Category: privacy

“We have hacked a branch in United States to one of the biggest automotive manufacturer in the world (TOYOTA). We are really glad to share the files with you here for free. The data size: 240 GB,” the threat actor claims. “Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data. We also offer you AD-Recon for all the target network with passwords.” While Toyota hasn’t shared the date of the breach, BleepingComputer found that the files had been stolen or at least created on December 25, 2022. This date could indicate that the threat actor gained access to a backup server where the data was stored. “We are aware of the situation. The issue is limited in scope and is not a system wide issue,” Toyota told BleepingComputer. The company added that it’s “engaged with those who are impacted and will provide assistance if needed.”

Following last week’s story on the breadth of the NPD breach, a reader alerted KrebsOnSecurity that a sister NPD property — the background search service recordscheck.net — was hosting an archive that included the usernames and password for the site’s administrator. A review of that archive, which was available from the Records Check website until just before publication this morning (August 19), shows it includes the source code and plain text usernames and passwords for different components of recordscheck.net, which is visually similar to nationalpublicdata.com and features identical login pages. The exposed archive, which was named “members.zip,” indicates RecordsCheck users were all initially assigned the same six-character password and instructed to change it, but many did not. According to the breach tracking service Constella Intelligence, the passwords included in the source code archive are identical to credentials exposed in previous data breaches that involved email accounts belonging to NPD’s founder, an actor and retired sheriff’s deputy from Florida named Salvatore “Sal” Verini.

Reached via email, Mr. Verini said the exposed archive (a .zip file) containing recordscheck.net credentials has been removed from the company’s website, and that the site is slated to cease operations “in the next week or so.” “Regarding the zip, it has been removed but was an old version of the site with non-working code and passwords,” Verini told KrebsOnSecurity. “Regarding your question, it is an active investigation, in which we cannot comment on at this point. But once we can, we will [be] with you, as we follow your blog. Very informative.” The leaked recordscheck.net source code indicates the website was created by a web development firm based in Lahore, Pakistan called creationnext.com, which did not return messages seeking comment. CreationNext.com’s homepage features a positive testimonial from Sal Verini.

In the statement disclosing the security incident, National Public Data says that “the information that was suspected of being breached contained name, email address, phone number, social security number, and mailing address(es).” The company acknowledges the “leaks of certain data in April 2024 and summer 2024” and believes the breach is associated with a threat actor “that was trying to hack into data in late December 2023.” NPD says they investigated the incident, cooperated with law enforcement, and reviewed the potentially affected records. If significant developments occur, the company “will try to notify” the impacted individuals.

Epic Games CEO Tim Sweeney commented on Apple’s ‘Find My’ service, referring to it as “super creepy surveillance tech” that “shouldn’t exist.” Sweeney went on to explain that several years ago, “a kid” stole a Mac laptop out of his car. Years later, Sweeney was checking Find My, and as the Mac was still connected to his Apple ID account, it showed him the location where the thief lived.

When someone asked Sweeney if he’d at least gotten his laptop back, Sweeney answered “No. I was creeped the hell out by having unexpectedly received the kid’s address, and turned off Find My iPhone on all of my devices.”

Slashdot reader crmarvin42 quipped “Tell me you are stupidly rich, without telling me you are stupidly rich… Next someone will be saying that it is ‘Creepy’ to have security footage of someone taking your Amazon packages off of your porch.” And they also questioned Sweeney’s sincerity, suggesting that he’s “just saying that to try and make Apple look bad because of all the lawsuits going on.”

MacRumors followed the ensuing discussion:
Sweeney said that the location of a device in someone’s possession can’t be tracked without tracking the person, and “people have a right to privacy.” [“This right applies to second hand device buyers and even to thieves.”] He claims that detection and recovery of a lost or stolen device should be “mediated by due process of law” and not exposed to the device owner “in vigilante fashion.”
Some responded to Sweeney’s comments by sharing the headline of a Vox news story about Epic’s own privacy polices. (“Fortnite maker Epic Games has to pay $520 million for tricking kids and violating their privacy.”)

MacRumors cited a 2014 report that thefts of iPhones dropped after the introduction of Apple’s “Activation Lock” feature (which prevents the disabling of ‘Find My’ without a password).

But when the blog AppleInsider accused Sweeney of “an incredibly bad leap of logic” — Sweeney responded. “You’re idealizing this issue as good guys tracking criminals to their lairs, but when Find My or Google’s similar tech points a device owner to a device possessor’s home, one must anticipate the presence of families and kids and innocent used device buyers, and ask whether it’s really appropriate for a platform to use GPS and shadowy mesh network tech to set up physical confrontations among individuals.”

Sweeney also posted a quote from Steve Jobs about how at Apple, “we worry that some 14-year-old is going to get stalked and something terrible is going to happen because of our phone.”

All 32 NFL stadiums will start using the technology this season, after the league signed a contract with a company that uses facial scans to verify the identity of people entering event venues and other secure spaces.

The facial authentication platform, which counts the Cleveland Browns’ owners as investors, will be used to “streamline and secure” entry for thousands of credentialed media, officials, staff and guests so they can easily access restricted areas such as press boxes and locker rooms, Jeff Boehm, the chief operating officer of Wicket, said in a LinkedIn post Monday. “Credential holders simply take a selfie before they come, and then Wicket verifies their identity and checks their credentials with Accredit (a credentialing platform) as they walk through security checkpoints,” Boehm added.

