Data Breach


Web host Hostinger says data breach may affect 14 million customers

Hostinger said it has reset user passwords as a “precautionary measure” after it detected unauthorized access to a database containing information on millions of its customers.

The breach is said to have happened on Thursday. The company said in a blog post it received an alert that one of its servers was improperly accessed. Using an access token found on the server, which can give access to systems without needing a username or a password, the hacker gained further access to the company’s systems, including an API database. That database contained customer usernames, email addresses, and passwords scrambled with the SHA-1 algorithm, which has been deprecated in favor of stronger algorithms after researchers found SHA-1 was vulnerable to spoofing. The company has since upgraded its password hashing to the stronger SHA-2 algorithm.

Hostinger said the API database stored about 14 million customer records. The company has more than 29 million customers on its books.

The company said it was “in contact with the respective authorities.”

An email from Hostinger explaining the data breach. (Image: supplied)

News of the breach broke overnight. According to the company’s status page, affected customers have already received an email to reset their passwords.

The company said that financial data was not compromised, nor were customer website files or data affected.

But one customer who was affected by the breach accused the company of being potentially “misleading” about the scope of the breach.

A chat log seen by TechCrunch shows a customer support representative telling the customer it was “correct” that customers’ financial data can be retrieved by the API but that the company does “not store any payment data.” Hostinger uses multiple payment processors, the representative told the customer, but did not name them.

Chief executive Balys Kriksciunas told TechCrunch that the remarks made by the customer support representative were “misleading” and denied any customer financial data was compromised. A company investigation into the breach, however, remains under way.

Updated with remarks from Hostinger.

Capital One’s breach was inevitable, because we did nothing after Equifax

Another day, another massive data breach.

This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Consumers and small businesses affected are those who obtained one of the company’s credit cards dating back to 2005.

That includes names, addresses, phone numbers, dates of birth, self-reported income and more credit card application data — including over 140,000 Social Security numbers in the U.S., and more than a million in Canada.

The FBI already has a suspect in custody. Seattle resident and software developer Paige A. Thompson, 33, was arrested and detained pending trial. She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.

Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had — and hid from the public for several months — two years prior.

Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action.

Equifax’s chief executive Richard Smith “retired” before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened. An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine — which amounted to about 20% of the company’s annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly.

Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before — technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

Mark Warner, a Democratic senator serving Virginia, along with his colleague since turned presidential candidate Elizabeth Warren, was tough on the company, calling for it to do more to protect consumer data. With his colleagues, he called on the credit agencies to face penalties to the top brass and extortionate fines to hold the companies accountable — and to send a message to others that they can’t play fast and loose with our data again.

But Congress didn’t bite. Warner told TechCrunch at the time that there was “a failure of the company, but also of lawmakers” for not taking action.

Lo and behold, it happened again. Without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.

Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.

The Equifax incident should have sparked a fire under the credit giants. The breach was the canary in the coal mine. We watched and waited to see what would happen as the canary’s lifeless body emerged — but, much to the American public’s chagrin, no action came of it. The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.

Companies continue to vacuum up our data — knowingly and otherwise — and don’t do enough to protect it. As much as we can have laws to protect consumers from this happening again, these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.

We had an opportunity to stop these kinds of breaches from happening again, yet in the two years that have passed we’ve barely grappled with the basic concepts of internet security. All we have to show for it is a meager fine.

Thompson faces five years in prison and a fine of up to $250,000.

Everyone else faces just another major intrusion into their personal lives. Not at the hands of the hacker per se, but the companies that collect our data — with our consent and often without — and take far too many liberties with it.

100 million Americans’ data accessed in massive Capital One hack

Well, this is not good. 

Finance services giant Capital One announced Monday that there had been a major cybersecurity incident directly affecting 100 million Americans and six million Canadians. Specifically, a host of their customers’ private financial data had been accessed by a hacker. 

According to a statement issued by the company, two separate breaches occurred — once on March 22 and another on March 23 — and were discovered on July 19.

Bloomberg reports that a Seattle woman has been arrested and accused of hacking Capital One’s server at an unnamed cloud-computing company.

Notably, it seems that although the customer data in question was encrypted, the hacker was able to decrypt it.

Scientist at centre of Facebook scandal didn’t think data would be used to target voters

The man who helped gather Facebook users’ information for Cambridge Analytica claims that he didn’t think it’d be used to target voters.

Data scientist Aleksandr Kogan, who also goes by the surname of Spectre, told CNN’s Anderson Cooper on Tuesday that he was “heavily siloed” from knowing about the UK data firm’s clients and funders, who are linked to the 2016 Trump election campaign.

“I found out about Donald Trump just like everybody else, through the news,” Kogan told the program. 

Exclusive: Aleksandr Kogan, the data scientist who worked with Cambridge Analytica to harvest data, tells @AndersonCooper he didn’t know they would use the data to target voters. Full interview, tonight on 9p ET, on @CNN https://t.co/9L3itGMW79 pic.twitter.com/z4ny9vytCp

— Anderson Cooper 360° (@AC360) March 21, 2018

Singapore's Ministry of Defence suffers its first successful cyberattack

A cyberattack on the Defence Ministry of Singapore’s internet system (I-net) has resulted in the personal data of 850 employees and conscripted military personnel being stolen.

The stolen data includes national identity (NRIC) numbers, telephone numbers and dates of birth.

No classified military data was stolen in the breach of the I-net system, the government said, as reported by Channel NewsAsia.

The Ministry of Defence (Mindef) added that the purpose of the hack may have been “to gain access to official secrets.”

The attack, which originated online, “appeared to be targeted and carefully planned,” Mindef deputy secretary David Koh said.