Troy Hunt scours the dark web for your stolen data – a look at HaveIBeenPwned: a 1 man operation

[…] Have I Been Pwned started life as a hobby project. In fact, Troy wasn’t working in the cybersecurity industry until a chance encounter tweaked his curiosity.

[…]

Hackers had stolen the email addresses and passwords of 152 million of Adobe’s customers in November 2013 — including, as it turned out, Troy’s.

Only, he wasn’t an Adobe customer. He did some digging and found that Adobe had acquired another company that he did have an account with, and his data along with it.

But that wasn’t where it ended. Another question weighed on Troy’s mind — one he would soon become synonymous with. Where else had his data been leaked?

So, two months after the Adobe breach, he launched Have I Been Pwned — a website that would answer this exact question for anyone in the world.

Even though it’s grown into an industry behemoth, the day-to-day reality of running the site hasn’t changed all that much since 2013.

[…]

He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims’ names, physical addresses, bank details and other sensitive information.

The idea is to let users find out where their data has been leaked from, but without exposing them to further risk.

Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it’s legitimate and not some kind of scam itself.

He’s not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money.

[…]

These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service.

[…]

the reality is Troy doesn’t answer to an electorate, or even a board.

“He’s not a company that’s audited. He’s just a dude on the web,” says Jane Andrew, an expert on data breaches at the University of Sydney.

“I think it’s so shocking that this is where we find out information about ourselves.

“It’s just one guy facilitating this. It’s a critical global risk.”

She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches.

[…]

Without an effective global regulator, Professor Andrew says, a crucial part of the world’s cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.

[…]

Source: Troy Hunt scours the dark web for your stolen data — but he’s just trying to help – ABC News

T-Mobile US exposes some customer data, but don’t say breach

T-Mobile US has had another bad week on the infosec front – this time stemming from a system glitch that exposed customer account data, followed by allegations of another breach the carrier denied.

According to customers who complained of the issue on Reddit and X, the T-Mobile app was displaying other customers’ data instead of their own – including the strangers’ purchase history, credit card information, and address.

This being T-Mobile’s infamously leaky US operation, people immediately began leaping to the obvious conclusion: another cyber attack or breach.

“There was no cyber attack or breach at T-Mobile,” the telco assured us in an emailed statement. “This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”

Note, as Reddit poster Jman100_JCMP did, T-Mobile means fewer than 100 customers had their data exposed – but far more appear to have been able to view those 100 customers’ data.

As for the breach, the appearance of exposed T-Mobile data was alleged by malware repository vx-underground’s X (Twitter) account. The Register understands T-Mobile examined the data and determined that independently owned T-Mobile dealer, Connectivity Source, was the source – resulting from a breach it suffered in April. We understand T-Mobile believes vx-underground misinterpreted a data dump.

Connectivity Source was indeed the subject of a breach in April, in which an unknown attacker made off with employee data including names and social security numbers – around 17,835 of them from across the US, where Connectivity appears to do business exclusively as a white-labelled T-Mobile US retailer.

Looks like the carrier really dodged the bullet on this one – there’s no way Connectivity Source employees could be mistaken for its own staff.

T-Mobile US has already experienced two prior breaches this year, but that hasn’t imperilled the biz much – its profits have soared recently and some accompanying sizable layoffs will probably keep things in the black for the foreseeable future.

Source: T-Mobile US exposes some customer data, but don’t say breach • The Register

‘Laugh then Think’: Strange Research Honored at 33rd Annual Ig Nobel Prize Ceremony

Since 1999, Slashdot has been covering the annual Ig Nobel prize ceremonies — which honor real scientific research into strange or surprising subjects. “Each winner (or winning team) has done something that makes people LAUGH, then THINK,” explains the ceremony web page, promising that “a gaggle of genuine, genuinely bemused Nobel laureates handed the Ig Nobel Prizes to the new Ig Nobel winners.” As co-founder Marc Abrahams says on his LinkedIn profile, “All these things celebrate the unusual, honor the imaginative — and spur people’s interest in science, medicine, and technology.”

You can watch this year’s entire goofy webcast online. (At 50 minutes there’s a jaw-droppingly weird music video about running on water…) Slashdot reader Thorfinn.au shares this summary of this year’s winning research:

CHEMISTRY and GEOLOGY PRIZE [POLAND, UK] — Jan Zalasiewicz, for explaining why many scientists like to lick rocks.

LITERATURE PRIZE [FRANCE, UK, MALAYSIA, FINLAND] — Chris Moulin, Nicole Bell, Merita Turunen, Arina Baharin, and Akira O’Connor for studying the sensations people feel when they repeat a single word many, many, many, many, many, many, many times.

MECHANICAL ENGINEERING PRIZE [INDIA, CHINA, MALAYSIA, USA] — Te Faye Yap, Zhen Liu, Anoop Rajappan, Trevor Shimokusu, and Daniel Preston, for re-animating dead spiders to use as mechanical gripping tools.

PUBLIC HEALTH PRIZE [SOUTH KOREA, USA] — Seung-min Park, for inventing the Stanford Toilet, a computer vision system for defecation analysis et al.

COMMUNICATION PRIZE [ARGENTINA, SPAIN, COLOMBIA, CHILE, CHINA, USA] — María José Torres-Prioris, Diana López-Barroso, Estela Càmara, Sol Fittipaldi, Lucas Sedeño, Agustín Ibáñez, Marcelo Berthier, and Adolfo García, for studying the mental activities of people who are expert at speaking backward.

MEDICINE PRIZE [USA, CANADA, MACEDONIA, IRAN, VIETNAM] — Christine Pham, Bobak Hedayati, Kiana Hashemi, Ella Csuka, Tiana Mamaghani, Margit Juhasz, Jamie Wikenheiser, and Natasha Mesinkovska, for using cadavers to explore whether there is an equal number of hairs in each of a person’s two nostrils.

NUTRITION PRIZE [JAPAN] — Homei Miyashita and Hiromi Nakamura, for experiments to determine how electrified chopsticks and drinking straws can change the taste of food.

EDUCATION PRIZE [HONG KONG, CHINA, CANADA, UK, THE NETHERLANDS, IRELAND, USA, JAPAN] — Katy Tam, Cyanea Poon, Victoria Hui, Wijnand van Tilburg, Christy Wong, Vivian Kwong, Gigi Yuen, and Christian Chan, for methodically studying the boredom of teachers and students.

PSYCHOLOGY PRIZE [USA] — Stanley Milgram, Leonard Bickman, and Lawrence Berkowitz for 1968 experiments on a city street to see how many passersby stop to look upward when they see strangers looking upward.

PHYSICS PRIZE [SPAIN, GALICIA, SWITZERLAND, FRANCE, UK] — Bieito Fernández Castro, Marian Peña, Enrique Nogueira, Miguel Gilcoto, Esperanza Broullón, Antonio Comesaña, Damien Bouffard, Alberto C. Naveira Garabato, and Beatriz Mouriño-Carballido, for measuring the extent to which ocean-water mixing is affected by the sexual activity of anchovies.

Source: ‘Laugh then Think’: Strange Research Honored at 33rd Annual Ig Nobel Prize Ceremony – Slashdot