Uber Paid To Hide Massive Data Breach From Public

It has recently come to light that Uber was hacked in 2016 in a breach that exposed the personal information of more than 57 million Uber users and drivers. The attackers reportedly obtained credentials from a private GitHub repository used by Uber engineers and used them to reach an archive of user data stored in an Amazon Web Services account. For riders, the stolen data included names, email addresses and phone numbers.

For more than 600,000 of the company’s drivers the problem was worse still: their driver’s license numbers were exposed, too.

Standard practice when a breach like this occurs is to engage law enforcement as appropriate, bring in a third-party security firm to help with the forensic investigation and notify the affected consumers, in many jurisdictions within a legally mandated window.

Unfortunately, that’s not the path Uber chose. Instead, it paid the hackers $100,000 in exchange for their silence and a promise to delete the stolen data.

The company kept the incident under wraps for more than a year, but eventually, word of the attack leaked out, and the fallout has been catastrophic. Uber’s CEO Dara Khosrowshahi has asked for the resignation of the company’s Chief Security Officer, Joe Sullivan, and one of his deputies, Craig Clark, both of whom worked to keep the attack quiet.

In a formal statement, Khosrowshahi had this to say:

“None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

As is common in the aftermath of events like these, Uber is offering the affected drivers a free year of credit monitoring and will likely force password changes for its app users. More than a year too late, but it’s something.

File this away under how not to handle a data breach.

New Hack Attempts To Access Office 365 Passwords

Companies are getting better at detecting and fending off brute-force attacks. A large enough, fast enough attack can still get through, of course, but its defining weakness is that it is impossible to miss: the spike in failed logins trips lockout thresholds and alerts the moment it starts, and security professionals can react immediately.

Of course, the hackers know this, and have been looking for ways around the problem. How can they launch an attack that will go unnoticed?

Now, it seems that they have a viable answer: low and slow.

It requires patience. Rather than hitting hard and all at once, the attackers use a small number of source machines and a low attempt rate to stay under the radar: a handful of guesses per account per day never reaches a lockout threshold or a failed-login alert. They often spread a campaign over weeks or months and rotate between several target companies, on the theory that if no alarm fires, nobody goes on high alert and they can keep chipping away until they get lucky and break in.

It hasn’t worked so far, but the approach did go unnoticed for months before Skyhigh Networks (now Skyhigh Security) spotted the pattern and dubbed the campaign KnockKnock.

The campaign is an especially clever one. It has been running since May 2017, and it targets not individuals’ mailboxes but accounts that exist to fulfil other corporate functions: service automation, marketing and other system accounts.

Why those? Most such accounts have no two-factor authentication and nobody watches their inboxes closely, so a compromise is unlikely to be noticed, and mail sent from a familiar corporate system address is more likely to get its links clicked.

Nothing is currently known about the group behind the attacks. They focus on high-value targets in financial services and healthcare and attempt to log in to Office 365 accounts, which would hand them a wealth of sensitive corporate information.

Although there’s no evidence that the attack has succeeded so far, it is as clever as it is insidious and worth defending against. From a practical standpoint, the strongest moves are to require two-factor authentication on every one of those system and shared mailboxes, to block the legacy authentication protocols that bypass it, and to alert on failed sign-ins aggregated per source address over a long window rather than only on per-account bursts.
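The aggregation just described is easy to prototype. The script below is an added example, not code from the original article or from Skyhigh: it groups sign-in failures by source address and flags sources that touch many accounts at a rate too low for any lockout to fire. The records it runs on are constructed; in practice they would come from Office 365 Unified Audit Log "UserLoginFailed" events or Azure AD sign-in logs, and the field names (Time, User, SourceIp) and thresholds are assumptions.

```powershell
# Added example (not from the original article or from Skyhigh): flag a
# low-and-slow password spray from sign-in failure records. Field names and
# thresholds are assumptions; the sample records below are constructed.

function Find-LowAndSlowSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,
        [int]    $MinDistinctUsers    = 5,   # breadth: one source probing many accounts
        [double] $MinSpanDays         = 7,   # patience: activity spread over a week or more
        [double] $MaxPerAccountPerDay = 2    # rate so low that no lockout threshold fires
    )
    $Failures | Group-Object -Property SourceIp | ForEach-Object {
        $events   = @($_.Group | Sort-Object -Property Time)
        $users    = @($events | ForEach-Object { $_.User } | Sort-Object -Unique)
        $spanDays = ($events[-1].Time - $events[0].Time).TotalDays
        # attempts per account per day, with a one-day floor so a burst is not divided by ~0
        $rate     = $events.Count / $users.Count / [Math]::Max($spanDays, 1)
        $isSpray  = ($users.Count -ge $MinDistinctUsers) -and
                    ($spanDays -ge $MinSpanDays) -and
                    ($rate -le $MaxPerAccountPerDay)
        [pscustomobject]@{
            SourceIp         = $_.Name
            Attempts         = $events.Count
            DistinctAccounts = $users.Count
            SpanDays         = [Math]::Round($spanDays, 1)
            PerAccountPerDay = [Math]::Round($rate, 2)
            LowAndSlow       = $isSpray
        }
    }
}

# --- constructed sample ----------------------------------------------------
$start    = [datetime]'2017-05-01T02:00:00'
$accounts = 'svc-automation','marketing','noreply','helpdesk','scanner','reports' |
            ForEach-Object { "$_@example.com" }

# 1. KnockKnock-style probing: one guess per system account per day for a month
$sample = @(foreach ($day in 0..29) {
    for ($i = 0; $i -lt $accounts.Count; $i++) {
        [pscustomobject]@{ Time = $start.AddDays($day).AddHours(3 * $i); User = $accounts[$i]; SourceIp = '203.0.113.10' }
    }
})
# 2. A classic loud brute force: 300 failures against one mailbox inside an hour
$sample += @(foreach ($n in 1..300) {
    [pscustomobject]@{ Time = $start.AddMinutes($n / 5); User = 'cfo@example.com'; SourceIp = '198.51.100.7' }
})
# 3. An employee mistyping a password twice
$sample += @(1, 2 | ForEach-Object {
    [pscustomobject]@{ Time = $start.AddDays(3).AddMinutes($_); User = 'alice@example.com'; SourceIp = '192.0.2.5' }
})

Find-LowAndSlowSpray -Failures $sample | Format-Table -AutoSize
```

On the sample, only 203.0.113.10 is flagged: 180 failures spread over six accounts and 30 days works out to about one attempt per account per day, far below any lockout setting, yet the breadth over time is unmistakable once failures are grouped by source rather than by account. The loud brute force from 198.51.100.7 is deliberately not flagged here; existing per-account alerting already catches it. Tune the three thresholds to your own tenant, and remember that a single tenant sees only its own slice of a campaign that rotates between companies.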

Top Subject People Fall Victim To Is – Data Breach Notification

For hackers around the world, success breeds more success, it seems.

A company called KnowBe4 has released a report entitled “Top Ten Global Phishing Email Subject Lines For Q3 2017.” To prepare it, they analyzed email subject lines from simulated phishing tests to determine what the most effective approach was.

Their findings were that “Official Data Breach Notification” was the hands-down winner, generating far more click-throughs than any other.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer had this to say about the report:

“Phishing attacks are responsible for more than 90% of successful cyber-attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats.

We see urgency and fear of a breach as the drivers. We have over 1400 templates and a concentration of themes so we know what is highly effective. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders, and their clients to prevent phishing schemes.”

Wise words. The first step on the path to prevention is knowing which triggers are most effective, which makes the KnowBe4 report valuable to security teams regardless of what business your company is in.

The irony, however, is inescapable.

The reason that “Official Data Breach Notification” is such a devastatingly effective phishing subject line is simply that the hackers have been devastatingly effective. Barely a day goes by without a grim headline recounting the woes of yet another company suffering yet another massive breach, with hundreds of thousands, millions, or more consumer records stolen.

They are, in a very real sense, leveraging the power of their own success to become even more successful, and that’s sadly not likely to change anytime soon.

Files Containing Nearly 1.5 Billion Passwords Leaked On The Internet

Researchers at the security firm 4iQ have made a disturbing discovery on the dark web: a repository containing a staggering 1.4 billion username and password pairs in plain text.

The repository is well organized, with each letter of the alphabet having its own directory to facilitate rapid search, and 4iQ has tested a subset of the data it contains and found an alarming percentage of the usernames and passwords to be viable.

It should be noted that this isn’t a new, previously unknown breach, but rather an aggregation of credentials stolen in 252 previous breaches. The CTO of 4iQ, Julio Casal, had this to say about the discovery:

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true. The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo lists that exposed 797 million records. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The usernames and passwords come from a wide range of sources including Runescape, Minecraft, RedBox, Badoo, Zoosk, Last.FM, YouPorn, Netflix, MySpace, LinkedIn, Pastebin, Bitcoin and many others.

What’s even worse is that, as large as this collection is, it’s really just the tip of the iceberg. A shocking percentage of users reuse the same credentials across multiple sites, so it’s a statistical certainty that many of the pairs in this file will unlock accounts far beyond the sites they were stolen from; that is exactly what credential-stuffing tools are built to exploit.

If you’re one of the hundreds of millions of people who use the same password on multiple sites, it’s well past time to break that habit: use a unique password for every site (a password manager makes that painless), turn on two-factor authentication wherever it’s offered, and change any password you know has appeared in a dump like this one.

Data Breach Costs Hilton $700,000 In Settlement

Hilton Hotels is in hot water, having agreed to pay $700,000 in a settlement with the states of New York and Vermont over the company’s mishandling of a pair of recent data breaches.

According to official statements released by investigators, the company was found to have made two glaring errors: failing to maintain reasonable data security, and failing to notify victims of the data breach in a timely manner.

The second was seen as particularly egregious, given that the company waited more than nine months to notify its customers of the first of the two breaches. Eric T. Schneiderman, the Attorney General of the state of New York, said:

“Businesses have a duty to notify consumers in the event of a breach and protect their personal information as securely as possible.

Lax security practices like those we uncovered at Hilton put New Yorkers’ credit card information and other personal data at serious risk. My office will continue to hold businesses accountable for protecting their customers’ personal information.”

According to the particulars of the agreement, New York State will receive $400,000 of the damages, and Vermont will receive $300,000.

The lesson here is as simple as it is painful: if you don’t implement reasonable security for your customers’ data, or don’t inform affected customers promptly, you will eventually pay the consequences.

Those consequences took two forms. First and most obvious is the payment itself. Hilton is a large corporation with deep pockets, but $700,000 isn’t exactly pocket change, and it’s bound to sting. Second, the company lost an enormous amount of face with its customers and tarnished its reputation. The lost trust will take far longer to rebuild than it will take the company to make up the financial loss.

File this one away under how not to handle a data breach.

Report Shows Small Percentage Of Employees Know About Ransomware

The statistics are alarming. Ransomware is fast becoming the favored tool of hackers worldwide. Barely a week goes by without a new strain appearing in the wild, with expensive, and often tragic, consequences. Right now, the average amount paid by office workers hit by a ransomware attack is $1,400, a figure that continues to climb.

What’s perhaps even more alarming, however, is the fact that although companies the world over have made a concerted effort to sound the alarm on the danger this type of software represents, no more than 30 percent of knowledge workers have any real understanding of the dangers that ransomware poses, according to Intermedia’s 2017 Data Vulnerability Report.

One of the most curious findings of the report was the fact that employees more often shoulder the costs of ransomware payments than employers do, with fully 59 percent of impacted employees paying the ransom out of their own pockets.

Unfortunately, small and medium-sized businesses are particularly vulnerable to this large and growing threat. Jonathan Levine, Intermedia’s CTO, had this to say on the topic:

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat. This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must afford, and hackers realize this.”

Perhaps most distressing of all, 19 percent of the time the files are never unlocked even when the ransom is paid, which makes paying a bad gamble; tested, offline backups are the only reliable way out. If you run a company of any size, make sure your employees from top to bottom fully appreciate the threat this attack vector poses.

New Ransomware “BadRabbit” Starting To See Infections In The US

You may not have heard of the new strain of ransomware known as BadRabbit. If you haven’t, it’s because the overwhelming majority of BadRabbit infections have been in Russia, which accounts for 71 percent of known cases at present. Unfortunately, a few infections have been reported in the United States, which may be a harbinger of things to come.

The new threat is functionally similar to NotPetya. It arrives as a fake Adobe Flash Player update served from compromised websites, spreads across the network over SMB using a list of hard-coded credentials plus credentials harvested from the infected host, encrypts the files on the target system, and then uses a bundled copy of the legitimate DiskCryptor driver to encrypt the disk and replace the bootloader, so the victim is greeted by a ransom lock screen before the OS can even boot.

Fortunately, there are simple things you can do to help protect yourself from this latest threat.

Event Log Monitoring

Windows Defender Antivirus detects the threat (as Ransom:Win32/Tibbar.A) provided you’re running definition update 1.255.29.0 or higher. If you haven’t updated to that version, do so immediately.

Once that is done, be aware that BadRabbit creates scheduled tasks named “viserion_” (possibly followed by a number), “rhaegal” and “drogon” to run its disk encryptor and force a reboot. Any of these names is a clear sign of an infection in progress on your network. Administrators can catch it by enabling auditing of scheduled-task creation (Security event ID 4698, under the “Other Object Access Events” audit subcategory) and attaching an event-triggered scheduled task of their own that runs a response command when one of these names appears, for example “shutdown -a” to abort the reboot BadRabbit has scheduled. That doesn’t undo encryption already under way, but it buys time to pull the machine off the network.

Obviously, this can get complicated. We would highly recommend you reach out to us not only to scan your network for this threat, but to evaluate your entire network for other vulnerabilities. Ransomware is shutting down businesses on a global scale; if you aren’t proactive, you can easily find yourself locked out of your own network.
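The hunt-and-respond procedure above, as an added example that is not code from the original article or from Microsoft: the script lists any matching tasks currently registered, searches the Security log for 4698 events that created one, and installs a responder task that fires on every 4698 and aborts the pending reboot. It must run from an elevated prompt, 4698 is only written when success auditing is enabled for “Other Object Access Events” (auditpol /set /subcategory:"Other Object Access Events" /success:enable), and the responder script path is an assumption.

```powershell
# Added example (not from the original article or from Microsoft): hunt for
# BadRabbit's scheduled tasks and register a responder that aborts the reboot
# it schedules. Requires an elevated prompt and success auditing of
# "Other Object Access Events" (Security event ID 4698).

$BadRabbitTaskPatterns = 'viserion*', 'rhaegal', 'drogon'   # names reported for BadRabbit

function Test-BadRabbitTaskName {
    param([string] $TaskName)
    $leaf = $TaskName -replace '^\\', ''          # 4698 records the name as \rhaegal
    foreach ($pattern in $BadRabbitTaskPatterns) {
        if ($leaf -like $pattern) { return $true }
    }
    return $false
}

function Get-TaskNameFromEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
}

function Find-BadRabbitTasks {
    # Tasks registered right now on this host
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { Test-BadRabbitTaskName $_.TaskName } |
        ForEach-Object { [pscustomobject]@{ Source = 'Registered'; TaskName = $_.TaskName; Time = $null } }

    # Task-creation events already in the Security log
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = Get-TaskNameFromEvent $_
            if (Test-BadRabbitTaskName $name) {
                [pscustomobject]@{ Source = 'Event 4698'; TaskName = $name; Time = $_.TimeCreated }
            }
        }
}

# Responder body: fires on every 4698 and checks the newest task names itself,
# because the Event Log XPath subset has no substring matching.
$ResponderScript = @'
$patterns = 'viserion*', 'rhaegal', 'drogon'
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
foreach ($e in $recent) {
    $name = (([xml]$e.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text' -replace '^\\', ''
    foreach ($p in $patterns) {
        if ($name -like $p) {
            shutdown.exe /a        # abort the pending reboot; file encryption may still be running
            exit
        }
    }
}
'@

function Register-BadRabbitResponder {
    param([string] $ScriptPath = 'C:\Tools\Stop-BadRabbitReboot.ps1')   # assumed; keep the path free of spaces
    New-Item -ItemType Directory -Force -Path (Split-Path $ScriptPath) | Out-Null
    Set-Content -Path $ScriptPath -Value $ResponderScript -Encoding ASCII
    $action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
    schtasks.exe /Create /F /TN BadRabbitResponder /RU SYSTEM /SC ONEVENT /EC Security `
        /MO '*[System[EventID=4698]]' /TR $action
}

Find-BadRabbitTasks | Format-Table -AutoSize
# Register-BadRabbitResponder   # uncomment to install the responder
```

Treat a hit as an incident, not a fixed problem: shutdown /a only cancels the scheduled reboot, the file encryption continues, the malware can re-schedule, and the host is already spreading over SMB. Isolate it from the network, preserve the Security log and the task XML for forensics, and restore from backup.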

BadRabbit is just the latest in hackers’ arsenal of ransomware and threats on your network. If you are as concerned as we are, give us a quick call.

Facebook Has A Major Problem With Fake Accounts

Facebook has been in hot water as evidence mounts that hordes of fake accounts were used to spread misinformation around the 2016 presidential election.

In addition to sparking congressional hearings, it also prompted Facebook and the other major social media companies to do a deep dive into their own active accounts and get a better sense of just how large and pervasive the problem was.

According to Facebook’s most recent quarterly report, the problem turned out to be a fair bit larger than first imagined. The company changed its methodology for identifying fake accounts and now estimates that roughly 10 percent of its monthly active users are duplicate accounts, with a further 2 to 3 percent, more than 60 million, being outright bogus: about 13 percent in all.

Facebook’s founder and CEO, Mark Zuckerberg, said on the earnings call: “We’re serious about preventing abuse on our platforms. We’re investing so much in security that it will impact our profitability. Protecting our community is more important than maximizing our profits.”

The problem is going to wind up costing Facebook in a number of ways. First and most obvious, of course, is the unwanted attention caused by the congressional hearings themselves, and the loss of trust it creates in the platform.

More immediately, there’s also the factor addressed directly by Zuckerberg in his statement. The company is spending a ton of money on improving security and rooting out and shutting down duplicate and fake accounts. As he indicated, it’s having an impact on their profitability.

It’s also impacting the company’s ability to generate ad revenue, which, of course, is based on the number of actual users the company can claim are viewing ads. With more than a quarter of a billion duplicate and fake accounts in the system, the network is simply less attractive to advertisers.

There are no simple solutions here, but kudos to Facebook for making significant investments to rein the problem in.

2017 List Of Most Used Passwords Released

SplashData has released their latest annual report on the most commonly used passwords. Unfortunately, the more things change, the more they stay the same.

By now, everyone knows that hacking attempts and high-profile data breaches are on the rise. Everyone has heard, on more than one occasion, not to reuse a password across multiple sites, to enable two-factor authentication wherever it is offered, and to use long passwords built from a mix of letters, numbers and symbols so they are harder to crack.

Although these are things that everyone knows, the wisdom embedded in the advice above often goes unheeded. According to the data collected by aggregating passwords leaked in data breaches over the past year, the most commonly used password for 2017 is “123456,” followed closely by the ubiquitous “password.” These are unchanged from last year.

The rest of the top 25 list contains a mix of the old and the new (SplashData publishes the entries in lowercase, as they were found), including:

  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
  • welcome
  • monkey
  • login
  • abc123
  • starwars
  • 123123
  • dragon
  • passw0rd
  • master
  • hello
  • freedom
  • whatever
  • qazwsx
  • and trustno1

If you use any of these passwords, we urge you to change them immediately. As much as is at stake, you’re putting yourself, your friends and your coworkers at grave risk by using passwords that every cracking wordlist tries first.
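Banning the 25 strings above verbatim is not enough, because “Passw0rd” is already on the list and “Qwerty123” or “P@$$word1!” are what people type when a policy rejects the plain word. The check below is an added example, not from the original article or from SplashData: it normalizes a candidate password (lowercase, common letter-for-symbol substitutions, trailing digits and punctuation stripped) before comparing it against the list, so the obvious variants are caught too. The substitution map and the set of normalizations are assumptions; a real deployment would use a far larger blocklist drawn from breach dumps.

```powershell
# Added example (not from the original article or from SplashData): reject a
# password if it, or a trivially de-obfuscated form of it, is on the 2017
# SplashData list. The leet map and normalization rules are assumptions.

$WorstPasswords = @(
    '123456','password','12345678','qwerty','12345','123456789','letmein','1234567',
    'football','iloveyou','admin','welcome','monkey','login','abc123','starwars',
    '123123','dragon','passw0rd','master','hello','freedom','whatever','qazwsx','trustno1'
)

# common symbol/digit stand-ins for letters (assumed set)
$LeetMap = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '4' = 'a'; '5' = 's'; '7' = 't'; '@' = 'a'; '$' = 's' }

function ConvertFrom-Leet {
    param([string] $Text)
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($LeetMap.ContainsKey($c)) { $LeetMap[$c] } else { $c }
    })
}

function Test-WeakPassword {
    param([Parameter(Mandatory)] [string] $Password)
    $lower   = $Password.ToLowerInvariant()
    $decoded = ConvertFrom-Leet $lower
    # each normalization is tried in turn; the first hit explains why it was rejected
    $candidates = [ordered]@{
        'exact match'                   = $lower
        'leet substitution'             = $decoded
        'trailing digits/symbols'       = ($lower   -replace '[\d\W_]+$', '')
        'leet + trailing digits/symbols' = ($decoded -replace '[\d\W_]+$', '')
    }
    foreach ($reason in $candidates.Keys) {
        $form = $candidates[$reason]
        if ($form -and ($WorstPasswords -contains $form)) {
            return [pscustomobject]@{ Password = $Password; Weak = $true; Matches = $form; Reason = $reason }
        }
    }
    [pscustomobject]@{ Password = $Password; Weak = $false; Matches = $null; Reason = $null }
}

# constructed inputs: three variants of listed passwords and one that is not listed
'Passw0rd', 'Qwerty123', 'P@$$word1!', 'Tr0ub4dor&3' |
    ForEach-Object { Test-WeakPassword -Password $_ } |
    Format-Table -AutoSize
```

The first three inputs are rejected (“passw0rd” directly, “qwerty” after the suffix is stripped, “password” after both substitutions and the suffix are undone) while the last passes this check. Passing it only means the password is not a cosmetic variant of a top-25 entry; length and uniqueness per site still matter more than any composition rule.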

SplashData’s CEO Morgan Slain had this to say on the topic:

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use. Hackers are using common terms from pop culture and sports to break into accounts online because they know how many people are using those easy-to-remember words.”