The IT Privacy and Security Weekly Update don't give a Monkey's for the week ending January 24th., 2023


This week we start with a chimp and end closer to doom.

Between those two completely unrelated bookends, we get news from phone, security, and payments companies that they let a different animal out of the bag.

Hear See Speak no evil
There is some potentially good news with ransomware payments falling across the world and the Supreme court allowing the anonymous defense of section 230.

We have updates from Google and Meta but then get booted out of the airport.

This week’s update is faster-paced than an action movie … and comes with better animal sidekicks too… so let’s get to it!

Global: Mailchimp says it was hacked — again

Email marketing and newsletter giant Mailchimp says it was hacked and that dozens of customers’ data was exposed.

It’s the second time the company was hacked in the past six months. Worse, this breach appears to be almost identical to a previous incident.

Mailchimp said in an unattributed blog post that its security team detected an intruder on January 11 accessing one of its internal tools used by Mailchimp customer support and account administration, though the company did not say for how long the intruder was in its systems if known.

Mailchimp said the hacker targeted its employees and contractors with a social engineering attack.

The hacker then used those compromised employee passwords to gain access to data on 133 Mailchimp accounts, which the company notified of the intrusion.

One of those targeted accounts belongs to e-commerce giant WooCommerce.

In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses, and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.

So what’s the upshot for you? It’s not hard to be annoyed to learn you have this monkey on your back… Again.

US: T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts

The nation’s second-largest wireless carrier on Thursday disclosed that a “bad actor” took advantage of one of its application programming interfaces to gain data on “approximately 37 million current postpaid and prepaid customer accounts.”

In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the “malicious activity” within a day of learning about it.

T-Mobile also says that the API that was used does not allow for access to “any customer payment card information, Social Security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information.”

According to the filing, the carrier believes that the breach first occurred “on or around” Nov. 25, 2022.

The carrier didn’t learn that a “bad actor” was getting data from its systems until Jan. 5.

The company’s API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts.

The company said in the SEC filing that it has “begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.”

In 2021, T-Mobile suffered a data breach that exposed the data of roughly 76.6 million people.

“T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system,” adds CNET.

So what’s the upshot for you? Second major data exposure in as many years. What did they upgrade their data protection system with?

Global: GoTo Says Hackers Stole Customers’ Backups and Encryption Key

GoTo provides a platform for cloud-based remote working, collaboration, and communication, as well as remote IT management and technical support solutions.

In November 2022, the company disclosed a security breach on its development environment and a cloud storage service used by both them and its affiliate, LastPass.

At the time, the impact on the client data had yet to become known as the company’s investigation into the incident with the help of cybersecurity firm Mandiant had just begun.

The internal investigation so far has revealed that the incident had a significant impact on GoTo’s customers.

According to a GoTo’s security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility,” reads the notice to customers

So what’s the upshot for you? And for a great study in how not to handle a breach, “LastPass” and “GoTo” top the list.

By the way, we still have not heard of any LastPass users being notified about the breach.

Having just deposited our teeny-tiny Equifax settlement check, we’d definitely be betting on a class action lawsuit for LastPass.

Global: PayPal accounts breached in large-scale credential stuffing attack

PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.

Credential stuffing are attacks where hackers attempt to access an account by trying out username and password pairs sourced from data leaks on various websites.

This type of attack relies on an automated approach with bots running lists of credentials to “stuff” into login portals for various services.

Credential stuffing targets users that employ the same password for multiple online accounts, which is known as “password recycling.”

PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022.

The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts.

By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.

The electronic payments platform claims that this was not due to a breach on its systems and has no evidence that the user credentials were obtained directly from them.

According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident.

During the two days, hackers had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

So what’s the upshot for you? Here’s hoping you have a unique account login, complex password, and 2FA on your PayPal account.

Global: Fewer Companies Are Paying Ransoms To Hackers, Researchers Say

In findings published on Thursday, the blockchain forensics firm estimated that ransom payments – which are almost always paid in cryptocurrency – fell to $456.8 million in 2022 from $765.6 million in 2021, a 40% drop.

“That doesn’t mean attacks are down, or at least not as much as the drastic dropoff in payments would suggest,” according to the report.

“Instead, we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.”

Chainalysis also said the actual totals could be much higher, as there are cryptocurrency addresses controlled by ransomware attackers that its researchers haven’t yet identified.

So what’s the upshot for you? It’s hard for us to believe that the Ransomware trade has dropped off. Call us doubters.

Global: You should change your password manager’s clipboard settings now

Password managers are probably the safest way to establish and manage secure passwords, but they aren’t bulletproof. One security setting, in particular, is perhaps a bit too lax in some managers, which could give attackers a way to grab users’ passwords in certain situations.

Some password managers like Bitwarden and Keeper never clear the clipboard on their default settings.

That means that once you use a password with either of those managers, your username and password sit in the clipboard indefinitely, accessible to any other application on your system.

Using cloud clipboards could let other apps access that information even if users don’t paste the text.

The setting to make your password manager clear the clipboard after a set amount of time is found under Settings in Keeper and NordPass and Settings > Options in Bitwarden.

You can find it in each manager’s desktop app, mobile app, or browser extension.

NordPass defaults to 30 seconds, and it would be prudent for other password manager developers to change their defaults to something similar.

So what’s the upshot for you? This update is easy enough to do on your password manager and is a recommended step to take. Just Do It!

Global: Adobe Says it isn’t Using Your Photos to Train AI Image Generators

In early January, Adobe came under fire for the language used in its terms and conditions that seemed to indicate that it could use photographers’ photos to train generative artificial intelligence systems.

The company has reiterated that this is not the case.

The language of its “Content analysis” section in its Privacy and Personal Data settings says that by default, users give Adobe permission to “analyze content using techniques such as machine learning (e.g., for pattern recognition) to develop and improve our products and services.”

That sounded a lot like artificial intelligence-based (AI) image generators.

One of the sticking points of this particular section is that Adobe makes it an opt-out, not an opt-in, so many photographers likely had no idea they were already agreeing to it.

“Machine learning-enabled features can help you become more efficient and creative,” Adobe explains. “For example, we may use machine learning-enabled features to help you organize and edit your images more quickly and accurately. With object recognition in Lightroom, we can auto-tag photos of your dog or cat.”

When pressed for comment in PetaPixel’s original coverage on January 5, Adobe didn’t immediately respond, leaving many to assume the worst.

However, a day later, the company did provide some clarity on the issue to PetaPixel that some photographers may have missed.

“We give customers full control of their privacy preferences and settings. The policy in discussion is not new and has been in place for a decade to help us enhance our products for customers. For anyone who prefers their content be excluded from the analysis, we offer that option here,” a spokesperson from Adobe’s public affairs office told PetaPixel.

"When it comes to Generative AI, Adobe does not use any data stored on customers’ Creative Cloud accounts to train its experimental Generative AI features.

We are currently reviewing our policy to better define Generative AI use cases."

So what’s the upshot for you?
In an interview with Bloomberg, Adobe Chief Product Officer Scott Belsky said: "We are rolling out a new evolution of this policy that is more specific.

If we ever allow people to opt-in for generative AI specifically, we need to call it out and explain how we’re using it."

“We have to be very explicit about these things.” ← we agree!

US: Little-Known Surveillance Program Captures Money Transfers Between U.S. and More Than 20 Countries

Hundreds of federal, state, and local U.S. law-enforcement agencies have access without court oversight to a database of more than 150 million money transfers between people in the U.S. and in more than 20 countries, according to internal program documents and an investigation by Sen. Ron Wyden.

The database, housed at a little-known nonprofit called the Transaction Record Analysis Center, or TRAC, was set up by the Arizona state attorney general’s office in 2014 as part of a settlement reached with Western Union to combat cross-border trafficking of drugs and people from Mexico.

