Ubiquiti, one of the biggest sellers of networking gear, including routers, webcams and mesh networks, has alerted its customers to a data breach.
In a short email to customers on Monday, the tech company said it became aware of unauthorized access to its systems hosted by a third-party cloud provider. Ubiquiti didn’t name the cloud provider, say when the breach happened or explain what caused the security incident. A company spokesperson did not respond to requests for comment.
But the company confirmed that it “cannot be certain” that customer data had not been exposed.
“This data may include your name, email address, and the one-way encrypted password to your account,” said the email to customers. “The data may also include your address and phone number if you have provided that to us.”
Although the email says passwords were stored in hashed (“one-way encrypted”) form, the company says users should change their passwords and also enable two-factor authentication, which makes it harder for attackers to take stolen or cracked passwords and use them to break into accounts.
Ubiquiti account users can remotely access and manage their routers and devices from the web.
The networking company quickly followed its email with a post on its community pages confirming that the email was authentic, after several customers complained that it contained typos.
TaskRabbit has reset an unknown number of customer passwords after confirming it detected “suspicious activity” on its network.
The IKEA-owned online marketplace for on-demand labor said it reset user passwords out of an abundance of caution and that it “took steps to prevent access to any user accounts,” a TaskRabbit spokesperson told TechCrunch.
The company later confirmed it was a credential stuffing attack, in which usernames and passwords exposed in earlier breaches of other services are replayed in bulk, usually by automated scripts, against a site’s login form to find accounts where the same password was reused.
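What such an attack looks like in a site’s own login logs, and how to separate it from a brute force against one account or from ordinary logins, as an added example that is not TaskRabbit’s code or data. The log format, the sample lines and the thresholds are assumptions made for illustration; the detector keys on one source address trying many distinct usernames in a short window with a low success rate, and reports the accounts that address did get into, which is the population a reset-out-of-caution policy sweeps up.

```python
"""Spot a credential stuffing run in login logs.

Added example, not TaskRabbit's code or logs. The log format, the sample
lines and the thresholds below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <username> <OK|FAIL>".
# 203.0.113.7 walks a breached list: many different usernames, few successes.
# 198.51.100.9 is a single-account brute force, which is not stuffing.
# 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2020-11-21T10:00:01 203.0.113.7 alice FAIL
2020-11-21T10:00:02 203.0.113.7 bob FAIL
2020-11-21T10:00:02 203.0.113.7 carol FAIL
2020-11-21T10:00:03 203.0.113.7 dave OK
2020-11-21T10:00:03 203.0.113.7 erin FAIL
2020-11-21T10:00:04 203.0.113.7 frank FAIL
2020-11-21T10:00:04 203.0.113.7 grace FAIL
2020-11-21T10:00:05 203.0.113.7 heidi FAIL
2020-11-21T10:00:05 203.0.113.7 ivan OK
2020-11-21T10:00:06 203.0.113.7 judy FAIL
2020-11-21T10:00:06 203.0.113.7 mallory FAIL
2020-11-21T10:00:07 203.0.113.7 oscar FAIL
2020-11-21T10:01:00 198.51.100.9 alice FAIL
2020-11-21T10:01:05 198.51.100.9 alice FAIL
2020-11-21T10:01:09 198.51.100.9 alice OK
2020-11-21T10:02:00 192.0.2.44 bob OK
"""


def parse_line(line):
    """Return (timestamp, ip, username, success) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=10, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames within `window`
    with a low success rate. Returns {ip: details}, where `compromised`
    lists the accounts the flagged IP actually logged into."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide `start` forward so attempts[start:end+1] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            success_rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_distinct_users and success_rate <= max_success_rate:
                prior = flagged.get(ip)
                if prior is None or len(span) > prior["attempts"]:
                    flagged[ip] = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "success_rate": round(success_rate, 2),
                        "compromised": sorted({u for _, u, ok in span if ok}),
                    }
    return flagged


def accounts_to_reset(flagged):
    """Union of accounts that a flagged IP logged into during the run."""
    return sorted({u for hit in flagged.values() for u in hit["compromised"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, hit in hits.items():
        print(ip, hit)
    print("reset:", accounts_to_reset(hits))
```

The single-account brute force from 198.51.100.9 is not flagged because it touches one username; it needs a different rule (per-account failure counts and lockout), which is why stuffing slips past classic per-account throttling in the first place.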
“We acted in an abundance of caution and reset passwords for many TaskRabbit accounts, including all users who had not logged in since May 1, 2020, as well as all users who logged in during the time period of the attack, even though most of the latter activity was attributable to users’ regular use of our services,” the spokesperson said.
“As always, the safety and security of the TaskRabbit community is our priority, and we will continue to be vigilant about protecting our users’ personal information,” said the spokesperson.
TaskRabbit customers were alerted to the incident in a vague email that only noted their password had been recently changed “as a security precaution,” without saying what specifically prompted the account change. TechCrunch confirmed that the email was legitimate.
The password reset email sent to TaskRabbit customers. (Image: Sarah Perez/TechCrunch)
It’s not uncommon for companies to reset passwords after a security incident where customer or account information is accessed or stolen in a breach.
Last year, online apparel marketplace StockX reset customer passwords after initially citing “system updates,” but later admitted it took action after it found suspicious activity on its network. Days later, a hacker provided TechCrunch with 6.8 million StockX account records stolen from the company’s servers.
TaskRabbit’s freelance labor marketplace was founded in 2008, and grew over time from an auction-style platform for negotiating tasks and errands to a more mature and tailored marketplace to match customers with contractors. That eventually attracted the attention of furniture retailer IKEA, which bought the startup in September 2017 after TaskRabbit put itself on the market for a strategic buyer.
The year after the acquisition, however, TaskRabbit had to take its website and app down due to a “cybersecurity incident.” The company later revealed an attacker had gained unauthorized access to its systems. Then-TaskRabbit CEO Stacy Brown-Philpot said the company had contracted with an outside forensics team to identify what customer information had been compromised by the attack, and urged both users and providers to stay vigilant in monitoring their own accounts for suspicious activity.
Following the attack, the company said it was implementing several new security measures and would work on making the log-in process more secure. It also said it would reduce the amount of data retained about taskers and customers as well as “enhance overall network cyber threat detection technology.”
Updated with additional comment from TaskRabbit.
NTreatment, a technology company that manages electronic health and patient records for doctors and psychiatrists, left thousands of sensitive health records exposed to the internet because one of its cloud servers wasn’t protected with a password.
The cloud storage server was hosted on Microsoft Azure and contained 109,000 files, a large portion of which were lab test results from third-party providers like LabCorp, medical records, doctor’s notes, insurance claims and other sensitive health data for patients across the U.S., a class of data considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA). Running afoul of HIPAA can result in steep fines.
None of the data was encrypted, and nearly all of the sensitive files were viewable in the browser. Some of the medical records belonged to children.
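The check a storage owner would want after reading this: does a container answer an anonymous “List Blobs” request at all? This is an added example, not nTreatment’s code or TechCrunch’s method. The storage account and container names and the sample XML response are constructed; the request shape is Azure’s documented List Blobs REST call, sent with no credentials, so only a container whose public access level allows anonymous listing returns a 200 with a listing.

```python
"""Probe an Azure Blob container for anonymous listing.

Added example, not nTreatment's code. Account/container names and the
sample response are constructed; the URL shape is Azure's List Blobs call.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

API_VERSION = "2020-04-08"  # assumption: any recent x-ms-version works for an anonymous list


def container_list_url(account, container):
    """Azure Blob 'List Blobs' on a container; no credentials are attached."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def parse_blob_listing(xml_bytes):
    """Return blob names from a List Blobs response and whether more pages follow."""
    root = ET.fromstring(xml_bytes)
    names = [blob.findtext("Name") for blob in root.iter("Blob")]
    next_marker = (root.findtext("NextMarker") or "").strip()
    return {"blobs": names, "truncated": bool(next_marker)}


def probe_anonymous_listing(account, container, timeout=10):
    """Live probe. A 200 with a listing means the container's public access
    level permits anonymous listing (and therefore anonymous reads of every
    file in it); a 403/404 means it is not anonymously listable."""
    req = urllib.request.Request(container_list_url(account, container),
                                 headers={"x-ms-version": API_VERSION})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {"listable": True, **parse_blob_listing(resp.read())}
    except urllib.error.HTTPError as e:
        return {"listable": False, "status": e.code}


# Constructed response in the shape Azure returns for a publicly listable container.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="records">
  <Blobs>
    <Blob><Name>labs/2020-03-12-result.pdf</Name><Properties><Content-Length>48211</Content-Length></Properties></Blob>
    <Blob><Name>notes/patient-42.docx</Name><Properties><Content-Length>1201</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


if __name__ == "__main__":
    # Offline demonstration on the constructed response; swap in
    # probe_anonymous_listing("youraccount", "yourcontainer") for a live check.
    print(container_list_url("example", "records"))
    print(parse_blob_listing(SAMPLE_LISTING))
```

A container can also be set to the “blob” public access level, which refuses listing but still serves any file whose name is known or guessed, so a 404 on this probe is not proof that individual files are private.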
TechCrunch found the exposed data as part of a separate investigation. It wasn’t initially clear who owned the storage server, but many of the electronic health records that TechCrunch reviewed in an effort to trace the source of the data spillage were tied to doctors and psychiatrists and healthcare workers working at hospitals or networks known to use nTreatment. The storage server also contained some internal company documents, including a non-disclosure agreement with a major prescriptions provider.
The data was secured on Monday after TechCrunch contacted the company. In an email, NTreatment co-founder Gregory Katz said the server was “used as a general purpose storage,” but did not say how long the server was exposed.
Katz said the company would notify affected providers and regulators of the incident.
It’s the latest in a series of incidents involving the exposure of medical data. Earlier this year we found a bug in LabCorp’s website that exposed thousands of lab results, and reported on the vast amounts of medical imaging floating around the web.
Go SMS Pro, one of the most popular messaging apps for Android, is exposing photos, videos and other files sent privately by its users. Worse, the app maker has done nothing to fix the bug.
Security researchers at Trustwave discovered the flaw in August and contacted the app maker with a 90-day deadline to fix the issue, as is standard practice in vulnerability disclosure to allow enough time for a fix. But after the deadline elapsed without hearing back, the researchers went public.
Trustwave shared their findings with TechCrunch this week.
When a Go SMS Pro user sends a photo, video or other file to someone who doesn’t have the app installed, the app uploads the file to its servers and lets the user share a web address by text message so the recipient can view the file without installing the app. But the researchers found that these web addresses were sequential. In fact, a web address was generated every time a file was shared, even between two app users. That meant anyone who noticed the pattern could simply increment the identifier and cycle through millions of web addresses to other users’ files, with nothing else required to view them.
Go SMS Pro has more than 100 million installs, according to its listing in Google Play.
TechCrunch verified the researchers’ findings. In viewing just a few dozen links, we found a person’s phone number, a screenshot of a bank transfer, an order confirmation including someone’s home address, an arrest record, and far more explicit photos than we were expecting, to be quite honest.
Karl Sigler, senior security research manager at Trustwave, said while it wasn’t possible to target any specific user, any file sent using the app is vulnerable to public access. “An attacker can create scripts that could throw a wide net across all the media files stored in the cloud instance,” he said.
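The flaw reduced to its essentials, as an added example that is not Go SMS Pro’s code: a toy share service whose link identifier is a counter, the kind of “wide net” script Sigler describes run against it, and the same service with a 128-bit random token per link. The host name share.example, the counter start value and the sample files are assumptions.

```python
"""Predictable share links versus unguessable ones.

Added example, not Go SMS Pro's code. The service, the host name
share.example, the counter start value and the sample files are assumptions.
"""
import secrets

BASE = "https://share.example"  # hypothetical host


class SequentialShareLinks:
    """Vulnerable pattern: the link identifier is a global counter, so every
    link ever issued is one increment away from any other."""

    def __init__(self, first_id=1000):
        self._next_id = first_id
        self._files = {}

    def share(self, owner, blob):
        fid = self._next_id
        self._next_id += 1
        self._files[str(fid)] = (owner, blob)
        return f"{BASE}/{fid}"

    def fetch(self, link):
        # No authentication: whoever presents the link gets the file.
        entry = self._files.get(link.rsplit("/", 1)[1])
        return entry[1] if entry else None


class RandomShareLinks(SequentialShareLinks):
    """Hardened: 128 bits from the OS CSPRNG per link. Finding one valid
    token by guessing takes on the order of 2**128 / (links issued) tries."""

    def share(self, owner, blob):
        token = secrets.token_urlsafe(16)
        self._files[token] = (owner, blob)
        return f"{BASE}/{token}"


def seed_victims(svc):
    """Three other users share private files (constructed sample data)."""
    svc.share("alice", b"bank-transfer.png")
    svc.share("bob", b"arrest-record.pdf")
    svc.share("carol", b"order-confirmation.pdf")


def enumerate_ids(svc, first, last):
    """Attacker script: walk an id range and keep whatever exists."""
    found = {}
    for fid in range(first, last):
        blob = svc.fetch(f"{BASE}/{fid}")
        if blob is not None:
            found[fid] = blob
    return found


def run_sequential_attack():
    svc = SequentialShareLinks()
    seed_victims(svc)
    own_link = svc.share("mallory", b"attacker-probe")
    own_id = int(own_link.rsplit("/", 1)[1])  # the counter leaks the id space
    return enumerate_ids(svc, own_id - 1000, own_id)  # 1,000 guesses below it


def run_random_attack(guesses=1000):
    svc = RandomShareLinks()
    seed_victims(svc)
    svc.share("mallory", b"attacker-probe")  # own token says nothing about others'
    found = {}
    for _ in range(guesses):
        token = secrets.token_urlsafe(16)
        blob = svc.fetch(f"{BASE}/{token}")
        if blob is not None:
            found[token] = blob
    return found


if __name__ == "__main__":
    print("sequential:", run_sequential_attack())
    print("random:", run_random_attack())
```

The random token fixes enumeration, not exposure: the link is still a bearer credential, so the server should also expire links and serve the files with headers that keep them out of caches and referrer logs.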
We had about as much luck getting a response from the app maker as the researchers. TechCrunch emailed two email addresses associated with the app. One email immediately bounced back saying the email couldn’t be delivered due to a full inbox. The other email was opened, according to our email open tracker, but a follow-up email was not.
Since you might now want a messaging app that protects your privacy, we have you covered.
WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.
Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.
Here’s what we know.
WildWorks said in a detailed statement that a hacker stole 46 million Animal Jam records in early October but that it only learned of the breach in November.
The company said someone broke into one of its systems that the company uses for employees to communicate with each other, and accessed a secret key that allowed the hacker to break into the company’s user database. The bad news is that the stolen data is known to be circulating on at least one cybercrime forum, WildWorks said, meaning that malicious hackers may use (or be using) the stolen information.
The stolen data spans the past 10 years, the company said, so former users may also be affected.
Much of the stolen data wasn’t highly sensitive, but the company warned that 32 million of those stolen records had the player’s username, 23.9 million records had the player’s gender, 14.8 million records contained the player’s birth year and 5.7 million records had the player’s full date of birth.
But the company did say that the hacker also took 7 million parent email addresses used to manage their kids’ accounts. It also said that 12,653 parent accounts had a parent’s full name and billing address, and 16,131 parent accounts had a parent’s name but no billing address.
Besides the billing address, the company said no other billing data — such as financial information — was stolen.
WildWorks also said that the hacker stole players’ passwords, prompting the company to reset every player’s password. (If you can’t log in, that’s probably why. Check your email for a link to reset your password.) WildWorks didn’t say how it hashed passwords; if it used a fast, unsalted hash, the stolen values could be cracked with a wordlist and the recovered passwords tried against other accounts that reuse the same password as Animal Jam. That’s why it’s so important to use unique passwords for each site or service you use, and use a password manager to store them safely.
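Why “one-way encrypted” or “scrambled” (as in the Ubiquiti and WildWorks notices above) is not by itself reassuring, as an added example that is not either company’s code; neither said which scheme it used. A constructed dump in a fast, unsalted scheme falls to a single precomputed wordlist table, while the same wordlist against salted scrypt has to pay a full memory-hard computation per user per guess. The dump, wordlist and scrypt parameters are assumptions.

```python
"""Why a hashed password dump can still be cracked.

Added example, not WildWorks' or Ubiquiti's code; neither company said how
it hashed passwords. The dump, the wordlist and the scrypt parameters are
assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "animaljam", "qwerty", "letmein"]  # constructed


def legacy_hash(password):
    """Fast, unsalted MD5: one-way, but cheap to guess and shared across users."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed leaked table in the weak scheme.
LEGACY_DUMP = {
    "alice": legacy_hash("animaljam"),
    "bob": legacy_hash("password"),
    "carol": legacy_hash("Tr0ub4dor&3-not-in-list"),
}


def crack_legacy_dump(dump, wordlist):
    """Hash the wordlist once and look every user up: without salts one
    table cracks the whole dump, however many users it holds."""
    table = {legacy_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # about 16 MiB of memory per guess


def hash_password(password, salt=None):
    """Salted scrypt; the stored string carries its parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%s$%s" % (SCRYPT_N, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, n, salt_b64, dk_b64 = stored.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def crack_scrypt_dump(dump, wordlist):
    """Same wordlist attack against salted scrypt: weak passwords still fall,
    but every (user, guess) pair is a separate memory-hard computation and
    nothing precomputed carries over between users."""
    cracked = {}
    for user, stored in dump.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    print("legacy:", crack_legacy_dump(LEGACY_DUMP, WORDLIST))
    scrypt_dump = {u: hash_password(p) for u, p in [("alice", "animaljam"), ("carol", "Tr0ub4dor&3-not-in-list")]}
    print("scrypt:", crack_scrypt_dump(scrypt_dump, WORDLIST))
```

Salting and a slow hash raise the attacker’s cost per guess; they do not rescue a password that is itself in every wordlist, which is the point of the unique-password advice above.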
The company said it was sharing information about the breach with the FBI and other law enforcement agencies.
So what can parents do?
Capcom, the Japanese game maker behind the “Resident Evil” and “Street Fighter” franchises, has confirmed that hackers stole customer data and files from its internal network following a ransomware attack earlier in the month.
That’s an about-turn from the days immediately following the cyberattack, in which Capcom said it had no evidence that customer data had been accessed.
In a statement, the company said data on as many as 350,000 customers may have been stolen, including names, addresses, phone numbers and, in some cases, dates of birth. Capcom said the hackers also stole its own internal financial data and human resources files on current and former employees, which included names, addresses, dates of birth and photos. The attackers also took “confidential corporate information,” the company said, including documents on business partners, sales and development.
Capcom said that no credit card information was taken, as payments are handled by a third-party company.
But the company warned that the overall amount of data stolen “cannot specifically be ascertained” due to losing its own internal logs in the cyberattack.
Capcom apologized for the breach. “Capcom offers its sincerest apologies for any complications and concerns that this may bring to its potentially impacted customers as well as to its many stakeholders,” the statement read.
The video games maker was hit by the Ragnar Locker ransomware on November 2, prompting the company to shut down its network. Ragnar Locker is data-stealing ransomware: it exfiltrates files from a victim before encrypting the network, then threatens to publish the stolen files unless a ransom is paid. That gives the group leverage to demand payment even if the victim restores its files and systems from backups.
Ragnar Locker’s website now lists data allegedly stolen from Capcom, with a message implying that the company did not pay the ransom.
Capcom said it had informed data protection regulators in Japan and the United Kingdom, as required under European GDPR data breach notification rules. Companies can be fined up to 4% of their annual revenue for falling foul of GDPR rules.
European data protection regulators have inched toward an enforcement decision for a Twitter breach that the company publicly disclosed in 2019, after a majority of EU data supervisors agreed to back a draft settlement submitted earlier by Ireland’s Data Protection Commission (DPC).
Twitter disclosed the bug in its ‘Protect your tweets’ feature at the start of last year — saying at the time that some Android users who’d applied its setting to make their tweets non-public may have had their data exposed to the public Internet since as far back as 2014.
A new data protection regulation came into force in the European Union in May 2018 — meaning the tail of the 2014-2019 breach window falls under the EU’s General Data Protection Regulation (GDPR).
Ireland’s DPC is the lead supervisory authority in the case but the cross-border nature of Twitter’s business means all EU data protection agencies have an interest and the ability to make “relevant and reasoned” objections to the draft. Objections to the DPC’s draft decision were duly raised over the summer — triggering a dispute resolution process for cross-border cases set out in the GDPR.
The European Data Protection Board (EDPB), a body which helps coordinate pan-EU regulatory activity, said today it has adopted its first Article 65 decision — referring to the mechanism for settling disagreement between the EU’s patchwork of data supervisors. This means that at least a two-thirds majority of the EU DPAs have backed the settlement.
“On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA,” it wrote in a statement.
Ireland’s deputy commissioner, Graham Doyle, confirmed the EDPB has informed it of an Article 65 decision — but declined to comment further at this stage.
Ireland’s DPC now has up to a month to issue a final decision.
“The Irish SA [supervisory authority] shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision,” the EDPB statement adds.
Details of any penalties Twitter may face — such as a fine — have not yet been confirmed. But the end of the process is now in sight.
GDPR places a legal obligation on data controllers to adequately protect personal data and financial penalties for violations of the framework can scale up to 4% of a company’s annual global turnover. Although in the case of big tech the largest GDPR fine to date remains a $57M fine slapped on Google by France’s CNIL.
Unlike that Google case — which CNIL pursued ahead of Google moving its EU legal base to Ireland — the Twitter case is cross-border and will be the first such big tech GDPR case to be concluded once a final decision is out.
The EU’s flagship data protection regulation continues to face criticism over how long it’s taking for cases and complaints to be investigated and decisions issued — especially those related to big tech.
Last year the Irish regulator said its first cross-border GDPR decisions would be coming “early” in 2020. In the event its first one will arrive before the end of 2020 — but that’s a pace that’s unlikely to silence critics who argue EU regulators are not equipped for the complex, resource-intensive task of overseeing how big tech handles people’s data.
The Twitter breach case is likely to be considerably less complex than some of the complaint-based GDPR investigations ongoing into big tech platforms — which include probes around the legal bases for Facebook to process user data and how Google’s ad exchange is using Internet users’ data. Yet the EDPB still allowed for a full extra month to the Article 65 process (instead of the default one month) because of what it described as “the complexity of the subject matter”. That hardly bodes well for more contentious cases.
Still, going through dispute resolution over cross-border cases may lead to greater consistency and help DPAs pick up enforcement pace over time.
The UK’s ICO looks like a bit of a cautionary tale in this regard — having recently taken the clippers to massive preliminary fines it announced in a couple of (non-big tech GDPR) data breach cases, meaning enforcement ended up being both later and less stinging than it had first appeared.
Despite critics’ claims that GDPR enforcement continues to be lacking in places where it should be hard-hitting, the question of how to effectively regulate big tech is one that EU lawmakers aren’t backing away from.
On the contrary, the Commission is set to lay out a legislative proposal next month to apply ex ante rules to dominant Internet platforms as part of a planned Digital Markets Act. Under the plans, so-called ‘gatekeepers’ will be subject to a list of ‘dos and don’ts’ that’s slated to include controls on how they can share data.
It could also see a push to create a pan-EU regulator to oversee major platforms.
Such an approach could help to reduce the oversight burden facing a handful of EU DPAs with an outsized number of big tech giants on their books. But, again, there’s likely to be a long wait ahead before any new rules can be effectively enforced.
The election is over, but not without a hitch or two. Some voters in Georgia and Ohio had to use paper ballots after hand sanitizer leaked into voting machines — an unexpected casualty of the pandemic. And a slew of robocalls across a number of swing states urged voters to “stay safe and stay home,” in an effort to disenfranchise voters from going to the polls. With record voter turnout, there’s little evidence to show it worked.
But we saw nothing like the hack-and-leak operations of four years ago, which delivered an “October surprise” that derailed Hillary Clinton’s campaign despite her winning the popular vote by three million votes.
Government officials and cybersecurity firms said there were no significant or damaging cyberattacks during Election Day. One Homeland Security official called it “another Tuesday on the internet,” but conceded there was still cause for concern in the election aftermath.
With the bulk of the votes counted, government officials pointed to the threat of “foreign influence” campaigns — or misinformation — that would try to cast doubt on the election results. In reality, many of the false and misleading claims ended up coming from inside the White House as the Trump administration tried to cling onto power. After being caught out four years ago, the social media giants put into place measures and policies that limited the spread of false news — including Trump’s repeated attempts to claim victory.
Fears that the 2020 election could turn into a national, or even an international security matter did not come to fruition. The U.S. is in a better place than it was four years ago by simply learning the lessons from Russia’s efforts to interfere with the election. Imagine where we could be in another four?
Since you, like us, were glued to the television screens last week, here’s more from the week you might have missed.
Grayshift, the secretive startup behind the U.S. government’s favorite phone unlocking technology, has raised $47 million in fresh funding. The Series A round was led by PeakEquity Partners, and — as first reported by Forbes — is a huge round for a little-known phone forensics firm.
One of only a few photos of the mysterious GrayKey phone unlocking devices. Image Credits: Malwarebytes
Grayshift exploded onto the mobile forensics scene in 2018, months after the company began quietly selling its proprietary GrayKey technology to federal agencies for about $15,000 each. The FBI and other agencies use their purchased GrayKey devices to break into encrypted phones without needing the passcode.