Daily Archives: December 14, 2020

Spotify resets passwords after a security bug exposed users’ private account information – for 6 months

Posted on by

Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners.

In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify.” The company did not name the business partners, but added that Spotify “did not make this information publicly accessible.”

Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12. But like most data breach notices, Spotify did not say what the vulnerability was or how user account data became exposed.

“We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted,” the letter read.

Spotify spokesperson Adam Grossberg confirmed that a “small subset” of Spotify users are affected, but did not provide a specific figure. Spotify has more than 320 million users, and 144 million subscribers.

It’s the second time in as many months that the company has reset user passwords.

Last month security researchers found an unsecured database, likely operated by hackers, allegedly containing around 300,000 stolen user passwords. The database was probably used to launch credential stuffing attacks, in which lists of stolen passwords are matched against different websites that use the same password.

Although in that case the exposed data did not come from Spotify, the company reset the passwords on affected user accounts.

Source: Spotify resets passwords after a security bug exposed users’ private account information | TechCrunch

‘Save Europe from Software Patents’, Urges Nonprofit FFII – DE is trying for 3rd time using underhanded sneaky tactics

Posted on by

Long-time Slashdot reader zoobab shares this update about the long-standing Foundation for a Free Information Infrastructure, a Munich-based non-profit opposing ratification of a “Unified Patent Court” by Germany: The FFII is crowdfunding a constitutional complaint in Germany against the third attempt to impose software patents in Europe, calling on all software companies, independent software developers and FLOSS authors to donate.

The Unitary Patent and its Court will promote patent trolls, without any appeal possible to the European Court of Justice, which won’t be able to rule on patent law, and software patents in particular. The FFII also says that the proposed court system will be more expensive for small companies then the current national court system.
The stakes are high — so the FFII writes that they’re anticipating some tricky counter-maneuvering: Stopping the UPC in Germany will be enough to kill the UPC for the whole Europe… German government believe that they can ratify before the end of the year, as they consider the UK still a member of the EU till 31st December. The agenda of next votes have been designed on purpose to ratify the UPC before the end of the year. FFII expects dirty agenda and political hacks to declare the treaty “into force”, dismiss “constitutional complaints”, while the presence of UK is still problematic.

Source: ‘Save Europe from Software Patents’, Urges Nonprofit FFII – Slashdot

These have been batted off the table before and for very good reason.

Russia Breached Update Server Used by 300,000 Organizations, Including the NSA

Posted on by

Sunday Reuters reported that “a sophisticated hacking group” backed by “a foreign government” has stolen information from America’s Treasury Department, and also from “a U.S. agency responsible for deciding policy around the internet and telecommunications.”

The Washington Post has since attributed the breach to “Russian government hackers,” and discovered it’s “part of a global espionage campaign that stretches back months, according to people familiar with the matter.” Officials were scrambling over the weekend to assess the extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said. The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration… [The Washington Post has also reported this is the group responsible for the FireEye breach. -Ed]

All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter. The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized with in a “highly-sophisticated, targeted…attack by a nation state.” The scale of the Russian espionage operation is potentially vast and appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website. SolarWinds is also used by the top 10 U.S. telecommunications companies…

APT29 compromised the SolarWinds server that sends updates so that any time a customer checks in to request an update, the Russians could hitch a ride on that update to get into a victim’s system, according to a person familiar with the matter. “Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
Reuters described the breach as “so serious it led to a National Security Council meeting at the White House.”

Source: Russia Breached Update Server Used by 300,000 Organizations, Including the NSA – Slashdot

World+dog share in collective panic attack as Google slides off the face of the internet

Posted on by

Google services such as YouTube and Gmail started the week with an almighty bang as the Chocolate Factory’s cloud came crashing to the ground.

Despite an insistence from the company’s various health dashboards that all was fine and dandy, it most definitely was not.

Those seeking distraction in video form were treated to YouTube’s “Something went wrong…” monkey, while others wishing to express their disquiet via Gmail were shown a 502 code or a suggestion to try again in five minutes.

YouTube broken monkey

The issue appears to have afflicted vast swathes of the globe, with users in the Philippines and India joining Europeans and US early birds in being unexpectedly ejected from the Chocolate Factory’s services.

Problems seemed to start at around 11:30 GMT. At time of writing YouTube was inaccessible, Gmail was borked, Drive was down, image search failed (unless an error code was what you were looking for), and Docs didn’t seem happy.

Some things still worked – we found links to existing Google Docs were working and the search for which the company is famed appeared to be running. So there was no need to resort to something like Bing.

Google is no stranger to outages. Pretty much everything from GCP to G Suite fell over into a heap back in August.

As for today’s outage, Google’s Workspace dashboard was aglow with green lights, even if the reality was quite different.

[…]

Source: World+dog share in collective panic attack as Google slides off the face of the internet • The Register