It has since expanded to allow officials of more than 600 law-enforcement entities – from federal agencies such as the Federal Bureau of Investigation, the Drug Enforcement Administration, and Immigration and Customs Enforcement to small-town police departments in nearly every state – to monitor the flow of funds through money services between the U.S. and countries around the world.

TRAC’s data includes the full names of the sender and recipient as well as the transaction amount.

Rich Lebel, TRAC’s director, said the program has directly resulted in hundreds of leads and busts involving drug cartels and other criminals seeking to launder money and has revealed patterns of money flow that help law-enforcement agencies get a broader grasp on smuggling networks.

“It’s a law-enforcement investigative tool,” Mr. Lebel said. “We don’t broadcast it to the world, but we don’t run from or hide from it either.”

Mr. Wyden, an Oregon Democrat, said TRAC allows the government to “serve itself an all-you-can-eat buffet of Americans’ personal financial data while bypassing the normal protections for Americans’ privacy.”

Internal records, including TRAC meeting minutes and copies of 140 subpoenas from the Arizona attorney general, were obtained by the American Civil Liberties Union and reviewed by The Wall Street Journal.

They show that any authorized law-enforcement agency can query the data without a warrant to examine the transactions of people inside the U.S. for evidence of money laundering and other crimes.

One slideshow prepared by a TRAC investigator showed how the program’s data could be used to scan for categories such as “Middle Eastern/Arabic names” in bulk transaction records.

So what’s the upshot for you? More of just what we needed.

Soon we could be reporting on what isn’t tracked, it could become the less common news.

US: Editorial: Enough is enough. Confirm Sohn to FCC, restore net neutrality

Why hasn’t America restored net neutrality protections?

“President Biden’s nomination to serve on the Federal Communications Commission has been stalled in the Senate for more than a year,” complain the editorial boards of two Silicon Valley newspapers.

Confirming Gigi Sohn would end the 2-2 deadlock on the FCC that is keeping Biden from fulfilling his campaign promise to restore net neutrality, ensuring that all internet traffic is treated equally.

Polls show that 75% of Americans support net neutrality rules. They know that an open internet is essential for innovation and economic growth, for fostering the next generation of entrepreneurs…

[T]elecommunication giants such as AT&T, Verizon, and Comcast don’t want that to happen.

They favor the status quo that allows internet companies to pick winners and losers by charging content providers higher rates for speedier access to customers.

They seek to expand the cable system model and allow kingmakers to rake in billions at the expense of smaller, new startups that struggle to gain a wider audience on their slow-speed offerings.

So Republicans and a handful of Democrats are holding up Sohn’s confirmation, claiming that her “radical” views disqualify her…

They also object to Sohn’s current service as an Electronic Frontier Foundation board member, saying it proves she wouldn’t be an unbiased and impartial FCC Commissioner.

The San Francisco-based EFF is a leading nonprofit with a mission of defending digital privacy, free speech, and innovation…

So what’s the upshot for you? Currently, in the US, Internet traffic can be prioritized and deprioritized as the Internet Service Provider sees fit, or, most profitable.

US: Supreme Court Allows Reddit Mods To Anonymously Defend Section 230

Over the past few days, dozens of tech companies have filed briefs supporting Google in a Supreme Court case that tests online platforms’ liability for recommending content.

Obvious stakeholders like Meta and Twitter, alongside popular platforms like Craigslist, Etsy, Wikipedia, Roblox, and Tripadvisor, urged the court to uphold Section 230 immunity in the case or risk muddying the paths users rely on to connect with each other and discover information online.

Out of all these briefs, however, Reddit’s was perhaps the most persuasive.

The platform argued on behalf of everyday Internet users, whom it claims could be buried in “frivolous” lawsuits for frequenting Reddit, if Section 230 is weakened by the court.

Unlike other companies that hire content moderators, the content that Reddit displays is “primarily driven by humans – not by centralized algorithms.”

Because of this, Reddit’s brief paints a picture of trolls suing not major social media companies, but individuals who get no compensation for their work recommending content in communities.

That legal threat extends to both volunteer content moderators, Reddit argued, as well as more casual users who collect Reddit “karma” by upvoting and downvoting posts to help surface the most engaging content in their communities.

“Section 230 of the Communications Decency Act famously protects Internet platforms from liability, yet what’s missing from the discussion is that it crucially protects Internet users – everyday people – when they participate in moderation like removing unwanted content from their communities, or users upvoting and downvoting posts,” a Reddit spokesperson told Ars.

Reddit argues in the brief that such frivolous lawsuits have been lobbed against Reddit users and the company in the past, and Section 230 protections historically have consistently allowed Reddit users to “quickly and inexpensively” avoid litigation.

The Supreme Court will have to weigh whether Reddit’s arguments are valid.

To help make its case defending Section 230 immunity protections for recommending content, Reddit received special permission from the Supreme Court to include anonymous comments from Reddit mods in its brief.

This, Reddit’s spokesperson notes, is “a significant departure from normal Supreme Court procedure.” The Electronic Frontier Foundation, a nonprofit defending online privacy, championed the court’s decision to allow moderators to contribute comments anonymously.

“We’re happy the Supreme Court recognized the First Amendment rights of Reddit moderators to speak to the court about their concerns,” EFF’s senior staff attorney, Sophia Cope, told Ars.

“It is quite understandable why those individuals may be hesitant to identify themselves should they be subject to liability in the future for moderating others’ speech on Reddit.”

"Reddit users that interact with third-party content – including ‘hosting’ content on a sub-Reddit that they manage, or moderating that content – could definitely be open to legal exposure if the Court carves out “recommending’ from Section 230’s protections, or otherwise narrows Section 230’s reach.”

So what’s the upshot for you? This story, which started with Google’s recommendation algorithms, moves in a different direction when the recommendations come from real people.

Stay tuned for more!

Global: Do you Grogu?

Since 2021, Google has included ultra-wideband (UWB) connectivity in its high-end “Pro” phones like the Pixel 6 Pro and Pixel 7 Pro.

For now, the hardware has only been used for niche cases like unlocking a luxury car or sending files to a friend, but it’s been clear that Google intends for UWB to be used more often.

To build up its own “Finder Network,” compete with Apple AirTags, and potentially make UWB more useful on Pixel phones, Google is reportedly developing its own tracking accessory.

The tracker is said to be in development under the codename “Grogu” – a reference to the popular Star Wars series “The Mandalorian” – alongside the alternate names “GR10” and “Groguaudio.”

The only other tidbits that have been uncovered so far suggest that the Nest team is seemingly taking lead on the development and that the tracker may be available in multiple colors.

The “Groguaudio” codename suggests that Google’s tracker would potentially come equipped with a speaker.

On Apple’s AirTags, a built-in speaker serves as both a privacy measure and a location aid, as if you move someone else’s AirTag after it’s been separated from them, it will beep.

This is just one of many potential privacy issues that Google will need to work through before launching a tracker accessory like this one.

So what’s the upshot for you? More tracking. Catchy name. Yawn…

Global: Quiet Mode coming to Instagram

Thursday Instagram launched “Quiet mode” to "help people focus, and to encourage people to set boundaries with friends and followers.

Once enabled, you won’t receive any notifications, your profile’s activity status will change to ‘In quiet mode’ and we’ll automatically send an auto-reply when someone DMs you… and once the feature is turned off, we’ll show you a quick summary of notifications so you can catch up on what you missed."

The move “comes as Instagram faces mounting criticism over its effect on the mental health of teens, especially teenage girls.”

Since then, the company has been making several changes focused on the safety of its younger users, including tightening default content settings for teens, nudging teens away from the content they continuously browse through and introducing restrictions on how advertisers can target teens.

Instagram will specifically prompt teen users to toggle on Quiet Mode “when they spend a specific amount of time on Instagram late at night.”

However, the platform doesn’t state how much time teens have to spend on the app to see the prompt and also doesn’t say what timeframe it considers “late at night.” Meta spokesperson Liza Crenshaw says the notification will appear after “several minutes.”

Quiet mode launched Thursday in the U.S., Canada, the United Kingdom, Ireland, and New Zealand, with launches in other countries planned soon.

The company’s rolling out a new Accounts Center that lets you manage your preferences across all your Meta accounts from a centralized hub. The revamped Accounts Center will live in the settings menu on Facebook, Instagram, and Messenger, which means you can adjust your account settings for Facebook from Instagram — and vice versa…

Some of the settings you can toggle include personal details, passwords, security, ad preferences, and payments as well as the permissions you’ve given each app.

It doesn’t appear that Meta will put all of your accounts in the Accounts Center by default, so you’ll need to add them manually.

The feature launched Thursday and will roll out gradually to all users on Facebook, Messenger, and Instagram in “the coming months.”

So what’s the upshot for you? Now all you have to figure out is how to convince a teen to turn it on.

CH: Were you on the U.S. 2019 “No-Fly” list?

An unsecured server discovered by a security researcher last week contained the identities of hundreds of thousands of individuals from the U.S. government’s Terrorist Screening Database and “No Fly List.”

Located by the Swiss hacker known as maia arson crimew, the server, run by the U.S. national airline CommuteAir, was left exposed on the public internet.

It revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees.

Analysis of the server resulted in the discovery of a text file named “NoFly.csv,” a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to having suspected or known ties to terrorist organizations.

The list, according to crimew, appeared to have more than 1.5 million entries in total.

The data included names as well as birth dates.

It also included multiple aliases, placing the number of unique individuals at far less than 1.5 million.

In a statement to the Daily Dot, CommuteAir said that the exposed infrastructure, which it described as a development server, was used for testing purposes.

CommuteAir added that the server, which was taken offline prior to publication after being flagged by the Daily Dot, did not expose any customer information based on an initial investigation.

CommuteAir also confirmed the legitimacy of the data, stating that it was a version of the “federal no-fly list” from roughly four years prior.

The server also held the passport numbers, addresses, and phone numbers of roughly 900 company employees.

User credentials to more than 40 Amazon S3 buckets and servers run by CommuteAir were also exposed.

So what’s the upshot for you? Perhaps not you, but 1.5 million people were.

Global: 90 seconds closer to Doom

The hands of the Doomsday Clock are closer to midnight than ever before, with humanity facing a time of “unprecedented danger” that has increased the likelihood of a human-caused apocalypse, a group of scientists announced Tuesday.

The Bulletin of Atomic Scientists – a nonprofit organization made up of scientists, former political leaders, and security and technology experts – moved the hands of the symbolic clock 10 seconds forward, to 90 seconds to midnight.

The adjustment, made in response to threats from nuclear weapons, climate change, and infectious diseases such as Covid-19, is the closest the clock has been to symbolic doom since it was created more than 75 years ago.

“We are living in a time of unprecedented danger, and the Doomsday Clock time reflects that reality,” Rachel Bronson, president and CEO of the Bulletin of the Atomic Scientists, said in a statement, adding that “it’s a decision our experts do not take lightly.”

The Doomsday Clock was created to convey the proximity of catastrophic threats to humanity, serving as a metaphor for public and world leaders, rather than a predictive tool.

When it was unveiled in 1947, the clock was set at 7 minutes to midnight, with “midnight” signifying a human-caused apocalypse.

At the height of the Cold War, it was set at 2 minutes to midnight.

In 2020, the Bulletin set the Doomsday Clock at 100 seconds to midnight, the first time it had moved within the two-minute mark.

For the next two years, the hands were left unchanged.

So what’s the upshot for you? Interestingly, it doesn’t look like the hands have ever retreated, only moved closer to “Midnight”

Our quote of the week: "There’s a certain feeling that happens when a new technology adjusts your thinking about computing. Google did it. Firefox did it. AWS did it. iPhone did it. OpenAI is doing it with ChatGPT.” ~Aaron Levie


That’s it for this week. Stay safe, stay secure, don’t pat the monkey, and see you in se7en.