Month in Review, Part 1: Database Breaches, Compromised Passwords
Posted by Joshua Long
When it comes to computer security news, the past month or so has been pretty jam-packed. Following are some particularly interesting or noteworthy security news stories you might have missed.
Apple Developer and Employee Contact Info Leaked
First let’s talk about the Apple developer site breach. Apple briefly took its developer site offline at the end of April. 9to5Mac reported that this wasn’t merely due to routine maintenance; Apple was also fixing a vulnerability that allowed for attackers to gain access to all contact information for everyone with a developer account (including free accounts) and every Apple retail and corporate employee.
This means that anyone could potentially have gotten the personal contact information for high-profile Apple executives such as CEO Tim Cook, or (as pointed out by Ken Ray on his Mac OS Ken podcast) noteworthy developers like Dong Nguyen, the creator of Flappy Bird, who famously pulled his app from the iOS App Store at the height of its popularity.
A developer named Jesse Järvi discovered the vulnerability and reported it privately to Apple. According to Järvi, Apple’s security team didn’t seem to take the threat seriously, so he brought it to the attention of 9to5Mac (along with evidence: the personal contact information of several 9to5Mac staff members).
Apple did not issue a statement about the breach, and it is not known whether anyone else may have gained unauthorized access to the personal information in the developer and employee database prior to Järvi’s discovery.
AOL User Database Breach Confirmed – Password Change Needed
Around this time last month, many users of AOL’s e-mail service found that their accounts seemed to be sending spam to people in their contacts list. So many people were affected that the hashtag #AOLHacked began trending on Twitter. AOL initially claimed in a blog post that the problem was simply a matter of spammers spoofing e-mail headers to make it appear that spam was coming from @aol.com e-mail addresses. This response was met with some resistance because it didn’t seem to make sense that spoofing alone could account for spam being sent to a user’s own private list of contacts.
AOL reiterated its spoofing claim in an e-mail that was gradually sent to AOL Mail users throughout late April and early May, stating, “These emails do not originate from the AOL Mail system,” and the company was “working with other email providers like Gmail, Yahoo! Mail and Outlook.com to stamp out spoofing across the industry.”
The e-mail was several paragraphs long, so many users probably stopped reading at that point (if they even got that far in the first place) and might have missed the really important revelation that followed:
“…we have determined that there was unauthorized access to AOL users’ email addresses, postal addresses, contact information (as stored in the AOL Mail ‘Address Book’), encrypted account passwords, and encrypted answers to security questions that we ask when a user resets his or her password.”
Yikes, that’s not good. (And let’s hope they really meant “properly hashed and salted” instead of just “encrypted.”)
On the bright side—possibly—AOL also stated, “There is no indication that this incident resulted in disclosure of users’ financial information, including debit and credit cards, which is also fully encrypted.”
Of course, that could be interpreted to mean that encrypted credit and debit card information may also have been stolen. After all, payment card information would normally be associated with customers’ postal addresses, which AOL admits were leaked.
If nothing else, be sure to change your password on any AOL accounts you still have, and let other AOL users know that they need to log in and change their passwords.
Bitly Account Credentials Compromised – Password Change Needed
Popular URL shortening service Bitly (bit.ly) recently disclosed, “We have reason to believe that Bitly account credentials have been compromised; specifically, users’ email addresses, encrypted passwords, API keys and OAuth tokens.”
(Hmm, there’s that ambiguous phrase “encrypted passwords” again. Sigh.)
Although Bitly is unaware of accounts having been used without permission, the company is urging users to change their passwords and follow additional security steps outlined at bit.ly/SecurityDetails.
eBay User Database Compromised – Password Change Needed
As if all those major site breaches weren’t enough, last week eBay also came forward and announced that a “cyberattack” in late February or early March, about three months ago, “compromised a database containing encrypted passwords[*] and other non-financial data,” which included names, e-mail addresses, physical addresses, phone numbers, and dates of birth.
With a reported 145 million records, obtaining that database sounds like a dream come true for identity thieves and other fraudsters.
(*And seriously, “encrypted passwords” again??)
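The worry behind the repeated complaints about “encrypted passwords” (in the AOL, Bitly and eBay notices above) is that encryption is reversible: whoever obtains the table and its key gets every password back at once, whereas a salted, slow, one-way hash forces a separate guessing effort per user and never yields the password directly. The following Python script is an added illustration of that difference, not code from the post or from any of the companies named; the users and passwords are constructed sample data, and the SHA-256 counter-mode XOR used for the “encrypted” side is a deliberately simple stand-in for whatever reversible cipher a site might use. The hashed side uses the standard library’s PBKDF2-HMAC with a random per-user salt and a constant-time comparison for login.

```python
import hashlib
import hmac
import secrets

# Constructed sample users for the demonstration; not real accounts or passwords.
USERS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
    "carol@example.com": "hunter2",  # deliberately the same password as bob
}

# Stand-in for a site's password "encryption" key (constructed for this demo).
# Wherever it is kept, one key unlocks every record in a reversible scheme.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()

# PBKDF2 work factor; raise it over time. The cost is paid once per login.
ITERATIONS = 600_000


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for any
    reversible cipher in this demo and must not be used as a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> bytes:
    """Reversible storage: ciphertext = plaintext XOR keystream(key)."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt_password(ciphertext: bytes, key: bytes) -> str:
    """The same XOR in reverse; anyone holding the key can run this."""
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


def hash_password(password: str) -> dict:
    """One-way storage: random per-user salt plus a slow salted hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def build_encrypted_db(users: dict = USERS, key: bytes = DEMO_KEY) -> dict:
    """A password table stored the 'encrypted' way."""
    return {u: encrypt_password(p, key) for u, p in users.items()}


def build_hashed_db(users: dict = USERS) -> dict:
    """The same users stored the salted-and-hashed way."""
    return {u: hash_password(p) for u, p in users.items()}


def recover_all(encrypted_db: dict, key: bytes) -> dict:
    """What a leaked 'encrypted passwords' table plus its key amounts to:
    every plaintext password in one pass, with no guessing at all."""
    return {u: decrypt_password(c, key) for u, c in encrypted_db.items()}


def same_password_detectable(db: dict, user_a: str, user_b: str) -> bool:
    """True when two stored records are identical, i.e. the table itself
    reveals a shared password. Happens with a fixed-key reversible scheme;
    per-user salts make the hashed records differ."""
    return db[user_a] == db[user_b]


if __name__ == "__main__":
    enc_db = build_encrypted_db()
    print("recovered from encrypted table:", recover_all(enc_db, DEMO_KEY))
    hashed_db = build_hashed_db()
    print("bob login ok:", verify_password("hunter2", hashed_db["bob@example.com"]))
    print("bob/carol hashed records identical:",
          same_password_detectable(hashed_db, "bob@example.com", "carol@example.com"))
```

Run it and the encrypted table gives back all three passwords as soon as the key is in hand, and bob’s and carol’s ciphertexts are byte-for-byte equal; the hashed table verifies logins correctly but exposes neither the passwords nor the fact that two users share one. That is why “hashed and salted” is the phrase a breach notice should be able to use.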
There’s not much anyone can do about the leakage of all their private contact information and date of birth, but eBay users are being encouraged to log in and change their account passwords.
Stay tuned for Month in Review, Part 2: Vulnerabilities and Patches.