AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 05/27/2022

Vehicle owner data exposed in GM credential-stuffing attack

Automaker General Motors has confirmed the credential stuffing attack it suffered last month exposed customers’ names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts. Other, more personal information, including Social Security, credit card and bank account numbers, as well as driver’s license data, is not stored in customers’ GM accounts and was not laid bare, GM officials said in a letter [PDF] sent to customers this month. According to the letter, in the 18 days between April 11 and April 29, the company detected suspicious logins to some GM online customer accounts, finding that threat actors had redeemed customer reward points for gift cards. Through a GM online platform, owners of car brands including Chevrolet and Buick can manage their payments and services while building up and redeeming reward points.

Exposed: the threat actors who are poisoning Facebook

An investigation of the infamous “Is That You?” video scam has led Cybernews researchers to a cybercriminal stronghold, from which threat actors have been infecting the social media giant with thousands of malicious links every day. At least five suspects, thought to be residing in the Dominican Republic, have been identified. One of the suspects that Raney identified is likely the same threat actor that the Cybernews research team was able to name in February 2021. Back then, we sent the relevant information to the Cyber Emergency Response Team (CERT) in the Dominican Republic, as evidence suggested that the campaign was also launched from there. At the time of writing, all relevant information has been handed over to the authorities pending further investigation.

Hacker Steals Database of Hundreds of Verizon Employees

A hacker has obtained a database that includes the full name, email address, corporate ID numbers, and phone number of hundreds of Verizon employees. It’s unclear if all the data is accurate or up to date. Motherboard was able to confirm that at least some of the data is legitimate by calling phone numbers in the database. Four people confirmed their full names and email addresses, and said they work at Verizon. Another one confirmed the data, and said she used to work at the company. Around a dozen other numbers returned voicemails that included the names in the database, suggesting those are also accurate. 

Twitter pays $150M fine for using two-factor login details to target ads

Twitter has agreed to pay a $150 million penalty for targeting ads at users with phone numbers and email addresses collected from those users when they enabled two-factor authentication. Twitter agreed to the fine and “robust compliance measures to protect users’ data privacy” to settle a lawsuit filed on Wednesday by the US government. “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” Federal Trade Commission Chair Lina Khan said. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Duck, duck… no: “anonymous” browser sharing user data with Microsoft, research confirms

“The new DuckDuckGo browsers for iOS/Android don’t block Microsoft data flows, for LinkedIn or Bing,” posted Zach Edwards, of Victory Medium, who tested both iOS and Android versions of DDG and found that “neither blocked data transfers to Microsoft’s Linkedin and Bing ads while viewing Facebook’s workplace.com homepage.” He added: “If you download the current version of the browser for iOS/Android, and hope this stops data transfers to super-common advertising subsidiaries owned by a company like Microsoft, too bad – the browser has a secret allow data flow list.” Edwards said this was despite DDG’s claims that its browser tool “automatically blocks hidden third-party trackers.”

Proton Is Trying to Become Google—Without Your Data

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN. This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility.