What’s claimed to be more than 183 million records of people’s contact details and employment info has been stolen or otherwise obtained from a data broker and put up for sale by a miscreant.

The underworld merchant, using the handle KryptonZambie, has put a $6,000 price tag on the information in a cybercrime forum posting. They are offering 100,000 records as a sample for interested buyers, and claim the data as a whole includes people’s corporate email addresses, physical addresses, phone numbers, names of employers, job titles, and links to LinkedIn and other social media profiles.

We believe this information is already publicly available, and was gathered up by a data-broker called Pure Incubation, now called DemandScience. That biz told us it was aware of its data being put up for sale, and sought to clarify what had been obtained – business-related contact details that are already out there.

“It is also important to note that we process publicly available business contact information, and do not collect, store, or process consumer data or any type of credential information or sensitive personal information including accounts, passwords, home addresses or other personal, non-business information,” a DemandScience spokesperson said in an email to The Register.

Seems to us this is the circle of data brokerage life. One org scrapes a load of info from the internet to profit from, someone else comes along and gets that info one way or another to profit from, sells it to others to profit from…

[…]

In a subsequent report by HIBP founder and Microsoft regional director Troy Hunt, which includes a screenshot of an email from DemandScience – sent to someone whose info was in the data peddled by KryptonZambie – that blamed the leak on a “system that has been decommissioned for approximately two years.”

[…]

After coming across the pile of data for sale, and hearing from someone whose personal information was swept up in the affair, Hunt said he decided to check whether his own info was included. He did find a decade-old email address and an incorrect job title.

“I’ll be entirely transparent and honest here – my exact words after finding this were ‘motherfucker!’ True story, told uncensored here because I want to impress on the audience how I feel when my data turns up somewhere publicly,” Hunt wrote.

We couldn’t have said it any better ourselves. ®

Source: Business records on 100M+ people swiped, put up for sale • The Register

In October, video game giant Activision said it had fixed a bug in its anti-cheat system that affected “a small number of legitimate player accounts,” who were getting banned because of the bug.

In reality, according to the hacker who found the bug and was exploiting it, they were able to ban “thousands upon thousands” of Call of Duty players, who they essentially framed as cheaters. The hacker, who goes by Vizor, spoke to TechCrunch about the exploit, and told their side of the story.

“I could have done this for years and as long as I target random players and no one famous it would have gone without notice,” said Vizor, who added that it was “funny to abuse the exploit.”

[…]

In 2021, Activision released its Ricochet anti-cheat system, which runs at the kernel level in an attempt to make it even harder for cheat developers to get around it.

Vizor said they were able to find a unique way to exploit Ricochet, and use it against the players it was supposed to protect. The hacker realized Ricochet was using a list of specific hardcoded strings of text as “signatures” to detect hackers. For example, Vizor said, one of the strings was the words “Trigger Bot,” which refers to a type of cheat that automatically triggers a cheater’s weapon when their crosshair is over a target.

Vizor said they could simply send a private message — known as a “whisper” in the game — that included one of these hardcoded strings, such as “Trigger Bot,” and get the player they were messaging banned from the game.

“I realized that Ricochet anti-cheat was likely scanning players’ devices for strings to determine who was a cheater or not. This is fairly normal to do but scanning this much memory space with just an ASCII string and banning off of that is extremely prone to false positives,” said Vizor, referring to how the game was effectively scanning for banned keywords, regardless of context.

[…]

“If you know what signature the anti-cheat is looking for, I find a mechanism to get those bytes in your game process and you get banned,” said the person, who asked to remain anonymous. “I can’t believe [Activision] are banning people on a memory scan of ‘trigger bot.’ That is so incredibly stupid. And they should have been protecting the signatures. That’s amateur hour.”

Apart from random players, Vizor said they targeted some well-known players, too. In the period of time Vizor was using the exploit, some video game streamers posted on X that they had been banned, and then unbanned, once Activision fixed the bug.

The company was alerted of the existence of the bug when Zebleer published details of the exploit on X.

“It was nice to see it get fixed and see unbans,” said Vizor. “I had my fun.”

Source: Hacker says they banned ‘thousands’ of Call of Duty gamers by abusing anti-cheat flaw | TechCrunch

What this article misses is that anti-cheat programs have kernel level access to your system. This means that they are able to not only read anything anywhere on your system, but they are also able to alter whatever they like on your system. It’s not just spyware, but a potential virus or ransomware application just waiting to be hijacked. The ease with which this was exploited shows how dangerous these programs are. Expect more exploits through this route, as they are coded extremely poorly, apparently.

U.S. money transfer giant MoneyGram has confirmed that hackers stole its customers’ personal information and transaction data during a cyberattack last month.

The company said in a statement Monday that an unauthorized third party “accessed and acquired” customer data during the cyberattack on September 20. The cyberattack — the nature of which remains unknown — sparked a week-long outage that resulted in the company’s website and app falling offline.

MoneyGram says it serves over 50 million people in more than 200 countries and territories each year.

In its statement Monday, MoneyGram said its investigation is in its “early stages” and is working to determine which consumers were affected by this issue. The company did not say how many customers might be affected. When reached, MoneyGram spokesperson Sydney Schoolfield did not comment beyond the company’s statement.

The stolen customer data includes names, phone numbers, postal and email addresses, dates of birth, and national identification numbers. The data also includes a “limited number” of Social Security numbers and government identification documents, such as driver’s licenses and other documents that contain personal information, like utility bills and bank account numbers. MoneyGram said the types of stolen data will vary by individual.

MoneyGram said that the stolen data also included transaction information, such as dates and amounts of transactions, and, “for a limited number of consumers, criminal investigation information (such as fraud).”

TechCrunch previously reported that MoneyGram had subsequently notified U.K. data protection regulators of a data breach as required under U.K. law.

Source: MoneyGram says hackers stole customers’ personal information and transaction data | TechCrunch

And… why was this data not encrypted?

[…] A pro-Palestenian hacktivist group called SN_BLACKMETA has taken responsibility for the hack on X and Telegram. “They are under attack because the archive belongs to the USA, and as we all know, this horrendous and hypocritical government supports the genocide that is being carried out by the terrorist state of ‘Israel,’” the group said on X when someone asked them why they’d gone after the Archive.

The group elaborated on its reasoning in a now-deleted post on X. Jason Scott, an archivist at the Archive, screenshotted it and shared it. “Everyone calls this organization ‘non-profit’, but if its roots are truly in the United States, as we believe, then every ‘free’ service they offer bleeds millions of lives. Foreign nations are not carrying their values beyond their borders. Many petty children are crying in the comments and most of those comments are from a group of Zionist bots and fake accounts,” the post said.

SN_BLACKMETA also claimed responsibility for a six-day DDoS attack on the Archive back in May. “Since the attacks began on Sunday, the DDoS intrusion has been launching tens of thousands of fake information requests per second. The source of the attack is unknown,” Chris Freeland, Director of Library Services at the Archive said in a post about the attacks back in May.

SN_BLACKMETA launched its Telegram channel on November 23 and has claimed responsibility for a number of other attacks including a six-day DDoS run at Arab financial institutions and various attacks on Israeli tech companies in the spring.

It’s been a hard year for the Internet Archive. In July, the site went down due to “environmental factors” during a major heat wave in the U.S. Last month it lost an appeal in the lawsuit Hachette and other major publishers launched against it.

“If our patrons around the globe think this latest situation is upsetting, then they should be very worried about what the publishing and recording industries have in mind,” Kahle said in a post about the DDoS attack in May. “I think they are trying to destroy this library entirely and hobble all libraries everywhere. But just as we’re resisting the DDoS attack, we appreciate all the support in pushing back on this unjust litigation against our library and others.”

