Cybersecurity news headlines for 15-31 January
To continue our January 2019 edition of cybersecurity news headlines, we have four stories to report on: 772,904,991 email addresses exposed in a huge collection of data, Google fined €50 million for violating GDPR, DailyMotion suffers a credential stuffing attack, and Facebook’s data collection practices hit the headlines again.
87GB of emails and passwords exposed
A collection of 773 million unique email addresses and 22 million passwords was found on file hosting service MEGA. The huge data collection was reported by security expert Troy Hunt, who dubbed it Collection #1. It contains 2,692,818,238 rows of email addresses and passwords from many different data breaches. According to Hunt, there are 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses, and 21,222,975 unique passwords in Collection #1. Hunt operates the Have I been pwned (HIBP) website where you can check whether your email has been part of a data breach before, and according to him, around 140 million email addresses are new to HIBP.
The collection of data (87GB) was uploaded to the file hosting service MEGA, but has since been removed. The data allegedly came from many different sources, so if you’ve been part of a data breach in the past, your data is likely to appear in this collection. What that also means is that if you’re in this breach, it’s more than likely that one or more passwords you have used in the past have been exposed.
Have I been pwned also allows you to check whether your password has been part of a data breach, but not everyone is comfortable with typing their passwords into a website. However, if your email address is part of the breach, it is suggested that you change important passwords, particularly simple ones or those you have used for multiple accounts. Keep in mind that passwords should be difficult to guess, and it’s best if they do not contain actual words. Furthermore, a password should never be reused, particularly on sensitive accounts like email, banking and social media. If having many different, difficult-to-remember passwords is an inconvenience, it’s recommended to use a reliable password manager.
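The privacy concern above is why HIBP's Pwned Passwords lookup uses a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 hash and compares the rest locally. The following is an added example (not code from the original article or from HIBP) that walks through that check against a constructed, offline stand-in for the range response with made-up breach counts.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Only the 5-char prefix leaves the client; the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix: str) -> str:
    """Constructed stand-in for the live service.  A real client would GET
    https://api.pwnedpasswords.com/range/<prefix> and receive one
    'SUFFIX:COUNT' line for every breached hash sharing that prefix."""
    # assumption: a tiny breach corpus with made-up counts
    corpus = {"password": 3730471, "qwerty": 3912816, "letmein": 251682}
    lines = []
    for pw, count in corpus.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    out = {}
    for line in body.splitlines():
        if line.strip():
            suffix, count = line.strip().split(":", 1)
            out[suffix.upper()] = int(count)
    return out


def pwned_count(password: str, fetch=fake_range_response) -> int:
    """How many times the password appears in the (stand-in) breach corpus.
    The full hash is never sent: only `prefix` reaches `fetch`."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

Swapping `fetch` for a real HTTP call to the range endpoint gives a working client; everything else, including the local suffix comparison, stays the same.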
Google hit with a €50 million fine over GDPR violations
The French data regulator (CNIL) has fined tech giant Google €50 million over violations of the EU’s data protection laws. This is the first big fine to be issued over GDPR violations since the law came into effect in May 2018. According to CNIL, Google was issued the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”, as well as for not sufficiently informing its users about how Google collects data for personalised advertising.
The complaints against Google were filed in May last year by privacy groups “None of Your Business” (noyb) and “La Quadrature du Net” (LQDN), with the first complaint filed the day GDPR came into effect.
The data regulator said that because relevant information was spread across several documents, users were not able to give clear consent to their data being processed.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said in a statement.
Furthermore, CNIL also notes that the personalised ads option is automatically pre-ticked when new accounts are created, which violates the GDPR.
€50 million is currently the biggest fine issued under GDPR. Under the new regulations, the maximum fine is €20 million or 4 percent of global annual revenue, whichever is higher. Had Google been issued the maximum fine, the tech giant could have been fined almost €4 billion.
DailyMotion credential stuffing attack
Paris-based video-sharing platform DailyMotion is the latest victim of a credential stuffing attack, a type of cyberattack where cybercrooks try to access accounts using usernames and passwords leaked from other websites. According to DailyMotion, the attack started on January 19 and while it was still ongoing when the platform released the notice on the 25th, it has since been contained.
Potentially impacted users and the French Data Protection Authority (CNIL) have been informed about the attack, as is required under Europe’s new data protection laws. Some users’ passwords have also been reset in order to prevent account takeover.
This type of attack has recently affected other services like the HSBC bank and Dunkin’ Donuts, with Reddit being one of the latest victims. The attack involves hackers automatically trying combinations of usernames and leaked or easy-to-guess passwords to gain access to accounts. Credential stuffing affects users who reuse passwords on multiple accounts or use common passwords like “password”, “qwerty” and so on. If you reuse passwords, it is enough for one service to get hacked and leak your password for hackers to take over your other accounts that share the same password. Passwords you use for sensitive services like banking, email or social media should never be reused. If you have too many different passwords to keep track of, use a reliable password manager. And if you use DailyMotion, it is recommended that you change your password.
Yet another data collection scandal involving Facebook
Facebook’s data collection practices have made headlines yet again, and this time it was revealed by TechCrunch that the social media giant pays users (including those who are underage) $20 in exchange for complete access to their phones and personal data via an app called Facebook Research. While many people choose to participate in similar marketing research projects in order to get some kind of financial gain, the fact that Facebook targeted minors is causing a lot of controversy.
Dubbed “Facebook Research”, the app invited users aged 13-35 to participate in a marketing research project in exchange for $20 per month. Users were asked to install the app on their phones and let it run in the background while they use their phones as usual. While the app was running, it was collecting all kinds of personal information, including which apps users were using and how they interacted with them, private messages sent on social media apps, emails, and their browsing histories. Facebook also reportedly requested users to screenshot their Amazon order pages. Furthermore, the app asked for root access upon sign-up, which essentially allowed Facebook complete access to the device. Users were paid $20 for every month they allowed Facebook access to their data.
According to TechCrunch, ads advertising the marketing research specifically invited 13 to 17-year-olds to participate in a paid social media research study, but did not mention Facebook until users had already started the sign-up. Underage participants were requested to get parental consent, which is the stage at which users were informed of Facebook’s involvement.
While the app required permission from the user, it is believed that many people who agreed to install the app did not fully realize the extent of what they were agreeing to. Furthermore, many criticize Facebook’s decision to include underage users, even if parental consent was requested, as they’re essentially asking kids to give up their privacy for $20.
After TechCrunch broke the story, a Facebook spokesperson confirmed to them that the company was running the program in order to learn about users’ habits. However, while the app is no longer available for iOS (more information in the TechCrunch article we have linked above), it continues to be available for Android users.