Tag: Privacy

Data of 2.4 million Blur password manager users left exposed online

Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, has revealed a data breach impacting nearly 2.4 million Blur users. The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users.

The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog.

Read more about the massive Blur data leak on ZDNet.

Vietnam’s Draconian Cybersecurity Bill Comes Into Effect

A law requiring internet companies in Vietnam to remove content communist authorities deem to be against the state came into effect Tuesday, in a move critics called “a totalitarian model of information control”. The new cybersecurity law has received sharp criticism from the US, the EU and internet freedom advocates who say it mimics China’s repressive censorship of the internet.

The law requires internet companies to remove content the government regards as “toxic”. Tech giants such as Facebook and Google will also have to hand over user data if asked by the government, and open representative offices in Vietnam.

Read more about Vietnam’s new cybersecurity law on SecurityWeek.

How Facebook Tracks Non-Users via Android Apps

If you quit Facebook or never joined because of its data-collecting practices, the odds are good the social network is still tracking you – despite your protest.

Facebook collects data of non-users of its social network via dozens of mainstream Android apps that send tracking and personal information back to the social network. Some of the dozens of apps sharing data with Facebook include Kayak, Yelp and Shazam, according to a report presented by Privacy International at 35C3. “Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” according to the report.

Read more about the findings of the report on Threatpost.

Amazon Slip-Up Shows How Much Alexa Really Knows

Your worst fears about home assistants came true for one Amazon customer whose Alexa recordings were accidentally sent to a complete stranger. Amazon failed to disclose the mistake, but don’t worry: The recipient learned enough about the Alexa owner to reach out.

It started when a German Amazon customer requested his Amazon-owned data under the General Data Protection Regulation (GDPR). The company sent a downloadable 100-Mb zip file. In addition to the person’s Amazon searches, the file contained hundreds of .wav files and transcripts of voice commands recorded by Alexa. The person had never owned an Alexa, so he reported the issue to Amazon, which did not respond but killed the download link.

Read more about this disturbing story on DarkReading.

Personal Details of 120 Million Brazilians Exposed

In March 2018, researchers at InfoArmor discovered an exposed database that contained extensive personal data for 120 million Brazilians. This comprised a unique identity number (the Cadastro de Pessoas Físicas, or CPF) that is issued by the Brazilian Federal Reserve to Brazilian citizens and tax-paying resident aliens.

To put this in perspective, the total population of Brazil last year stood at 210 million, with an electorate of just over 147 million. Because it took many weeks for the flaw to be fixed, InfoArmor warns “it is very likely sophisticated adversaries harvested this information.”

Read more about this story on SecurityWeek.

Australia passes controversial anti-encryption law that could weaken privacy globally

The Australian government has passed new legislation that would allow law enforcement authorities to force tech companies to hand over user information, even if it’s protected by end-to-end encryption.

The Assistance and Access Bill 2018 has been criticized by Apple as well as other technology companies and academics who argue that the legislation will weaken the data security of all Australians, with a reach that could jeopardize the data of companies, citizens, and societies around the world.

Read more about the controversial Australian law on The Verge.

‘Good for the world’? Facebook emails reveal what really drives the site

The central mythos of Facebook is that what’s good for Facebook is good for the world. More sharing, more friends and more connection will “make the world more open and connected” and “bring the world closer together”, Mark Zuckerberg has argued, even as his company has been engulfed by scandal.

But confidential emails, released by the British Parliament, reveal the hardheaded business calculations that lurked beneath the feel-good image projected by Zuckerberg and Facebook. “That may be good for the world, but it’s not good for us,” Zuckerberg wrote in a 2012 email about the possibility that developers would build applications that used data about Facebook users and their friends, but not provide any data back to Facebook.

Read more about this developing story on The Guardian.

SKY Brasil Exposes 32 Million Customer Records

Data belonging to 32 million customers of SKY Brasil has been exposed online long enough to make their theft very likely, an independent security researcher discovered. Fábio Castro found that the data cache could be reached by anyone that knew where to look on the internet. Using the Shodan search engine, he was able to discover multiple servers in Brazil running Elasticsearch that made information available without authentication.

A cluster of servers called “digital-logs-prd” attracted the researcher’s attention and with a simple command, he listed the indices available, one of them 429.1GB in size. The file included personally identifiable information of SKY Brasil customers, which featured full name, email address, service login password, client IP address, payment methods, phone number, and street address.

Read more about this massive data leak on BleepingComputer.

Data about 57 million people exposed by Elasticsearch servers

A data breach involving Elasticsearch search-engine technology exposed the personal information of nearly 57 million people for at least two weeks, according to a report by the cybersecurity organization Hacken.

The breach exposed 73 gigabytes of data as early as Nov. 14, Hacken said, including the names, employers, job titles, emails, addresses, phone numbers and IP addresses of 56,934,021 U.S. residents. There was a separate cache of data titled “Yellow Pages,” the report said, with 25 million records about businesses, including information such as names, company details, zip addresses, latitude/longitude, census tract, phone numbers, web addresses, emails, revenue numbers and more.

Read more about the massive data breach on CyberScoop.

European consumer groups want regulators to act against Google tracking

Consumer agencies in the Netherlands, Poland and five other European Union countries asked privacy regulators to take action against Google for allegedly tracking the movements of millions of users in breach of the bloc’s new privacy law.

Google is already facing a lawsuit in the United States for allegedly tracking phone users regardless of privacy settings. The consumer groups, which included those in the Czech Republic, Greece, Norway, Slovenia and Sweden, filed complaints with their respective national data protection authorities, based on research by their Norwegian counterpart.

Read more about the complaints that could result in astronomical fines for Google under the General Data Protection Regulation (GDPR) on Reuters.