At a glance.
- DeKalb County email account exposed.
- Bookseller suffers data theft.
- Could vaccine passports cross privacy borders?
- WeTransfer phishing scam.
- Responses to Facebook data leak.
DeKalb County email account exposed.
The DeKalb County Department of Innovation and Technology, located in the US state of Georgia, was the victim of a data breach, the Champion reports. An email account for the county’s Tenant-Landlord Assistance Coalition program was stored on a server that was infiltrated in an “international cyberattack.” A spokesperson stated that the account and the server were shut down as soon as the attack was detected, and an investigation is underway to determine what data was accessed.
Throw the book at him.
OpIndia reports that a hacker allegedly stole data from India-based online secondhand bookseller Bookchor.com. According to a post on an underground hacking forum, the cyberthief breached the website and swiped the data of more than 500,000 users. The data dump included IP addresses, phone numbers, street addresses, and passwords hashed with unsalted MD5, which is easy to crack using tools readily available on the web.
Could vaccine passports cross privacy borders?
Money reports that, as the availability of the COVID-19 vaccine gives the world a light at the end of the pandemic tunnel, a virtual permission slip is being introduced: the vaccine passport. This digital pass, in the form of a QR code on your smartphone, would serve as evidence that the owner is vaccinated, and many see it as a way to prevent future outbreaks as we emerge from quarantine. Seventeen initiatives are being helmed by private companies and nonprofit organizations, like the Vaccine Credential Initiative (VCI) backed by Microsoft and Salesforce, and another under the auspices of the World Health Organization. J.P. Pollak, a co-founder of VCI’s Commons Project, points out that a vaccine passport would save individuals from exposing private data on paper vaccine records. However, the apps being created to store these passports would require access to each user’s private medical data, which raises concerns among privacy experts and could make users wary (as many countries’ tepid response to contact tracing apps affirms). Though governments like the Biden administration are offering guidance on vaccine passport initiatives and have stated that user privacy is key, the programs are being led by the private sector, which leaves the data vulnerable. Jeff Gary of Georgetown Law’s Institute for Technology Law & Policy states, “Once private companies, instead of just the government, have a hold of your data, you don’t have a whole lot of management or restriction on how a company can use that data.” One possible solution: make the app code open-source, so security experts can verify exactly how the data is being used.
WeTransfer phishing scam.
Avanan reports that a phishing operation is targeting users of WeTransfer, a popular file-sharing app. The victim receives a fake email that indicates someone is attempting to share a file. A link within the email directs the victim to a convincing replica of the WeTransfer website; only the invalid URL gives it away. The site asks the target to enter their credentials to retrieve the shared files, allowing scammers to harvest the victim’s data.
Responses to Facebook data leak.
As the CyberWire noted yesterday, the data of 533 million Facebook users -- data stolen in a 2019 breach -- resurfaced this week, posted online for free. In the wake of this massive data leak, several sources weigh in:
- CNET offers tips on how to determine if your data has been shared on the dark web. Mozilla’s Firefox browser has a free email address monitoring service, and Google’s Password Checkup tool can tell you if your login credentials have been exposed.
- Several experts gave Channel Futures their take on the significance of the reemergence of the Facebook data, despite the initial leak being fixed in 2019. “The breach was probably resold multiple times since then until the price lowered enough that a user decided to publicly expose it to generate a small profit and increase reputation,” says Ivan Righi, cyber threat intelligence analyst at Digital Shadows. “While the data may be old, it still holds a lot of value to cybercriminals.”
- Pedestrian TV offers advice to the 7.3 million Australians impacted by the breach, explaining some of the scams that might result.
- Business Today notes that Facebook CEO Mark Zuckerberg’s own data was included in the leak, and his phone number indicates that he uses chat app Signal, a more secure competitor to the Facebook-owned WhatsApp.
- Silicon Republic reports that approximately 1.5 million Irish users were exposed in the leak. Facebook is working with Ireland’s Data Protection Commission to confirm that the data is indeed the same data stolen in 2019 in order to avoid fresh penalties.
- SC Media asks whether Facebook’s business model, which many argue treats user data as a product to be sold, made the platform an easy target for cybercriminals.