The business chat application, Slack, has been hacked. The data breach lasted about 3 days, during which hackers obtained access to usernames, email addresses and passwords. The company said a “very small number of Slack accounts” were affected, but no specific numbers were released. Since news of the hack, Slack has rolled out a new two-factor authentication feature.
Read more here.
CSO put together a list of the largest corporate data breaches in 2014. They used 1 million records exposed as the cutoff for companies to make the list. Included in the list are JPMorgan Chase, Nieman Marcus, Staples, Home Depot and the IRS.
View the list here on CSO Online.
Twitch, the world’s leading video platform and community for gamers, announced yesterday that they suffered a data breach.
Twitch posted a notice on their blog, alerting users that all passwords and stream keys have been expired:
“We are writing to let you know that there may have been unauthorized access to some Twitch user account information.
For your protection, we have expired passwords and stream keys and have disconnected accounts from Twitter and YouTube. As a result, you will be prompted to create a new password the next time you attempt to log into your Twitch account.
We also recommend that you change your password at any website where you use the same or a similar password. We will communicate directly with affected users with additional details.
They also sent out an email to all users that were potentially affected by the data breach:
“We are writing to let you know that there may have been unauthorized access to some of your Twitch user account information, including possibly your Twitch username and associated email address, your password (which was cryptographically protected), the last IP address you logged in from, and any of the following if you provided it to us: first and last name, phone number, address, and date of birth.
For your protection, we have expired your password and stream keys. In addition, if you had connected your account to Twitter or YouTube, we have terminated this connection.
You will be prompted to create a new password the next time you attempt to log into your Twitch account. If applicable, you will also need to re-connect your account to Twitter and YouTube, and re-authenticate through Facebook, once you change your password. We also recommend that you change your password at any other website where you use the same or a similar password.
We apologize for this inconvenience.
The Twitch Team”
Twitch is one of many companies who has been hacked recently due to weaknesses with usernames and passwords.
A new security vulnerability has been found in Facebook by bug hunter Laxman Muthiyah that exposes private photos, and it put millions of users potentially at risk. The bug was found in Facebook Photo Sync, a feature that automatically uploads every photo taken on your mobile device to your Facebook account, but marks them as private so only the user can see them. The vulnerability allows hackers access to these private photos by building a malicious application and then tricking victims into installing the app.
Read more here.
Premara Blue Cross has been the target of a sophisticated cyberattack where unauthorized access was gained to the Premera Blue Cross IT systems. A Premara spokesman confirmed that about 11 million individuals may be affected, and the data compromised may include Social Security Numbers and bank account information.
If you use Blue Cross insurance, we recommend contacting the phone number on the back of your insurance card to see if you were affected. If you were affected, you can take advantage of two years of free credit monitoring and identity protection services here.
On Sunday, Yahoo launched a new service called “on-demand” passwords, which lets someone log into a Yahoo account using a unique, one-time code that is delivered via text message. It’s basically two-factor authentication without the first step.
Sounds interesting, but it begs the question, how secure are on demand passwords?
The whole point of multi-factor authentication is that if one authentication factor is compromised, access is still protected with an additional authentication factor. If a password is compromised, then a one-time token (delivered via text or a time-based token) protects access. For example, if the smart phone that receives or generates the second authentication factor is lost or stolen, a third party has access to the 2nd factor, but still does not have access to the password (assuming it is not stored clear-text somewhere on the phone).
Password-less authentication is nothing more than traditional “2-factor” authentication minus the password, and if your phone is lost or stolen (or the sim card is stolen), then a hacker would have the ability to receive the Yahoo one-time password and access your Yahoo account.
Yahoo’s one-time password is nothing new, and is less secure than using a complex password in addition to a second authentication mechanism, such as a time-based token or SMS delivered one-time password. If my smartphone were ever lost or stolen, I would rather have the piece of mind that my accounts are protected by a unique and complex password AND a second authentication factor. My recommendation would be to keep your Yahoo password in place, use a password manager, ensure that your passwords meet complexity and length requirements, and always activate 2-factor authentication where available.
IBM has discovered a security flaw that can leave file storage accounts of mobile users open to hackers. The IBM researchers identified sloppy coding in Dropbox’s SDK Version 1.5.4 for Android that caused the vulnerability.
76% of the applications that link to Dropbox accounts using the Dropbox SDK are vulnerable, including other password managers. Keeper does not rely on any 3rd party storage providers and is not vulnerable to this flaw.
Read more here
During a Cybersecurity panel discussion on Tuesday with members of Homeland Security, the theme was not “if you get hacked”, it’s “when you get hacked.” Companies need to start thinking this way, no one is immune to cyber attacks and it’s critical to have cybersecurity prevention tools in place and a plan for when it happens. While most cybercrime issues are preventable, cybercrime affects everyone.
Read more here: http://www.bizjournals.com/boston/blog/techflash/2015/03/homeland-security-official-your-company-might-get.html
Google’s expert team of hackers at Project Zero have discovered a serious flaw in modern DRAM devices. The flaw encourages computer vendors to cough up more information about hardware flaws, and is exploitable on x86 laptops. Google is encouraging vendors to release information about affected devices so that researchers and further evaluate the rowhammer problem.
Read more here: http://www.zdnet.com/article/rowhammer-dram-flaw-could-be-widespread-says-google/
Apple’s latest iOS release includes a fix for the FREAK exploit, which allows hackers to attack encrypted networks, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS) connections. Most iPhones and iPads were affected by the bug.
Read more here: http://www.zdnet.com/article/apple-fixes-freak-security-flaw-with-ios-8-2-update/