[…]

Source: Hacktivists Claim Responsibility for Taking Down the Internet Archive

Well done SN_BLACKMETA – you have just played into Israels hands. People who were on the fence about Palestine in the West well definitely now lean towards Israel and away from Palestine 🙁

[…] Today, a group of independent security researchers revealed that they’d found a flaw in a web portal operated by the carmaker Kia that let the researchers reassign control of the Internet-connected features of most modern Kia vehicles—dozens of models representing millions of cars on the road—from the smartphone of a car’s owner to the hackers’ own phone or computer. By exploiting that vulnerability and building their own custom app to send commands to target cars, they were able to scan virtually any Internet-connected Kia vehicle’s license plate and within seconds gain the ability to track that car’s location, unlock the car, honk its horn, or start its ignition at will.

[…]

The web bug they used to hack Kias is, in fact, the second of its kind that they’ve reported to the Hyundai-owned company; they found a similar technique for hijacking Kias’ digital systems last year. And those bugs are just two among a slew of similar web-based vulnerabilities they’ve discovered within the last two years that have affected cars sold by Acura, Genesis, Honda, Hyundai, Infiniti, Toyota, and more.

“The more we’ve looked into this, the more it became very obvious that web security for vehicles is very poor,”

[…]

The Kia hacking technique the group found works by exploiting a relatively simple flaw in the backend of Kia’s web portal for customers and dealers, which is used to set up and manage access to its connected car features. When the researchers sent commands directly to the API of that website—the interface that allows users to interact with its underlying data—they say they found that there was nothing preventing them from accessing the privileges of a Kia dealer, such as assigning or reassigning control of the vehicles’ features to any customer account they created. “It’s really simple. They weren’t checking if a user is a dealer,” says Rivera. “And that’s kind of a big issue.”

Kia’s web portal allowed lookups of cars based on their vehicle identification number (VIN). But the hackers found they could quickly find a car’s VIN after obtaining its license plate number using the website PlateToVin.com.

More broadly, Rivera adds, any dealer using the system seemed to have been trusted with a shocking amount of control over which vehicles’ features were linked with any particular account. “Dealers have way too much power, even over vehicles that don’t touch their lot,” Rivera says.

Source: Flaw in Kia’s web portal let researchers track, hack cars | Ars Technica

Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company’s Microsoft Sharepoint server.

Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services.

Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet’s Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download.

[…]

The threat actor, known as “Fortibitch,” claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay.

In response to our questions about incident, Fortinet confirmed that customer data was stolen from a “third-party cloud-based shared file drive.”

[…]

Earlier today, Fortinet did not disclose how many customers are impacted or what kind of data has been compromised but said that it “communicated directly with customers as appropriate.”

A later update shared on Fortinet’s website says that the incident affected less than 0.3% of its customer base and that it has not resulted in any malicious activity targeting customers.

[…]

In May 2023, a threat actor claimed to have breached the GitHub repositories for the company Panopta, who was acquired by Fortinet in 2020, and leaked stolen data on a Russian-speaking hacking forum.

Source: Fortinet confirms data breach after hacker claims to steal 440GB of files

Ouch. A 440GB leak is huge.

[…]

Today, a group of six computer scientists are revealing a new attack against Apple’s Vision Pro mixed reality headset where exposed eye-tracking data allowed them to decipher what people entered on the device’s virtual keyboard. The attack, dubbed GAZEploit and shared exclusively with WIRED, allowed the researchers to successfully reconstruct passwords, PINs, and messages people typed with their eyes.

“Based on the direction of the eye movement, the hacker can determine which key the victim is now typing,” says Hanqiu Wang, one of the leading researchers involved in the work. They identified the correct letters people typed in passwords 77 percent of the time within five guesses and 92 percent of the time in messages.

To be clear, the researchers did not gain access to Apple’s headset to see what they were viewing. Instead, they worked out what people were typing by remotely analyzing the eye movements of a virtual avatar created by the Vision Pro. This avatar can be used in Zoom calls, Teams, Slack, Reddit, Tinder, Twitter, Skype, and FaceTime.

[…]

 

Source: Apple Vision Pro’s Eye Tracking Exposed What People Type | WIRED

Around 1.7 million people will receive a letter from Florida-based Slim CD, if they haven’t already, after the company detected an intrusion dating back nearly a year.

Slim CD provides payment processing solutions, thus credit card numbers along with their expiry dates are among the data types potentially compromised in the incident.

The cardholder’s name and address may also be affected, meaning potential for financial fraud should that data be sold, although Slim CD says it hasn’t detected any misuse of the data.

[…]

Among the questions we put to the company was why it took so long for the break-in to be detected, and whether it believed there were any failures in its ability to detect such incidents.

A postmortem carried out by the company and third-party experts revealed that the intrusion began on August 17, 2023, but was only discovered “on or about” June 15 this year.

[…]

There was no apology in the letter [PDF] sent to the 1.693 million potentially affected customers, who were instead encouraged to order a free credit report and remain vigilant against any malicious account activity.

Source: 1.7M potentially pwned by payment services provider breach • The Register

Avis Rent A Car System has alerted 299,006 customers across multiple US states that their personal information was stolen in an August data breach.

The digital break-in occurred between August 3 and August 6, according to the car rental giant in filings with the Maine and California attorneys general.

On August 14, Avis determined that sensitive info had been “obtained by the unauthorized third party,” although the sample breach notification letter redacted the specifics, so we can’t say for sure what personal details were stolen.

Avis also cites “insider wrongdoing” under the breach disclosure section in the Maine filing, but doesn’t provide additional details about what happened.

“Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for the impacted business application,” the letter sent to affected consumers says [PDF].

“In addition, we have taken steps to deploy and implement additional safeguards onto our systems, and are actively reviewing our security monitoring and controls to enhance and fortify the same,” it continues.

[…]

According to San Francisco-based law firm Schubert Jonckheer & Kolbe, this information may include customers’ names, addresses, dates of birth, driver’s license numbers, and financial information (including account numbers and credit or debit card numbers).

[…]

Source: Avis alerts 300k car renters that crooks stole their info • The Register

The YubiKey 5, the most widely used hardware token for two-factor authentication based on the FIDO standard, contains a cryptographic flaw that makes the finger-size device vulnerable to cloning when an attacker gains temporary physical access to it, researchers said Tuesday.

The cryptographic flaw, known as a side channel, resides in a small microcontroller used in a large number of other authentication devices, including smartcards used in banking, electronic passports, and the accessing of secure areas. While the researchers have confirmed all YubiKey 5 series models can be cloned, they haven’t tested other devices using the microcontroller, such as the SLE78 made by Infineon and successor microcontrollers known as the Infineon Optiga Trust M and the Infineon Optiga TPM. The researchers suspect that any device using any of these three microcontrollers and the Infineon cryptographic library contains the same vulnerability.

Patching not possible

YubiKey-maker Yubico issued an advisory in coordination with a detailed disclosure report from NinjaLab, the security firm that reverse-engineered the YubiKey 5 series and devised the cloning attack. All YubiKeys running firmware prior to version 5.7—which was released in May and replaces the Infineon cryptolibrary with a custom one—are vulnerable. Updating key firmware on the YubiKey isn’t possible. That leaves all affected YubiKeys permanently vulnerable.

[…]

In this case, the side channel is the amount of time taken during a mathematical calculation known as a modular inversion. The Infineon cryptolibrary failed to implement a common side-channel defense known as constant time as it performs modular inversion operations involving the Elliptic Curve Digital Signature Algorithm. Constant time ensures the time sensitive cryptographic operations execute is uniform rather than variable depending on the specific keys.

More precisely, the side channel is located in the Infineon implementation of the Extended Euclidean Algorithm, a method for, among other things, computing the modular inverse. By using an oscilloscope to measure the electromagnetic radiation while the token is authenticating itself, the researchers can detect tiny execution time differences that reveal a token’s ephemeral ECDSA key, also known as a nonce. Further analysis allows the researchers to extract the secret ECDSA key that underpins the entire security of the token.

[…]

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios.

[…]

A key question that remains unanswered at the moment is what other security devices rely on the three vulnerable Infineon secure modules and use the Infineon cryptolibrary? Infineon has yet to issue an advisory and didn’t respond to an email asking for one. At the moment, there is no known CVE for tracking the vulnerability.

Source: YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel | Ars Technica

A Florida firm has all but confirmed that millions of people’s sensitive personal info was stolen from it by cybercriminals and publicly leaked.

That information, totaling billions of records, includes the names, Social Security numbers, physical and email addresses, and phone numbers of folks in the United States, UK, and Canada. It’s the sort of records data brokers regularly buy and sell.

And it is now available via the dark web for anyone to download and use for fraud.

Back in April, crooks using the online handle USDoD wrote on a cyber-crime forum that they were selling for $3.5 million what was alleged to be 2.9 billion records, across multiple files in a 277GB archive, on US, Canadian, and British citizens, including their aforementioned names and phone and Social Security numbers where relevant, as well as their address histories going back 30 years and details of their parents and relatives.

That silo of personal info was stolen from an outfit called National Public Data, or NPD, a small information broker based in Coral Springs that offers API lookups to other companies for things like background checks. According to USDoD, the stolen data was collected by NPD between 2019 and 2024. The firm likely sourced that info at least from public records at the local, state, and federal level.

A cyber-thief using the handle SXUL pilfered the information and passed it to USDoD to sell, which sparked a lawsuit against NPD at the start of this month.

Some of the stolen information had been leaking out via the dark web in bits and pieces, though last week, someone using the handle Fenice dumped what’s claimed to be 2.7 billion records from that collection onto the internet for anyone to download for free if they know where to look. Note that it is a database with billions of rows, not billions of individuals; there are a lot of inaccuracies in the data, as well as a lot of dead people, and duplication.

After weeks of silence, and countless people starting to get alerts from privacy and anti-fraud services that their personal info has been leaked, NPD has, in cagey language, confirmed it was compromised and that its data was stolen and shared. According to the biz, it was ransacked in December, and the leaks started in April, leading up to now.

[…]

Source: Florida data broker says it was ransacked by cyber-thieves • The Register

[…] New research suggests that certain brands of bike parts have vulnerabilities that could allow them to be remotely compromised during competitions.

The research was unveiled this week at the Usenix Workshop on Offensive Technologies by researchers from Northeastern University and UC San Diego. In their paper, researchers note that, much like modern cars, today’s bicycles are “cyber-physical systems that contain embedded computers and wireless links to enable new types of telemetry and control.” One of the more common cyber-connected systems is the wireless gear shifter, which uses electronic switches instead of traditional control levers to allow bikers shift gears.

Researchers tested shifters sold by Shimano, a Japanese company that is one of the larger cycling parts sellers in the world. Unfortunately, researchers found that Shimano’s shifters are vulnerable to simple “replay attacks” of the sort that are frequently targeted at car fobs. Such attacks, which utilize a radio signal manipulation, allow attackers to capture and weaponize data wirelessly exchanged by hardware parts. In this case, attackers could use such an attack to “unexpectedly shift gears or to jam its shifters and lock the bike into the wrong gear,” Wired writes. Radio hardware necessary to carry out such an attack is relatively inexpensive.

“Security vulnerabilities in wireless gear-shifting systems can critically impact rider safety and performance, particularly in professional bike races,” researchers’ paper notes. “In these races, attackers could exploit these weaknesses to gain an unfair advantage, potentially causing crashes or injuries by manipulating gear shifts or jamming the shifting operation.”

Obviously cheating is common in athletic competitions, so a hackable bicycle would definitely be something to worry about for competitive racers. Researchers highlight this point: “The history of professional cycling’s struggles with illegal performance-enhancing drugs underscores the appeal of such undetectable attacks, which could similarly compromise the sport’s integrity,” they write. “Given these risks, it is essential to adopt an adversary’s viewpoint and ensure that this technology can withstand motivated attackers in the highly competitive environment of professional cycling.”

Gizmodo reached out to Shimano for comment. Last year, the company was the victim of a ransomware attack and, after refusing to pay, had several terabytes of its corporate data spilled onto the internet by the hackers.

[…]

Source: Bicycles Can Be Hacked Now

A secretive network of around 3,000 “ghost” accounts on GitHub has quietly been manipulating pages on the code-hosting website to promote malware and phishing links, according to new research seen by WIRED.

Since at least June last year, according to researchers at cybersecurity company Check Point, a cybercriminal they dubbed “Stargazer Goblin” has been hosting malicious code repositories on the Microsoft-owned platform. GitHub is the world’s largest open-source code website, hosting millions of developers’ work. As well as uploading malicious repositories, Stargazer Goblin has been boosting the pages by using GitHub’s own community tools.

Antonis Terefos, a malware reverse engineer at Check Point who discovered the nefarious behavior, says the persona behind the network uses their false accounts to “star,” “fork,” and “watch” the malicious pages.

[…]

The Stargazers Ghost Network, which Check Point named after one of the first accounts they spotted, has been spreading malicious GitHub repositories that offer downloads of social media, gaming, and cryptocurrency tools. For instance, pages might be claiming to provide code to run a VPN or license a version of Adobe’s Photoshop. These are mostly targeting Windows users, the research says, and aim to capitalize on people potentially searching for free software online.

The operator behind the network charges other hackers to use their services, which Check Point call “distribution as a service.” The harmful network has been spotted sharing various types of ransomware and info-stealer malware, Check Point says, including the Atlantida Stealer, Rhadamanthys, and the Lumma Stealer. Terefos says he discovered the network while researching instances of the Atlantida Stealer. The researcher says the network could be bigger than he expects, as he has also seen legitimate GitHub accounts being taken over using stolen login details.

[…]

The Stargazer Goblin threat actor identified by Check Point sells their services through ads on cybercrime forums and also through a Telegram account. A posts on a Russian-language cybercrime forum advertises 100 stars for $10 and 500 for $50 and says they can provide clones of existing repositories and trusted accounts. “For GitHub, the process looks organic,”

[…]

The Check Point engineer also says he identified one YouTube “ghost” account that was sharing malicious links via video, indicating that the network could be more encompassing. “I think this is not the whole picture,” Terefos says.

Source: A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub | WIRED

[…] The Mumbai-based firm said one of its multisig wallets had suffered a security breach. A multisig wallet requires two or more private keys for authentication. WazirX said its wallet had six signatories, five of whom were with WazirX team. Liminal, which operates a wallet infrastructure firm, said in a statement to TechCrunch that its preliminary investigation had found that a wallet created outside its ecosystem had been compromised.

“The cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents,” said WazirX in a statement on Thursday. “During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.”

Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT and 135 million Gala tokens were “stolen” from the platform.

Blockchain data suggests the attackers are trying to offload the assets using the decentralized exchange Uniswap. Risk-management platform Elliptic reported that the hackers have affiliation with North Korea.

About $230 million in missing assets is significant for WazirX, which reported holdings of about $500 million in its June proof-of-reserves disclosure.

[…]

This is the latest setback for WazirX, which separated from Binance in early 2023 after the two crypto exchanges had a public and high-profile fallout in 2022. Two years after Binance announced it had acquired WazirX, the two companies started a dispute over the ownership of the Indian firm. Binance founder Changpeng Zhao eventually said that the two firms hadn’t been able to conclude the deal and moved to terminate Binance’s businesses with the Indian firm.

Source: WazirX halts withdrawals after losing $230M worth crypto assets in security breach | TechCrunch

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T said some of the stolen data includes more recent records from January 2, 2023 for a smaller but unspecified number of customers.

The stolen data also includes call records of customers with phone service from other cell carriers that rely on AT&T’s network, the company said.

AT&T said the stolen data “does not contain the content of calls or texts,” but does include calling and texting records that an AT&T phone number interacted with during the six-month period, as well as the total count of a customer’s calls and texts, and call durations — information that is often referred to as metadata. The stolen data does not include the time or date of calls or texts, AT&T said.

Some of the stolen records include cell site identification numbers associated with phone calls and text messages, information that can be used to determine the approximate location of where a call was made or text message sent.

In all, the phone giant said it will notify around 110 million AT&T customers of the data breach, company spokesperson Andrea Huguely told TechCrunch.

AT&T published a website with information for customers about the data incident. AT&T also disclosed the data breach in a filing with regulators before the market opened on Friday.

Breach linked to Snowflake

AT&T said it learned of the data breach on April 19, and that it was unrelated to its earlier security incident in March.

AT&T’s Huguely told TechCrunch that the most recent compromise of customer records were stolen from the cloud data giant Snowflake during a recent spate of data thefts targeting Snowflake’s customers.

[…]

This is the second security incident AT&T has disclosed this year. AT&T was forced to reset the account passcodes of millions of its customers after a cache of customer account information — including encrypted passcodes for accessing AT&T customer accounts — was published on a cybercrime forum. A security researcher told TechCrunch at the time that the encrypted passcodes could be easily decrypted, prompting AT&T to take precautionary action to protect customer accounts.

Source: AT&T says criminals stole phone records of ‘nearly all’ customers in new data breach | TechCrunch

Scalpers have used a security researcher’s findings to reverse-engineer “nontransferable” digital tickets from Ticketmaster and AXS, allowing transfers outside their apps. The workaround was revealed in a lawsuit AXS filed in May against third-party brokers adopting the practice, according to 404 Media, which first reported the news.

The saga began in February when an anonymous security researcher, going by the pseudonym Conduition, published technical details about how Ticketmaster generates its electronic tickets.

[…]

Although the companies claim the practice is strictly a security measure, it also conveniently allows them to control how and when their tickets are resold. (Yay, capitalism?)

Ticketmaster and AXS create their “nontransferable” tickets using rotating barcodes that change every few seconds, preventing working screenshots or printouts. On the back end, it uses similar underlying tech similar to two-factor authentication apps. In addition, the codes are only generated shortly before an event starts, limiting the window for sharing them outside the apps. Without interference from outside parties, the platforms get to lock ticket buyers into their own resale services, giving them vertical control of the entire ecosystem.

That’s where the hackers come in. Using Conduition’s published findings, they extracted the platforms’ secret tokens that generate new tickets, using an Android phone with its Chrome browser connected to Chrome DevTools on a desktop PC. Using the tokens, they create a parallel ticketing infrastructure that regenerates genuine barcodes on other platforms, allowing them to sell working tickets on platforms Ticketmaster and AXS don’t allow. Online reports claim the parallel tickets often work at the gates.

According to 404 Media, AXS’ lawsuit accuses the defendants of selling “counterfeit” tickets (even though they usually work) to “unsuspecting customers.” The court documents allegedly describe the parallel tickets as “created, in whole or in part by one or more of the Defendants illicitly accessing and then mimicking, emulating, or copying tickets from the AXS Platform.”

[…]

404 Media’s entire story is worth reading. More technically minded folks may take an interest in Conduition’s earlier findings, which illustrate what the ticketing behemoths are doing on their back ends to keep the entire ecosystems in their clutches.

Source: Hackers reverse-engineer Ticketmaster’s barcode system to unlock resales on other platforms