At a glance.
- Credential stuffing campaign against J. Crew customers disclosed.
- Incident leads Tesco to re-issue customer loyalty cards.
- Customer data at risk in T-Mobile employee email compromise.
- Cathay Pacific fined over customer data exposure.
- GCHQ's advice on webcams.
J. Crew customer data exposed in credential stuffing incident.
Clothing retailer J. Crew has warned some customers that it sustained a data breach in April of 2019. The store disabled an unknown number of accounts that were exposed in the attack. It’s asked the affected customers to contact J. Crew's Customer Care Center to restore those accounts.
BleepingComputer says the incident was a credential stuffing attack. In credential stuffing attacks, the bad actors use big collections of username and password combinations which they try against targeted accounts. Sometimes they get hits. The tactic works because people tend to use the same usernames and passwords across multiple accounts. If one account is compromised, the credentials can be tried elsewhere. There’s a thriving underworld market for stolen credentials, and credential stuffing is a big reason why that particular crime pays.
In addition to writing affected customers, J. Crew has also notified California’s Attorney General. TechCrunch wonders why it took J. Crew almost a year to disclose the breach. A spokesman told the news outlet that “routine web scanning” detected improper access, and customers were “promptly notified,” but there’s some vagueness here--it’s unclear, for example, when the scanning took place, or when the anomalies were detected.
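A defender's view of the credential stuffing pattern described above, as an added example that is not from the original article or from J. Crew: it flags a source that tries many distinct accounts with mostly failed logins, and lists the accounts that did log in so they can be disabled or reset. The event tuples, IP addresses, function names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i % 25 == 0) for i in range(50)]  # many accounts, few hits
    + [("198.51.100.4", "alice@example.com", False)] * 3   # one customer mistyping a password
    + [("198.51.100.4", "alice@example.com", True)]
    + [("192.0.2.9", "bob@example.com", False)] * 40       # guessing against ONE account
)

def summarize(events):
    """Group login events by source IP: attempts, failures, distinct usernames, hit accounts."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(events, min_users=20, min_fail_ratio=0.8):
    """Return {ip: accounts_with_successful_login} for sources that look like stuffing.

    Thresholds are illustrative assumptions, to be tuned against real traffic.
    """
    flagged = {}
    for ip, s in summarize(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        # Stuffing signature: breadth across many accounts, not depth against one.
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for ip, hits in flag_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing; successful logins to review: {hits}")
```

Grouping by source IP is a simplification; traffic spread across many addresses needs another grouping key, such as a client fingerprint or a time window over the whole login endpoint.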
Credential stuffing affects Tesco loyalty program.
The big British supermarket chain Tesco has responded to a credential-stuffing campaign against shoppers who use its loyalty cards by re-issuing some six-hundred-thousand new cards to its customers. Tesco told the BBC that its own systems had not been breached, but that customer loyalty accounts had been, and that criminals may have attempted to steal benefits customers had earned through their purchases.
Compromise of T-Mobile employee email accounts could expose some customer data.
T-Mobile has warned customers that an attack on its email provider resulted in the compromise of a relatively small number of employee email accounts. This is of concern to customers because some of the employee emails that could have been accessed by the attackers contained customer information. That information might have included, T-Mobile said, “customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information.” Credit card and Social Security numbers were not, the company added, at risk. They’ve closed the breach and are working with Federal law enforcement agencies to investigate.
Airline fined for exposing customer data.
According to the BBC, Cathay Pacific Airways has been fined £500,000 for failure to protect its customers' data. The UK's Information Commissioner's Office said the airline's failure to ensure "appropriate security" between October 2014 and May 2018 exposed the data of some 9.4 million persons. Among the data at risk were names, passport details, dates of birth, phone numbers, addresses and travel history.
Britain's GCHQ invites you to keep your webcam from oversharing.
Among other advice security services are proffering these days comes this: three quick and easy steps to keeping your webcam from displaying you all over the Internet, as reported by the Register:
- Replace the default password with a good password of your own.
- Regularly update your security software.
- If you don't remotely access your camera, then disable that feature.
All good advice. They don't mention putting an opaque piece of tape over the camera, but you could do that, too. Just set it and forget it.