the situation, such as when the breach happened and how many people were targeted. It’s also unclear if this is related to the recent hack that compromised Selena Gomez’s Instagram account.

The breach isn’t as severe as it could have been, but it’s definitely not what Instagram needs in the wake of the Gomez incident. The social network is growing very rapidly, but it might run into trouble if big-name users are hesitant to stick around over security fears. The apparently prompt fix suggests that Instagram is at least on top of these issues when they do come up.



HBO hackers leak Game of Thrones stars’ phone numbers and addresses

A recent security breach at HBO has led to the personal phone numbers and email addresses of some Game of Thrones actors leaking online. Hackers broke into HBO’s systems and reportedly stole 1.5 terabytes of data, including scripts for upcoming Game of Thrones episodes and two unreleased episodes of Ballers and Room 104The Guardianreports that hackers have released 3.4GB of data, and that they’re demanding that HBO pay an undisclosed ransom to prevent further leaks.

Contained within the leaked data are draft scripts from five Game of Thrones episodes, and technical documents detailing HBO’s internal network and administrator passwords. The Verge understands that one document includes a list of personal phone numbers, home addresses, and email addresses for all of the season 7 Game of Thrones actors, including Peter Dinklage, Lena Headey, and Emilia Clarke. A month’s worth of emails from HBO’s vice president for film programming, Leslie Cohen, is also part of the latest leak alongside a large number of confidential documents.

HBO says it is reviewing what data has leaked as part of an ongoing forensic investigation. In a statement to Wired, HBO spokeperson Jeff Cusson says “the review to date has not given us a reason to believe that our email system as a whole has been compromised.” If HBO’s email systems haven’t been fully accessed then it will spare the company an embarrassing repeat of what happened to Sony Pictures. Hackers broke into Sony Pictures back in 2014, and the leaked emails did the most reputational damage to the company.


It seems unlikely that the HBO hackers have obtained copies of actual Game of Thronesepisodes. While there have been threats of more leaks, only scripts for the TV series have surfaced online so far. In a separate incident, a Game of Thrones episode leaked last weekbefore its public TV airing. The leak wasn’t part of the HBO hack, and distribution partner Star India accidentally published it online. Either way, it’s clear HBO’s security nightmare is far from over.



Victims of the global cyberattack have paid $9,000 so far but can’t get their files back

Victims of the ongoing Petya cyberattack have paid £7,064 ($9,000) in Bitcoin to hackers so far to try and get their files back — but they won’t have much luck.

The cyberattack broke out on Tuesday, impacting the Ukrainian government and banks, then spreading to a Russian oil company, advertising firm WPP, and other companies around the world. The attack takes the form of ransomware, malicious software that encrypts a user’s files, then demands a payment in Bitcoin in exchange for decryption.

Victims posted screenshots of messages showing up on their computer screens, instructing them to send $300 worth of Bitcoin to a Bitcoin wallet address. They were also told to send their own Bitcoin wallet ID and “personal installation key”, a unique identifier generated by the ransomware, to a dedicated email address.

According to Blockchain.info, which shows Bitcoin transaction data, there have been 36 payments to that Bitcoin address to date.

But the operator behind that email address, German firm Posteo, swiftly blocked access to that mailbox. The company said on Tuesday that people couldn’t email the address, nor could hackers access it. That means hackers can’t check who has paid them, nor can they release the key needed to decrypt a specific victim’s files.

In short: Anyone who has paid the ransom is out of luck.



Electronic Setups of Driverless Cars Vulnerable to Hackers

Any part of a car that talks to the outside world is a potential opportunity for hackers.

That includes the car’s entertainment and navigation systems, preloaded music and mapping apps, tire-pressure sensors, even older entry points like a CD drive. It also includes technologies that are still in the works, like computer vision systems and technology that will allow vehicles to communicate with one another.

It will be five to 10 years — or even more — before a truly driverless car, without a steering wheel, hits the market. In the meantime, digital automobile security experts will have to solve problems that the cybersecurity industry still has not quite figured out.

“There’s still time for manufacturers to start paying attention, but we need the conversation around security to happen now,” said Marc Rogers, the principal security researcher at the cybersecurity firm CloudFlare.

Their primary challenge will be preventing hackers from getting into the heart of the car’s crucial computing system, called a CAN (or computer area network).

While most automakers now install gateways between a driver’s systems and the car’s CAN network, repeated hacks of Jeeps and Teslas have shown that with enough skill and patience, hackers can bypass those gateways.

And the challenge of securing driverless cars only gets messier as automakers figure out how to design an autonomous car that can safely communicate with other vehicles through so-called V2V, or vehicle-to-vehicle, communication.

The National Highway Traffic Safety Administration has proposed that V2V equipment be installed in all cars in the future. But that channel, and all the equipment involved, open millions more access points for would-be attackers.

It’s not just V2V communications that security experts are concerned about. Some engineers have imagined a future of vehicle-to-infrastructure communications that would allow police officers to automatically enforce safe driving speeds in construction zones, near schools or around accidents.

Given the years long lag time from car design to production, security researchers are also concerned about the shelf life of software deeply embedded in a car, which may no longer be supported, or patched, by the time the car makes it out of the lot.


