At a glance.
- Wireless carriers apparently violated US Federal law in selling customer location data.
- Trello boards mistakenly set to "public" reveal sensitive information.
- Social Captain left user Instagram credentials exposed in plaintext.
- 2015 Ashley Madison breach resurfaces in a well-informed blackmail campaign.
FCC concludes carriers violated the law in sharing user geolocation information.
The US Federal Communications Commission today informed the House Committee on Energy and Commerce that the FCC's Enforcement Division had concluded that "one or more wireless carriers apparently violated Federal law" in their disclosure of real-time customer location data. TechCrunch says that in May of 2018 it learned, and reported, that all major wireless carriers were selling geolocation data to resellers.
Making Trello boards public exposes sensitive information.
Trello, the widely used collaboration platform, comes set by default to "private," but users all too often set their collaboration boards to "public," at which point they're indexed by search engines and fully available to the "public." The information exposed on the public boards, Naked Security reports, often has serious implications for user privacy--names, contact information, salary and financial data, performance reviews, and so forth. Trello users should review the settings of their boards and set them to "private" (there may be a good reason for setting a board to "public," but such cases are rare outliers). They should also be aware that data exposed earlier may well persist online in cached form.
Goosing follower numbers, but with a side of insecurity.
Social Captain, a start-up that offers to increase an Instagram account's following, was found, TechCrunch says, to be storing Instagram usernames and passwords in readily accessible plaintext. An unnamed security researcher provided TechCrunch with a scraped database that included about ten thousand user records. Some forty-seven hundred of those were full Instagram credentials--both username and password. After being alerted by TechCrunch, Social Captain prevented users from directly accessing other users' profiles, but that's a partial solution at best. Instagram recommends that people who signed on with Social Captain change their passwords, and it's taking a look at Social Captain's activities generally.
More delayed fallout from the Ashley Madison breach.
Ashley Madison, the adultery facilitation site breached in 2015, has returned to the news. Researchers at Vade Secure have found data stolen in that hack resurfacing in highly specific blackmail attempts against former customers of the online networking service. The extortion emails are rich in the corroborative detail normally missing from the sort of spray-and-pray scareware pop-up that says the police are on to you for visiting sites you shouldn't.
They include details on users' credit card transactions, descriptions of specific purchases, and such things as the interests and preferences the users reported when they first signed up. The blackmail is clever in that the ransom demand is contained in a password-protected PDF attached to the email, the better to make it past filters.