AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 01/25/2023

LastPass owner GoTo says hackers stole customers’ backups 

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems. The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident. 


PLAY ransomware group claims attack on Arnold Clark, one of Britain’s largest car dealerships 

Sensitive personal data allegedly stolen from Arnold Clark, one of the United Kingdom’s largest car dealerships, has been posted online by the PLAY ransomware group. The company had claimed in a Tweet on January 3 to have protected customer data after it discovered suspicious traffic on its network back in December, although it did not confirm the nature of the attack.  “Our priority has been to protect our customers’ data, our systems and our third-party partners,” the company stated, adding that “this has been achieved.” 


Bots Are Now Robocalling to Phish For Your Two-Factor Authentication (2FA) Codes 

The idea behind 2FA and OTP tokens is that even if a user’s password is breached or stolen, an attacker still cannot access the user’s account without the second factor to authenticate the login. That second factor is usually obtained from an authenticator app on the account holder’s mobile or desktop device. Recently, however, crooks and fraudsters have started using a phone phishing technique to make phone calls to their victims. It uses specialized bots sold on underground websites. The technique poses as a security verification call from the website or app that the potential victim uses. It tricks them into providing the actual OTP or 2FA code sent by the website or app. This occurs immediately after the fraudster logs in and attempts a purchase or financial transaction via that portal. 


If you want to use a security key with your Apple account, you’ll need two keys 

Apple just added support for security keys to secure your Apple ID with its latest iOS and macOS updates, but to actually set up your keys with your account, you’ll need to have at least two security keys on hand, according to an Apple support document (via MacRumors). While that might sound like a bit of an inconvenience, the requirement means that you’ll have a backup in the event that you lose your primary key and won’t be locked out of your account. It’s not an entirely unexpected ask; Google recommends using two security keys with its Advanced Protection Program for Google accounts, though the company only requires that you have one security key to enroll. Apple will let you enroll up to six keys to your account. 


DuoLingo investigating dark web post offering data from 2.6 million accounts 

Language learning platform DuoLingo said it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500. A spokesperson for the company said they are aware of the post, which was created on Tuesday morning and offers emails, phone numbers, courses taken and other information on how customers use the platform. “These records were obtained by data scraping public profile information,” a spokesperson said. “No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.” In the post, the hacker said they obtained the information from scraping an exposed application programming interface (API) and provided a sample of data from 1,000 accounts.  


Appliance makers sad that 50% of customers won’t connect smart appliances 

Appliance makers like Whirlpool and LG just can’t understand. They added Wi-Fi antennae to their latest dishwashers, ovens, and refrigerators and built apps for them—and yet only 50 percent or fewer of their owners have connected them. What gives? The issue, according to manufacturers quoted in a Wall Street Journal report (subscription usually required), is that customers just don’t know all the things a manufacturer can do if users connect the device that spins their clothes or keeps their food cold—things like “providing manufacturers with data and insights about how customers are using their products” and allowing companies to “send over-the-air updates” and “sell relevant replacement parts or subscription services.” 

Related Posts