Over a Billion Stolen Credentials Amassed

Earlier this month, the NY Times reported that a Russian crime ring has amassed 1.2 billion username and password combinations and more than 500 million email addresses from the Internet. According to security firm Hold Security, many of the sites from which the credentials were stolen are still vulnerable.

There is a concern among the security community that keeping personal information out of the hands of thieves is increasingly a losing battle. Last December, 40 million credit card numbers and 70 million addresses, phone numbers and additional pieces of personal information were stolen from Target by Eastern European hackers. This latest discovery, however, prompts security experts to call for improved identity protection on the web.

Read the full story online.

As a result of the large number of usernames and passwords that have fallen into the hands of criminals, one NY Times reporter came up with a two-step plan to prevent hackers from getting into his online accounts. He contacted all of the companies with which he does online financial transactions to find out whether they support multi-factor authentication. He writes about his experience here.

If you are concerned about your online accounts and whether they are secure enough, you may want to take some similar steps or be proactive in other ways. One suggestion I would make — until all companies offer multi-factor authentication — is to update your passwords on a regular basis and manage them using a password manager such as LastPass, 1Password or KeePass.

The eBay Data Breach

On May 21, eBay announced that it had suffered a major data breach, exposing personal data of up to 233 million registered users. The company is now being investigated by three states in a joint probe into its security practices.

eBay has been criticized for taking three months to notice the breach and then a few more weeks before making an announcement. No mass email was sent, but the company did post a warning on its website, originally with a “learn more” link that led to a blank page (now fixed).

eBay is telling all customers to reset their passwords. Members who used the same password at other sites should change their passwords on those sites as well.

The data was stolen using a number of compromised employee credentials, according to eBay. With those credentials, the thieves were able to access the company’s corporate network.

What did the thieves get? There was no financial or other confidential personal information in the compromised database. But the thieves did get hold of real names, email addresses, phone numbers and home addresses of customers in addition to their passwords, which were encrypted.

Read the story in the news here and here.

The Story Behind the Breach at Neiman Marcus Group

Last week I shared the Business Week article that explains how Target stores were breached and credit and debit card information was stolen. This week I found a similar article on the breach at Neiman Marcus stores.

It is almost certain that the Neiman Marcus breach was carried out by a different group of hackers than the one behind the Target breach, because of the different method and code style used. According to the investigation, card data was stolen from July through October 2013. The number of cards exposed is less than 350,000, a much smaller number than first estimated.

Similar to the Target attack, the hackers moved unnoticed through the company’s computers for several months, sometimes tripping hundreds of alerts daily. Although the anomalous behavior was logged by the company’s centralized security system, that system did not recognize the code as malicious or expunge it. It is unclear why the alerts weren’t investigated at the time.

According to the investigative report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred. Data-security requirements were tightened again this year after a rash of thefts that also included Target and Michaels Stores.

Read the full story at businessweek.com.

FTC May Charge Target for Failure to Protect

Following up on the Target, Inc. breach, the FTC has been in contact with the corporation but has not commented on whether it has launched a formal investigation. Former commission officials, however, say the agency is taking a hard look at the incident, which resulted in 40 million credit card numbers falling into the hands of cyber criminals.

The FTC polices data security under its legal authority over “unfair” business practices. Companies have a responsibility to take “reasonable and appropriate” steps to protect the data they collect from consumers, according to FTC lawyers.

Congress is considering legislation that would expand the FTC’s authority to allow it to fine companies for inadequate data security. Currently the agency can force a company to change its practices, but it cannot punish companies.

Read the full story in the news.

The Story Behind the Breach at Target, Inc.

Businessweek.com has written an in-depth article and posted a video explaining how Target stores were breached and their systems infected with malware, leading to one of the biggest data thefts in retail history. According to the investigation conducted after the discovery of the theft, Target employees failed to respond to several alerts raised by their security system, provided by FireEye. Had Target security staff responded appropriately to the alarms, they could have prevented the transmission of the stolen credit card data.

Even without human intervention, the breach could have been stopped, according to the article. “The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off.” While not unusual, turning that option off puts pressure on a team to quickly find and neutralize the infected computers.

It was clear, according to the article, that Target was getting warnings of a serious compromise; even the company’s Symantec antivirus system identified suspicious behavior over several days around Thanksgiving – pointing to the same server identified by FireEye.

Read the full story on Businessweek.com.

The University of Maryland Data Breach

University of Maryland President Wallace D. Loh has disclosed a breach of a university database that compromised personal information of more than 300,000 students and staff members.

The incident affects anyone who was associated with the university’s College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data.

Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.

Read the full story in the news.

Yahoo! User Data Compromised

Last week Yahoo announced that the usernames and passwords of about 450,000 of its email customers were stolen. As a result, Yahoo believes attackers have been able to gather personal information on its email customers’ contacts.

Users who were affected will get a prompt to change their passwords when they log in, and Yahoo also sent out email and SMS notifications. It is probably not a bad idea for all Yahoo email customers to reset their passwords.

Yahoo believes, based on its findings, that the usernames and passwords were obtained from a third-party database compromise, and it has no evidence that they were taken from Yahoo’s own systems. That third party has not been identified, but experts note that attackers are increasingly breaching their targets by cracking systems that belong to the target’s business partners.

Read the full story online.
