Microsoft Informs Outlook Users Of Hack *:
Coming to terms with a hacking and data breach case, Microsoft is reaching out to some users informing them of an Outlook.com hack which exposed data sent over emails to hackers who kept accessing their accounts between January 1 to March 28.
- Founded in 1996, Outlook.com is a web-based suite of webmail, contacts, tasks, and calendaring services developed and offered by Microsoft.
- In an email being sent to affected users, Microsoft claims that apart from the content of the emails including attachments, the hackers could have possibly viewed account email addresses, folder names and subject lines of the mails sent and received.
- The case came into notice when the software giant discovered that credentials of a support agent were compromised for its web mail service which led to unauthorised access into some accounts.
- Even though the software giant ensures that no login details or other personal information were stolen by the hackers, the company is recommending that affected users reset their passwords.
- As of now, it remains undisclosed exactly how many users were affected by the breach.
- This security incident comes weeks after a former security researcher pled guilty to hacking into Microsoft and Nintendo servers for a number of weeks in January 2017, allowing European hackers to access pre-release versions of Windows.
*Source: ET Telecom, April 14, 2019
Hackers Publish Personal Data On Thousands Of Us Police Officers And Federal Agents*:
- A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers.
- The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA.
- The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.
- The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.
- The spreadsheets contained about 4,000 unique records after duplicates were removed, including member names, a mix of personal and government email addresses, job titles, phone numbers and their postal addresses.
- The FBINAA could not be reached for comment outside of business hours.
- In a statement Saturday the FBINAA said it was working with federal authorities to investigate the breach.
- TechCrunch spoke to one of the hackers, who didn’t identify his or her name, through an encrypted chat late Friday.
- The hacker claimed to have “over a million data” [sic] on employees across several U.S. federal agencies and public service organizations.
- It’s not uncommon for data to be stolen and sold in hacker forums and in marketplaces on the dark web, but the hackers said they would offer the data for free to show that they had something “interesting.”
- Unprompted, the hacker sent a link to another FBINAA chapter website they claimed to have hacked.
- When we opened the page in a Tor browser session, the website had been defaced — prominently displaying a screenshot of the encrypted chat moments earlier.
- The hacker — one of more than ten, they said — used public exploits, indicating that many of the websites they hit weren’t up-to-date and had outdated plugins.
- In the encrypted chat, the hacker also provided evidence of other breached websites, including a subdomain belonging to manufacturing giant Foxconn.
- One of the links provided did not need a username or a password but revealed the back-end to a Lotus-based webmail system containing thousands of employee records, including email addresses and phone numbers.
- Their end goal: “Experience and money,” the hacker said.
*Source: Tech Crunch, April 13, 2019
Home Office Apologizes For EU Citizen Data Exposure*:
- The UK's Home Office has issued an apology to hundreds of EU citizens after accidentally sharing their private email addresses.
- All victims were applying for "settled status" in the UK as part of a new program launched last June.
- EU citizens who have been in the UK for a minimum of five years are able to receive settled status, a designation that would let them live and work there after Brexit.
- On April 7, the Home Office sent an email to some applications requesting they resend information – but it didn't check "BCC," exposing contact info for applicants in the email.
- Upon recognizing the mistake, the Home Office sent an email apologizing to affected applicants and requesting they delete the original email.
- It also said it had improved systems to prevent a similar mistake from happening in the future.
- Still, some critics say the process to obtain settled status has proved tedious; others express distrust in the Home Office's ability to handle data.
- This is the second time Home Office has apologized for data misuse in recent days.
- Earlier this week, it confirmed people and organizations listed as having interest in the Windrush scandal compensation scheme were sent emails with email addresses of other interested parties.
*Source: Dark Reading, April 12, 2019
Florida Man Hacks Into Western Union Computers And Steals $32,000*:
- A man from Hollywood is accused of hacking into the computers of a Western Union, and stealing $32,000 using a USB with infected malware, police said.
- According to NBC6, Vasile Savu, is facing numerous charges, including grand theft and identity fraud.
- Investigators believe Savu walked into the Western Union and asked an employee to print out his flight itinerary from his thumb drive.
- According to an affidavit, the drive had malware which distorted the computers and allowed Savu remote access to the computers.
- Savu is accused of stealing $32,000 and for also trying to hack the computers at an Opa-locka Western Union, where employees recognized him and called police.
- Savu appeared in bond court Thursday, where a judge set his bond to $7,500 and ordered house arrest.
- Savu, who is originally from Romania, was also ordered to give up his passport.
*Source: NBC2, April 12, 2019
Aerogrow Discloses Data Breach Of Customers’ Payment Card Information*:
- Indoor gardening system manufacturer AeroGrow has disclosed a data breach that involved customers’ payment card information.
- In a sample data breach notice obtained by the Office of Attorney General for the State of California, AeroGrow senior vice president of finance and accounting Grey H. Gibbs explains that the company learned of the security incident on 4 March 2019.
- Specifically, they found out that a bad actor had leveraged malicious code to obtain payment card information entered by customers between 29 October 2018 and 4 March 2019 into the eCommerce vendor’s payment page.
- This data might have included customers’ payment card numbers, expiration dates and CCV/CVV numbers but none of their personal information.
- Gibbs notes that AeroGrow removed the malicious code and took steps to secure its website after the company learned of the data breach.
- Additionally, Gibbs said that the company would be offering one year of identity protection services to all consumers affected by the data breach.
- This isn’t the first time that AeroGrow has suffered a security incident.
- As revealed in a letter received by the New Hampshire Department of Justice, the garden system manufacturer discovered an incident in May 2015 where an unauthorized actor gained access to the company’s website.
- In so doing, they might have obtained customers’ names, addresses, addresses and payment card data.
- AeroGrow’s data breach notice doesn’t mention who was responsible for this latest security incident.
*Source: Tripwire, April 09, 2019