Wicket technology was deployed in a handful of NFL stadiums last year as part of a pilot program. Other stadiums will start rolling it out beginning on Aug. 8, when the pre-season kicks off. Some teams also have extended their use of the technology to scan the faces of ticket holders. The Cleveland Browns, Atlanta Falcons and New York Mets all have used the company’s facial authentication software to authenticate fans with tickets, according to Stadium Tech Report. “Fans come look at the tablet and, instantly, the tablet recognizes the fan,” Brandon Covert, the vice president of information technology for the Cleveland Browns, said in a testimonial appearing on Wicket’s website. “It’s almost a half-second stop. It’s not even a stop — more of a pause.”

“The Browns also use Wicket to verify the ages of fans purchasing alcohol at concession stands, according to Wicket’s LinkedIn page,” the article points out.

And a July report from Privacy International found that 25 of the top 100 soccer stadiums in the world are already using facial recognition technology.

Thanks to long-time Slashdot reader schwit1 for sharing the news.

In 2011, Meta introduced a feature known as Tag Suggestions to make it easier for users to tag people in their photos. According to Paxton’s office, the feature was turned on by default and ran facial recognition on users’ photos, automatically capturing data protected by the 2009 law. That system was discontinued in 2021, with Meta saying it deleted over 1 billion people’s individual facial recognition data. As part of the settlement, Meta must notify the attorney general’s office of anticipated or ongoing activities that may fall under the state’s biometric data laws. If Texas objects, the parties have 60 days to attempt to resolve the issue. Meta officials said the settlement will make it easier for the company to discuss the implications and requirements of the state’s biometric data laws with the attorney general’s office, adding that data protection and privacy are core priorities for the firm.

Nearly seven years later, CNN launched their own investigation of “Airbnb’s hidden camera problem”.

CNN: “Across North America, police have seized thousands of images from hidden cameras at Airbnb rentals, including people’s most intimate moments… It’s more than just a few reported cases. And Airbnb knows it’s a problem. In this deposition reviewed by CNN, an Airbnb rep said 35,000 customer support tickets about security cameras or recording devices had been documented over a decade. [The deposition estimates “about” 35,000 tickets “within the scope of the security camera and recording devices policy.”]

Airbnb told CNN a single complaint can involve multiple tickets.
CNN actually obtained the audio recording of an Airbnb host in Maine admitting to police that he’d photographed a couple having sex using a camera hidden in a clock — and also photographed other couples. And one Airbnb guest told CNN he’d only learned he’d been recorded “because police called him, months later, after another guest found the camera” — with police discovering cameras in every single room in the house, concealed inside smoke detectors. “Part of the challenge is that the technology has gotten so advanced, with these cameras so small that you can’t even see them,” CNN says.

But even though recording someone without consent is illegal in every state, CNN also found that in this case and others, Airbnb “does not contact law enforcement once hidden cameras are discovered — even if children are involved.” Their reporter argues that Airbnb “not only fails to protect its guests — it works to keep complaints out of the courts and away from the public.”

They spoke to two Florida attorneys who said trying to sue Airbnb if something goes wrong is extremely difficult — since its Terms of Service require users to assume every risk themselves. “The person going to rent the property agrees that if something happens while they’re staying at this accommodation, they’re actually prohibited from suing Airbnb,” says one of the attorneys. “They must go a different route, which is a binding arbitration.” (When CNN asked if this was about controlling publicity, the two lawyers answered “absolutely” and “100%”.) And when claims are settled, CNN adds, “Airbnb has required guests to sign confidentiality agreements — which CNN obtained — that keep some details of legal cases private.”

Responding to the story, Airbnb seemed to acknowledge guests have been secretly recorded by hosts, by calling such occurrences “exceptionally rare… When we do receive an allegation, we take appropriate, swift action, which can include removing hosts and listings that violate the policy.

“Airbnb’s trust and safety policies lead the vacation rental industry…”

“On June 6, 2024, an unknown third party impersonated a company employee to compromise their business credentials and gain access to certain business systems,” the company said in a filing. “We detected the incident within 12 hours and immediately launched an internal investigation to terminate the unauthorized access, remediate affected systems and ascertain if any customer data was impacted.” Ars Technica’s Dan Goodin reports: RansomHub, the name of a relatively new ransomware group, has taken credit for the attack, which it said yielded more than 10GB of customer data. RansomHub emerged earlier this year as a rebranded version of a group known as Knight. According to security firm Check Point, RansomHub became the most prevalent ransomware group following an international operation by law enforcement in May that took down much of the infrastructure used by rival ransomware group Lockbit.

On its dark web site, RansomHub said it was in advanced stages of negotiation with Rite Aid officials when the company suddenly cut off communications. A Rite Aid official didn’t respond to questions sent by email. Rite Aid has also declined to say if the employee account compromised in the breach was protected by multifactor authentication.

To perform such a fingerprinting attack and glean what video or a website a user might be watching or visiting, the attacker conducts a series of latency measurements of the victim’s network connection as the content is being downloaded from the server while they are browsing or viewing. It then involves a post-processing phase that employs a convolutional neural network (CNN) trained with traces from an identical network setup to make the inference with an accuracy of up to 98% for videos and 63% for websites. In other words, due to the network bottleneck on the victim’s side, the adversary can deduce the transmitted amount of data by measuring the packet round trip time (RTT). The RTT traces are unique per video and can be used to classify the video watched by the victim. The attack is so named because the attacking server transmits the file at a snail’s pace in order to monitor the connection latency over an extended period of time.