Yahoo data breach is among the biggest in history

At least 500 million user accounts have been stolen from Yahoo, the company confirmed on Thursday.

The data breach is the largest from a single site in history, according to a database of other hacking incidents. In August, hackers were discovered trying to sell 200 million Yahoo accounts, which would have been the second-largest single breach.

Recode reported on Thursday morning that the company was poised to confirm the compromised data and that it was even worse than originally believed. The data, which was stolen in late 2014 by what the company called a “state-sponsored actor,” may include names, emails, telephone numbers, dates of birth, hashed passwords, and security questions and answers, but not financial information, according to the company.

Russian hackers pulled off what seems like a much bigger haul of 1.2 billion users in 2014, but that data was stolen from hundreds of thousands of sites and combined into a single collection.

Hutchinson Community Foundation suffers data breach

The Hutchinson Community Foundation is making donors, vendors and other stakeholders aware of a data breach that might have compromised personal and financial information.

Letters explaining the nature of the breach and the steps being taken to remedy the situation will be delivered to affected individuals this week, and donors and others with relationships with the Community Foundation are asked to be looking for this communication.

The breach came to the Community Foundation staff’s attention Sept. 19 when ransomware was discovered on the foundation’s network server. Ransomware encrypts files until a “ransom” is paid. Fortunately, the foundation’s IT service provider was able to restore all data from a backup and no ransom was paid; however, the security violation could have allowed hackers access to files and databases on the server.

“The Hutchinson Community Foundation’s network was well-protected with data backup, and while staff also had confidence it was secure, you never know at what remote point of vulnerability a resourceful hacker might gain access,” said John Montgomery, Hutchinson Community Foundation board chairman. “It goes to show that no one is immune, including our charitable institutions.”

To help relieve concerns and restore confidence following this incident, the Community Foundation is providing identity monitoring at no cost to affected parties. The letter details the services and how to use them and also provides a call center phone number as a resource.

“We pride ourselves in our relationships with donors, service providers and others in the philanthropic community. Confidentiality and discretion are at the core of our business ethic. Though the likelihood of identity theft to affected people may be small, we are offering these protections out of an abundance of caution,” said Aubrey Abbott Patterson, Hutchinson Community Foundation president & CEO.

“We encourage everyone who receives a letter from us to use the ID number provided to enroll in the identity monitoring services. We want our stakeholders to be assured we are taking action to safeguard them and to reinforce the security of our stored data from future cyber threats,” Patterson said.

Not all donor records stored in the Community Foundation’s database contained financial or other sensitive information. Because those donors are not thought to be at any risk, they will not receive a letter of notification.

Hackers Who Kicked Xbox and PlayStation Offline Are Selling Their Tools

Data that helped hackers access Sony’s internal network came from another group targeting the firm’s gaming network, reports the Washington Post. In an interview, a self-proclaimed Lizard Squad member said it had given stolen data to the Guardians of Peace.
Editor: David JACKMAN

Lizard Squad, the group behind a cyber-attack that took Xbox Live and PlayStation Network down on Christmas day, are now offering the chance to do the same to anyone that will pay.

The attacks were apparently marketing for a tool called ‘Lizard Stresser’ — which is sold as a way of testing whether your own network could withstand a similar attack, but could just as easily be used to attack any other page.

Similar tools have been offered across the shadier parts of the website for years, but Lizard Squad’s tool is unique in the spectacular way it has been marketed — and, if the group are to be believed, its power.

Both the tool and Lizard Squad’s takedown of Xbox Live and PlayStation Network used a distributed denial of service attack — using a network of computers to flood servers with requests, leaving them unable to handle them and shutting them down.

A message on the introduction page says that the tool is “famous for taking down gaming networks such as Xbox Live, Playstation Network, Jagex, BattleNet, League of Legends, and many more!”

The tool’s terms of service stress that: “Permission is granted to stress test dedicated servers and networks owned by you. This is the opportunity to make your firewalls better, not to misuse against the law.”

The terms also make clear that attacking websites that are not the customer’s own is banned by the use license, along with using the tool for personal gain and profit.

The site bans the use of virtual private networks, a tool that can hide a user’s location, which makes it hard to stay anonymous while using the tool.

The group is selling eight packages, which begin at $6 a month and go all the way up to $130 a month. Paying more allows customers to use the tool for longer, with options going all the way to eight hours.

Customers can only pay in Bitcoin, but the company has said that it will offer PayPal soon. It also said that it will be adding more options, tools and packages to the service.

Source: http://full-timewhistle.com/technology-22/hackers-who-kicked-xbox-and-playstation-offline-are-selling-their-tools-1392.html
Banks: Card Breach at Some Chick-fil-A’s

Sources at several U.S. financial institutions say they have traced a pattern of credit card fraud back to accounts that all were used at different Chick-fil-A fast food restaurants around the country. Chick-fil-A told KrebsOnSecurity that it has received similar reports and is working with IT security firms and law enforcement in an ongoing investigation.

KrebsOnSecurity first began hearing from banks about possible compromised payment systems at Chick-fil-A establishments in November, but the reports were spotty at best. Then, just before Christmas, one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014.

One financial institution that received that alert said the bank had nearly 9,000 customer cards listed in that alert, and that the only common point-of-purchase were Chick-fil-A locations.

“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the banking source said, speaking on condition of anonymity.

The source said his institution saw Chick-fil-A locations across the country impacted, but that the bulk of the fraud seemed concentrated at locations in Georgia, Maryland, Pennsylvania, Texas and Virginia.

Reached for comment about the findings, Chick-fil-A issued the following statement:

“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants. We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”

“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”

My suspicion is that — if confirmed — this breach will be found to have impacted only a subset of Chick-fil-A’s 1,850 locations in 41 states and the District of Columbia. In that respect, it would be much like the breaches first reported in this blog earlier this year at other fast food chains — Dairy Queen and Jimmy John’s. In both of those breaches, the stores impacted were franchises that outsourced the management of their point-of-sale systems to specific third party companies.

In September, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.

In all of these incidents, the intruders managed to install malicious software on point-of-sale systems at the affected merchants. Point-of-sale malware, like the malware that hit C&K as well as Target, Home Depot, Neiman Marcus and other retailers this past year, is designed to steal the data encoded onto the magnetic stripe on the backs of debit and credit cards. This data can be used to create counterfeit cards, which are then typically used to purchase physical goods at big-box retailers.

Point-of-sale compromises have come to define 2014. Earlier this year, the U.S. Secret Service issued an advisory that a point-of-sale malware strain known as “Backoff” had struck more than 1,000 U.S. companies since Oct. 2013.

Companies that suffer credit card breaches offer credit monitoring services as a means of placating nervous customers, but bear in mind that credit monitoring services do nothing to prevent fraud on existing accounts (such as credit cards you may have in your wallet). There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions.

If, on the other hand, you’re looking for more information on credit monitoring services, or for tips about how to protect yourself and loved ones from identity thieves, please check out this article.

Source: https://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/