Google developed a school curriculum to help kids fight trolls and hackers

Google is launching an educational program designed to teach kids about phishing, internet harassment, passwords, and other internet safety issues. Called “Be Internet Awesome,” it includes a classroom curriculum and a video game called Interland. It was developed with help from teachers, YouTube videographers, and internet safety and literacy organizations, and resources are available online for free.


Be Internet Awesome tackles topics that are relevant to all ages, though it’s seemingly aimed at younger children. It includes sections on how to limit sharing personal information with people online, avoid falling for scams or phishing attacks, creating strong passwords, and avoiding negative behavior online. (It includes a “Be Internet Awesome Pledge” that students can sign.) Google says the program is compliant with International Society for Technology in Education standards, awarded to programs that promote a range of tech-savvy skills.

In this case, that happens through a range of quizzes, role-playing activities, and other abstract exercises. For the “Share with Care” module, students look at a made-up social media profile and cross out information that a parent, employer, or future self might look poorly upon. In “Don’t Fall for Fake,” they decide whether a series of webpages and emails look real or fake. And “It’s Cool to be Kind” urges kids to avoid responding or reacting to hurtful messages, as well as block and report bullies.


Interland, the accompanying video game, seems less like a training tool and more like a sweetener that could get students interested in the material. “Mindful Mountain,” for example, turns the process of sharing specific posts with the right people into a spatial puzzle. (It also works as a grim commentary on how opaque social network privacy settings can be, although that’s never mentioned.) Players promote positivity in a platforming game by tossing out friendly emoticons and hitting the “block” button to trap trolls. The password security game is a Temple Run-style endless runner about collecting letters and symbols.


This is only the latest in Google’s string of educational programs, which range from promoting Chromebooks in the classroom to offering virtual reality field trips through Google Cardboard. (Interland also uses a low-poly aesthetic that will be familiar to Daydream VR users.)

As someone who’s not a trained educator, I can’t pass judgment on this curriculum. Everybody could stand to be a little more cautious about phishing, but anti-bullying programs, of which “Cool to be Kind” is a subset, vary in effectiveness. Even if this is effective for teaching students the basic principles of internet use, we don’t know how well it will translate into real-world social media use. But at the very least, it’s a non-alarmist take on internet safety — even if I might rather teach my kid about hacking with the Mr. Robot game.



Amazon’s Third-Party Sellers Get Ripped Off By Hackers

Hackers have zeroed in on the growing number of third-party sellers on Amazon Marketplace, reportedly using stolen logins to swipe thousands of dollars from some merchants.

In recent weeks, hackers have ramped up their attacks by taking over dormant accounts and changing the bank account information. They’ll then post nonexistent merchandise at bargain prices, make the sell and collect the cash, according to a report in the Wall Street Journal.

Buyers can get a refund, but the scam hits sellers hard, since they’re on the hook for reimbursing customers who never received their merchandise.

Margina Dennis, a professional makeup artist working in New York City, told NBC News she still has more than one hundred emails to answer from angry customers who are wondering why they never received a Nintendo Switch hackers posted from her account. That’s in addition to the tens of thousands of dollars in debt she is now contesting after her account was compromised.

“This has been mentally, emotionally, so trying and the level of frustration trying to deal with them,” Dennis said. “Basically their response is, ‘We received a notice and we’ll get back to you when we get back to you. We can’t tell you when or if.'”

The issue came to Dennis’ attention when she said she received hundreds of emails from buyers complaining they never received the Nintendo Switch the ordered from her account.

Amazon sent Dennis a note on March 29th saying she may have been hacked, however she said she had to wait days for her account to be taken down since the hacker changed the password and she was unable to log in.

“I know people who have been dealing with this longer than I have and it is all falling on deaf ears,” Dennis said.

She added, she would never shop or sell on Amazon again, “if it’s the last thing on Earth.”

The company is working to make sure sellers like Dennis don’t have to handle the financial burden of the hacks, a person familiar with the matter told NBC News.

Amazon spokesman Erik Fairleigh told NBC News in a statement that the company, “is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com.”

“There have always been bad actors in the world; however, as fraudsters get smarter so do we,” he said.

Amazon’s statement also suggested people monitor their accounts on a regular basis and turn on two-factor authentication, sending a code to their phone and adding an extra layer of security.

The hacks appeared to stem from stolen credentials from other places that were then sold on the dark web.

Hackers then likely used a method called “credential stuffing,” trying out stolen or leaked usernames and passwords on other different popular websites to try to login there too, Jeremiah Grossman, chief of security at SentinelOne told NBC News.

“This particular attack is almost two decades old. You shouldn’t allow a merchant account to sit dormant for long,” Grossman told NBC News.

Amazon’s Marketplace has two million sellers — and an estimated one hundred thousand pulling in six figures, making it a “juicy target and complex to manage from a security point of view,” said Matthew Gardiner, a cybersecurity strategist at email security company, Mimecast.

“Whomever bears ultimate responsibility for the Amazon attacks, what seems clear is that the security controls in place are not sufficient for the risk,” he said.



%d bloggers like this: