Interesting
1.4 billion could be interesting to see who got dinged. It looks like ye olde password manager will be getting a workout tomorrow.
Are they all from one source?
“Data breach hunter” Chris Vickery has claimed that he will shortly reveal a “1.4 billion identity leak”. 1.4 billion identity leak story incoming Monday morning. Thanks go to @SteveD3 (and someone else) for cooperating on investigation. — Chris Vickery (@VickerySec) March 3, 2017 He later offered a teaser of the leak, …
How many of them will be accurate?
When I register for public wifi, they get [randomletters]@theirdomain as the email address, and more random letters for my name. If they want an address, they get the address of the council dump. They may as well send the junk mail directly there rather than me directing it there via the bin.
It could well be Aadhaar. In fact I hope it is -- better it happens now, when it has not yet taken root in all sorts of unrelated life (seriously, they want to make it mandatory for even buying TRAIN tickets online!) than a few years later, when the damage would be much, much worse.
And the sooner the morons in charge realise this is a bloody landmine (or gold mine, depending on how you look at it), the better.
The security crowd has been screaming about "identification, not authentication" (or the less accurate but more understandable "biometrics are a userid, not a password") but no one has been listening.
Now they have (or will shortly have) an app that can draw money from your bank account with just that one factor -- a finger swipe. I'm advising friends and relations who have an Aadhaar linked bank account to keep only a minimum of money there, and put the rest in a completely different account -- preferably in a different bank -- without Aadhaar linkage. The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.
(Oh and I've also been told that the biometrics are safe and can't be faked; words like "liveness testing" have been bandied about. To which my response is "that's today's tech. It's an arms race and tomorrow the scene may be quite different, someone may figure out how to beat it".)
Governments have very little shame; the fear of ridicule is often an "individual" thing, not a collective thing.
Also, looking at the statement linked in the article, except for a couple of points, the rest seem to be hinging on *regulatory* protections (as opposed to, say, *technical* protections). This is akin to saying "murder is a crime". Sure it is, but it still happens, and it's not always caught either.
You forget the stigma attached to 'losing face' in many societies.
In Japan people in the past have been known to take their own life to avoid this sort of thing.
In India people do not question orders given to them by their superiors even if they are clearly stupid.
They do this for fear of looking weak to their peers.
It will be interesting to see the data (or a snippet of it).
Then we need to keep an eye on who is being escorted from what buildings by the Polis.
SteveD3 has confirmed it is not the Indian DB.
The sad part is that the lowest strata just don't have enough money to do this kind of thing, and they're the most at risk from a mass biometrics leak and misuse.
Well, they certainly don't have the money after the Indian government "demonetised" the 1000 and 500 rupee notes, in perhaps the most blatant act of confiscation by any (nominally) democratic government.
Although it does at least mean that being robbed is socially inclusive in India: Rich or poor, cash or digital, your money belongs to somebody else.
I'll correct that: Vickery, of controversial MacOS security software house MacKeeper. Don't install MacKeeper, kids. You don't need it. Do some research first. And especially avoid all the popups begging you to install it when you browse certain 'free' porn site collectives.
Precisely. Please research a little about your sources for stories before publishing. MacKeeper is considered Malware by everyone I've heard or read on the subject in the Mac consulting community. See, for instance: https://www.consumeraffairs.com/news/lawsuit-challenges-mackeepers-clean-computer-claims-012114.html .
On the one hand, I don't want it to be Facebook or any of the big names, because that's a lot of innocent users affected...
On the other hand, I want it to be Facebook or any of the big names, because that's a lot of ignorant[1] people who might learn a lesson.
[1] Come on. I'll bet most of us reading this site know people who we endlessly try to convince they need more than just a single password across every website going, but who steadfastly refuse to listen. Not to mention the amount of data that's given to these sites unnecessarily.
"Aww shit. I typed NAS by mistake and accidentally sent a copy of the database to someone's cloudy Dropbox account instead."
Looks like I was right. According to the Mackeeper and CSO articles:
"I stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository "
&
"accidentally exposed their entire operation to the public after failing to properly configure their Rsync backups."
Like I suggested - someone exporting a database and then sending it elsewhere without relevant protection to stop it from being easily read.
That's from the Twitter account of the person he's working with. That makes me think of a large disaster relief provider like the International Red Cross. From the screenshot it's a MySQL database so you know, "free".
Rivers contain water, Amazon is a river,..
"Food", though. Hrrrrrm. They do sell groceries online but surely they haven't 10^9 customers for that.
But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered. My guess is the "food and drink" clue is cryptic, like a crossword clue. "food" / "drink", in quotes...
DAMN! This is annoying me! Oh well, only 20 mins to go...
But then no food brand has a billion (registered) customers, either. McDonalds or KFC might conceivably have that many customers but not registered.
They might conceivably have that many customers, but I don't think that by any stretch of the imagination I'd consider them to be food.
Tesco Clubcard. It's been going since the 90's and I know from when I worked for them, their Windows network was horribly insecure. The Board of Directors would not be best pleased to know the truth, as they recently found out when their banking division was hacked.
"The only other nation with the potential for a database to contain 1.37bn identities is"
...every single one on the planet. For some reason the article is making the assumption that nations only ever hold details on their own citizens. Even ignoring all the spying that pretty much all countries get up to, every country with border controls (i.e. all of them) has an entirely legitimate reason to hold information on people from anywhere in the world. Plus there are all kinds of legitimate data-sharing going on with the likes of patents, policing, and numerous other areas. How many people would 20 years of records from Heathrow airport be? (Spoiler - it's about 1.4 billion.)
So no, there isn't a short list of candidates at all - the list is basically any country or any company that deals with internationally transferred data. It's only a short list if you assume it must contain only citizens of a single country or customers of a single company. While that is often the case, there's no reason it must always be so.
So, according to MacKeeper this whole thing involves one huge list used by a group of spammers calling themselves River City Media (RCM). They abused servers and set up a network capable of sending out millions of spam messages.
What bothers me though is reading things like: "Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm". Known spammers?
A spammer these days is known to abuse network security in order to gain relays to send off all their mess. It's a known fact, even this article speaks about it, using hacking techniques in order to overload and mass send e-mail through legit mailservers.
But apart from detecting all this what are they going to do next? I mean, it's good to read that Spamhaus will be adding the whole RCM structure into their blacklists, but what about the culprits behind all this? Has law enforcement been involved, can the police actually do something, will they actually do something, what?
Although it is good news that MacKeeper opened up the lid of the can here I can't help wonder if this will only result in a temporary setback for these spammer guys. How else can you gain notoriety as a "known spammer" if it wasn't for the fact that you can simply continue what you do best?
Meanwhile our European overlords still haven't decided about the new cookie law reversal. Because yeah, obviously those cookies are far more intrusive than any of this.
" Has law enforcement been involved, can the police actually do something, will they actually do something, what?"
From the article:
Law enforcement was informed about the breach and the questionable activities it exposed. However, we cannot discuss those elements, because the agencies involved cannot comment on pending or ongoing investigations.
It's RCM.
"At its core, RCM is a marketing firm that does email and SMS campaigns. While some of their work is legit, other campaigns ran by the company are questionable to say the least."
Link to full story: http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-though-bad-backups.html#tk.twt_cso
https://www.theregister.co.uk/2017/03/06/radioshack_bankruptcy_savior_bankrupt/
It's the dump from the Radio Shack Customer Database of personal info gathered by their salespeople for every transaction since 1921! I'm in there, but I did use fake addresses from time to time. Okay, every time.
It HAS to be!!1! :P