A huge database of Facebook users' phone numbers found online

Hundreds of millions of phone numbers linked to Facebook accounts have been found online. The exposed server contained more than 419 million records across several databases covering users in multiple geographies, including 133 million records on U.S.-based Facebook users, 18 million records on users in the U.K., and another database with more than 50 million records on users in Vietnam. Because the server wasn't protected with a password, anyone could find and access the data. Each record contained a user's unique Facebook ID and the phone number listed on the account. A user's Facebook ID is typically a long, unique and public number associated with their account, which can be easily used to discern an account's username. But phone numbers have …

New York’s Revenge Porn Law Is a Flawed Step Forward

Governor Andrew Cuomo signed a bill into law this week criminalizing the spread of nonconsensual pornography, making New York the forty-sixth state to implement such protections for its residents. Unlike many "revenge porn" laws before it, New York's version includes a private right of action in addition to criminal penalties, allowing victims to take additional steps such as suing the perpetrator for damages or demanding that a website take down their illegally shared images. It's undoubtedly progress, but also an object lesson in how US legislators fail to fully understand the problem they're trying to solve. Sharing another person's private nude images online is now a Class A misdemeanor in New York. Victims will also be able to obtain an order of protection, and …

Security News This Week: Browser Extensions Scraped Data From Millions of People

Europeans had to navigate by the stars this week (well, GPS, but still) after the continent's burgeoning Galileo satellite navigation network went dark for a full seven days. The incident is a warning to everyone of how fallible the infrastructure of our modern lives really is. In more uplifting news, security researchers built an app designed to kill, to prove a point about the intense risks of internet-connected health devices and the need for the companies that make them to stop ignoring those risks. (Wait, sorry, murder apps are not uplifting.) We explained how to clear out your zombie apps and online accounts, and why Microsoft's very serious BlueKeep bug hasn't wreaked havoc on the Windows devices of the world, yet. Oh, and …

The Biggest Cybersecurity Crises of 2019 So Far

Six months of 2019 are on the books already, and certainly there have been six months' worth of data breaches, supply chain manipulations, state-backed hacking campaigns, and harbingers of cyberwar to show for it. But the hallmark of 2019, perhaps, is the feeling that the worst is yet to come. Ransomware is an ever-growing threat, corporate and US government security is still a mess, and geopolitical tensions are rising worldwide. Before we see what the future holds, though, let's recap some of the major cybersecurity incidents that have cropped up so far this year.

US Customs and Border Protection Contractor Perceptics

In May, a surveillance contractor for Customs and Border Protection suffered a breach and hackers stole photos of travelers and …

Ransomware Hits Georgia Courts as Municipal Attacks Spread

Ransomware has no shortage of cautionary tales and wakeup calls from the past decade. But for local governments, this past year has been a particularly brutal reminder of the threat. Following a 2018 attack that paralyzed the City of Atlanta for weeks, more than half a dozen cities and public services across the country have fallen to ransomware so far in 2019, on a near-monthly basis; the Administrative Office of the Georgia Courts became the latest victim on Saturday, when an attack knocked its systems offline. The string of attacks on municipalities may seem like a new pattern, but it's unclear how many of them, if any, were perpetrated by the same actors. And law enforcement officials emphasize that the …

The Drone Iran Shot Down Was a $220M Surveillance Monster

Early Thursday morning, Iran shot down a United States unmanned aerial vehicle over the Strait of Hormuz, which runs between the Persian Gulf and the Gulf of Oman. Iran identified the drone as an RQ-4A Global Hawk, a $220 million UAV that acts as a massive surveillance platform in the sky. The attack marks an escalation, with tensions already running high between the US and Iran, particularly because of the value and technical sensitivity of the downed drone. Iran's Islamic Revolutionary Guard Corps said on Thursday that the Northrop Grumman-made Global Hawk, part of a multibillion-dollar program that dates back to 2001, had entered Iranian airspace and crashed in Iranian waters; US Central Command confirmed the time and general location of the attack, …

A Push to Protect Political Campaigns from Hackers Hits a Snag

Campaign finance laws prohibit businesses and even many nonprofits from directly contributing to political campaigns. They can't even send pizza. Now the United States Federal Election Commission may apply the same laws to block a cybersecurity firm from offering free or low-cost defensive services to campaigns, at a time when those protections are badly needed. During the 2016 US presidential election, Russian hackers not only threatened election networks and voting systems but wreaked havoc by targeting campaigns and political parties, particularly the Democratic National Committee, and leaking troves of sensitive data. The events showed the importance of implementing defenses against phishing, network intrusions, and denial-of-service attacks for even the most transient campaign efforts. But all long-running …

Hack Brief: 885 Million Sensitive Financial Records Exposed Online

After a solid decade of nonstop corporate data breaches and exposures, you'd think large organizations would have at least fixed the most basic and obviously damaging types of data mishandling. But there's clearly still a long way to go. On Friday, independent security journalist Brian Krebs revealed that the real estate and title insurance giant First American had 885 million sensitive customer financial records, going back to 2003, exposed on its website for anyone to access. And while there isn't currently evidence that anyone actually found and stole the information, it was so easy to grab, and so obviously valuable to scammers, that it's hard to rule out that possibility.

The Hack

Krebs reports that the exposed records included Social Security numbers, …

After breach, Stack Overflow says some user data exposed

After disclosing a breach earlier this week, Stack Overflow has confirmed that some user data was accessed. In case you missed it, the developer knowledge-sharing site confirmed Thursday a breach of its systems last weekend, resulting in unauthorized access to production systems, the front-facing servers that actively power the site. The company gave few details, except that customer data was unaffected by the breach. Now the company says the intrusion on the website began about a week earlier and that "a very small number" of users had some data exposed. "The intrusion originated on May 5 when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier …

Microsoft's First Windows XP Patch in Years Is a Very Bad Sign

This week, Microsoft issued patches for 79 flaws across its platforms and products. One of them merits particular attention: a bug so bad that Microsoft released a fix for it on Windows XP, an operating system it officially abandoned five years ago. There's maybe no better sign of a vulnerability's severity; the last time Microsoft bothered to make a Windows XP fix publicly available was a little over two years ago, in May 2017, as the WannaCry ransomware attack swept the globe. This week's vulnerability has similarly devastating implications. In fact, Microsoft itself has drawn a direct parallel. "Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry …