Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
In a Friday SEC filing providing an update on its investigation of a recent security incident (that it will not call a breach, based on justifications that remain unclear), 23andMe says a bad actor was able to access 0.1 percent of the company’s accounts through credential stuffing. According to TechCrunch’s estimates, that 0.1 percent figure translates to around 14,000 accounts.
However, those accounts were used to access a “significant number of files containing profile information about other users’ ancestry” that users share when opting in to its DNA Relatives feature. How many is “significant”? 23andMe didn’t say.
The updates fix two WebKit vulnerabilities that “may have been exploited against versions of iOS before iOS 16.7.1,” according to an Apple support page. macOS Sonoma 14.1.2 is out, too, with fixes for the same vulnerabilities.
Long before the Sam Altman CEO Shuffle, OpenAI was already ducking questions about the training data used for products like ChatGPT. But 404 Media points out this report from AI researchers (including several from Google’s DeepMind team) who spent $200 and were able to pull “several megabytes” of training data just by asking ChatGPT to “Repeat the word ‘poem’ forever.”
Their attack has been patched, but they warn that other vulnerabilities may still exist.
The underlying vulnerabilities are that language models are subject to divergence and also memorize training data. That is much harder to understand and to patch. These vulnerabilities could be exploited by other exploits that don’t look at all like the one we have proposed here.
The identity management company now says that a report containing every support customer’s name and email address was stolen in a hack from two months ago:
While we do not have direct knowledge or evidence that this information is being actively exploited, we have notified all our customers that this file is an increased security risk of phishing and social engineering.
Not a good look for Okta, which is entrusted with securing thousands of major companies worldwide, including T-Mobile, Sonos, and OpenAI.
After launching its end-to-end encrypted cloud storage service on Windows in July, Proton has announced that it’s bringing it to macOS as well.
That means you can access all your stored files and photos from the macOS app, and it will sync across the Proton Drive apps for the web, Windows, Android, and iOS. Proton Drive is free for 1GB of data, with plans starting at $4.99 / month for 200GB.
The company behind the popular Blender 3D creation software has been under attack since November 18th, according to Blender COO Francesco Siddi, forcing multiple web services offline.
Blender websites like code, developer, docs, devtalk, download, and wiki remain unavailable, but most Blender.org functionality has since been restored. Siddi said in his latest update that the attack has “slowed.”
Update, November 22nd, 7:07AM ET: Added latest status information.
Senator Ron Wyden (D-OR) sent a letter to US Attorney General Merrick Garland with concerns about the “long-running dragnet surveillance program” that has allowed the government to obtain “trillions” of phone records for years, as first reported by Wired.
The letter states the White House pays AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Senator Wyden expresses concerns about the legality of the surveillance program, which was first made public in 2013, and urges the public release of information about the project.
What is unusual is the AlphV/BlackCat ransomware gang allegedly trying to pressure the company by filing a report (included below) with the Securities and Exchange Commission (SEC) accusing MeridianLink of failing to disclose a breach. However, the new rules requiring disclosure have some loopholes, and they don’t take effect until next month.
Samsung has disclosed a data breach affecting some customers of its UK e-store between July 2019 and June 2020, according to emails sent to customers shared on X, and verified by TechCrunch. Although financial data or passwords weren’t impacted, contact information like names, phone numbers, email addresses, and postal addresses were. The UK’s data watchdog, the Information Commissioner’s Office, is “making enquiries.”
Sources tell Reuters the FBI “struggled to stop” the group of hackers that waged attacks on MGM and Caesars Entertainment in September — even though the agency knew the identities “of at least a dozen members” for more than six months. Some of the hackers are even based in the US, Reuters reports.
McLaren Health Care says a ransomware attack resulted in the theft of personal data, including names, SSNs, dates of birth, and medical information for millions. The breach lasted from July 28th through August 22nd this year.
Reuters writes today that a “serious and ongoing” cybersecurity incident hit port operator DP World Australia, which controls 18 ports in the country. Home Affairs Minister Clare O’Neil said the company “manages almost 40% of the goods” shipped to and from Australia.
According to Reuters, the country’s cyber security coordinator says the situation could “continue for a number of days.”
Cybersecurity blogger Brian Krebs wrote today — a little over a year from his 2022 article describing the same issue — that anyone can usurp someone else’s Experian credit account simply by creating a new account.
He described what happens after you do so, based on his own experience regaining his own stolen Experian account:
After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.
At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.
The state government disclosed the breach in a notice posted to its website, stating that social security numbers, birthdates, and driver’s license numbers “may have been involved” in the incident:
On May 31, 2023, the State of Maine became aware of a software vulnerability in MOVEit, a third-party file transfer tool owned by Progress Software and used by thousands of entities worldwide to send and receive data. The software vulnerability was exploited by a group of cybercriminals and allowed them to access and download files belonging to certain agencies in the State of Maine between May 28, 2023, and May 29, 2023.
It adds that anyone who wants to know whether their data was affected by the breach can contact Maine’s dedicated call center.
The number of fake nudes on the top 10 websites that host AI-generated porn has increased by 290 percent since 2018, according to a recent report by The Washington Post, alongside a 149 percent rise in reported “sextortion” victims since 2019.
It’s unclear how many sextortion images are AI-generated, but the tools to create these deepfakes are easy to use and access — and already creating a problem in high schools.
[The Washington Post]
Starting with VPN apps, certain categories on the Google Play store will now show a banner to help users find trustworthy apps.
Google says in a blog post that the banners will tell users about the “Independent security review” badge the company introduced last year, signifying apps that have undergone independent audits to verify they comply with the OWASP global security standard.
Bricklink’s maintenance message doesn’t make things sound great. “We are currently investigating some unusual activity, so it’s too early to speculate further. We will share more information once it’s available.”
We’ve reached out to a Bricklink customer support email to try and learn more.
In a Friday news dump blog post, Okta chief security officer David Bradbury revealed that a threat actor had access to files for 134 customers. Stolen session tokens from support logs were used to hijack sessions for 5 Okta customers, of which three have been publicly identified: 1Password (which first alerted Okta of the problem), BeyondTrust, and Cloudflare.
For a period of 14 days, while actively investigating, Okta did not identify suspicious downloads in our logs. When a user opens and views files attached to a support case, a specific log event type and ID is generated tied to that file. If a user instead navigates directly to the Files tab in the customer support system, as the threat actor did in this attack, they will instead generate an entirely different log event with a different record ID.
Not a great look for an identity management company that is supposed to prevent this exact problem.
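The detection gap Bradbury describes is easy to reproduce: a rule that keys on the event generated when someone opens a file from a support case will never fire for a user who pulls the same files straight from the Files tab, because that path produces a different event type. The script below is an added example, not Okta’s code and not part of this post. The event names, log format and sample lines are constructed for illustration; Okta’s real event types are not given here. It parses a few log lines, runs the same bulk-access rule against a narrow and a broad set of event types, and returns which users each version flags.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical event type names. Okta's actual event types are not on the page;
# the only point is that the two access paths produce different events.
CASE_ATTACHMENT_VIEW = "support.case.attachment.view"  # opening a file from a case
FILES_TAB_DOWNLOAD = "support.files.download"          # fetching it from the Files tab

# Constructed sample log lines (not real Okta logs): one analyst browsing a case,
# and one account pulling many files straight from the Files tab.
SAMPLE_LOGS = """\
2023-10-02T10:01:00Z user=analyst1 event=support.case.attachment.view file=f-1001 case=C-17
2023-10-02T10:12:00Z user=analyst1 event=support.case.attachment.view file=f-1002 case=C-17
2023-10-02T11:00:00Z user=svc-support event=support.files.download file=f-2001
2023-10-02T11:00:40Z user=svc-support event=support.files.download file=f-2002
2023-10-02T11:01:15Z user=svc-support event=support.files.download file=f-2003
2023-10-02T11:02:05Z user=svc-support event=support.files.download file=f-2004
2023-10-02T11:02:50Z user=svc-support event=support.files.download file=f-2005
2023-10-02T11:03:30Z user=svc-support event=support.files.download file=f-2006
2023-10-02T15:30:00Z user=analyst2 event=support.files.download file=f-1003
"""


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a timezone-aware ts."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_bulk_file_access(events, watched_events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users with >= threshold watched events in any window.

    Only events whose type is in watched_events count, so the rule's coverage is
    exactly as wide as that set.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in watched_events:
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits within `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


# The narrow rule sees only case-attachment views; the broad one covers both paths.
NARROW_RULE = {CASE_ATTACHMENT_VIEW}
BROAD_RULE = {CASE_ATTACHMENT_VIEW, FILES_TAB_DOWNLOAD}


def compare_rules(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return {
        "narrow": flag_bulk_file_access(events, NARROW_RULE),
        "broad": flag_bulk_file_access(events, BROAD_RULE),
    }


if __name__ == "__main__":
    print(compare_rules())
```

Run against the sample, the narrow rule flags nobody, while the broad rule flags `svc-support` for six downloads inside a ten-minute window. The practical takeaway is the one Okta's own post implies: enumerate every event type a given action can produce before writing the detection, and review the rule whenever the application gains a new path to the same data.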
On Monday night, NHL and NBA fans in Detroit, Minnesota, Milwaukee, Dallas, and other places covered by Bally Sports (which operates regional sports networks spun off in the big Fox / Disney deal), who subscribe just to watch their local teams got mostly error messages instead of games.
Of course, it’s not Okta that still blacked out local access to the games via other platforms despite the outage.
BBC News reported that India’s opposition leaders received Apple threat notifications saying they’re “being targeted by state-sponsored attacks.” Apple says such notifications will provide steps for enabling its “extreme” Lockdown Mode.
Though it doesn’t identify the attackers, the leaders reportedly believe the source is the Indian government itself. BBC News says the government denies it.
“We’re so far from being a security minded company. Every time I hear about our head geeks talking about security I want to throw up,” said one unnamed SolarWinds employee to the SEC.
The lawsuit says that Texas-based SolarWinds and its chief information security officer Timothy Brown defrauded investors by knowingly misrepresenting SolarWinds’ cybersecurity weaknesses as Russia-linked hackers exploited the company’s Orion software to infiltrate hundreds of US government agencies and international businesses.