T-Mobile confirmed earlier this week that a data breach affected at least 48 million people. This number could rise as the company investigates further. The data set includes sensitive information such as social security numbers, driver's license details, and reportedly the unique IMEI numbers for each smartphone. The majority of the victims are not T-Mobile customers, but former or potential customers who applied for credit with T-Mobile at one time. Although a class action lawsuit has been filed, the arbitration clause in T-Mobile customer contracts may prove to be a hindrance in the path to restitution.
We also looked at worrisome flaws in ThroughTek Kalay, a software development kit that powers millions of video internet-of-things devices, including baby monitors and security cameras. Researchers demonstrated that attackers could exploit the flaws to view video feeds in real time or shut them down using denial-of-service attacks. ThroughTek issued an update in 2018 with mitigation options, but no instructions for customers on how to implement them.
After a 2017 Google Docs trojan exposed the vulnerability of the platform to fraudsters, Google made changes to Workspace. However, a security researcher proved that the system is still vulnerable to being abused by dedicated hackers.
Hundreds of civil rights groups have reacted strongly to Apple's controversial system, which would use iPhones to find child sexual abuse material. China has been a powerful propaganda force for many years. Recently, it has turned its attention towards the BBC and attacked various lines of reporting that are not in line with the country's interests. We also created a guide on how to send messages that disappear in popular chat apps.
There's more! Every week, we bring you all the security news WIRED hasn't covered in depth. To read the complete stories, click on the headlines. Stay safe out there.
It has been a busy month for cryptocurrency theft. Last week, it was Poly Network that saw a hacker steal more than $610 million in digital coins. The hacker eventually returned most of the money. It's now Liquid's turn. According to the Japanese cryptocurrency exchange, its "warm" wallets, those that can be connected to the internet, were compromised in a hack that saw $97 million in bitcoin, ethereum and other coins stolen; its "cold" wallets were not. Although Liquid claimed that it had moved assets to cold wallets in response, the damage was already done.
Elliot Carter operates a site called WashingtonTunnels.com, which really delivers on its name. The DC Underground Atlas provides a detailed overview of the subterranean passageways that lead to Washington, DC. It attracts a steady stream rather than large traffic spikes, as you can imagine. This was true up until the rioters invaded the US Capitol Building. Carter said that he noticed a spike in visitors to the DC-area NBC affiliate around that time. Many of these were coming from anonymous message boards, sites, and forums named after militias or firearms or using Donald Trump's name. Suspicious! Carter reported the activity to the FBI, and it was confirmed a few days later.
Unfortunately, hackers have compromised the US Census Bureau's January 2020 data in a way that was both preventable and embarrassing. The good news, or at the very least the less bad news, is that hackers did not get any actual census results. Citrix, a software company, had revealed a vulnerability a few weeks before the attackers gained access to servers. This was the same day that GitHub published a proof-of-concept for exploiting that flaw. The Office of the Inspector General provided a timeline. Although the Census Bureau firewall stopped the attackers from communicating with their command-and-control server within a few days, it took the agency several weeks to fully mitigate the intrusion.
Apple is known for its strict anti-leakage policy. It has a team of investigators who work to reduce the risk of corporate secrets being leaked and minimize the negative consequences. According to a Motherboard report, they have also recruited at least one person from the community who trades in illegal Apple hardware and documents. According to the informant, he approached Apple rather than the other way around. However, their relationship ended in disrepute. This article is worth reading to gain insight into Apple's anti-leak squad and the people they attempt to track down.