April 4, 2018
Those Facebook videos you thought were deleted were not deleted
By Lisa Vaas
Hang onto your hats for this data-retention non-shocker: Facebook’s retained user data it shouldn’t have.
In this most recent case, the content in question is users’ supposedly deleted videos. Facebook’s blaming a bug for the fact that those videos hung around…
…which users found out when many of them downloaded their Facebook data archive (an advisable step to take on the road to nuking your account) in the wake of the Cambridge Analytica (CA) data-strophe.
The ZIP file Facebook pulls together contains all the data it has on you: your status updates, your friend list, your messages, plus what New York Magazine’s Madison Malone Kircher last week reported to be “every video you ever filmed on the platform – including videos you never published.”
Kircher and the many other Facebook users around the world who discovered the undead videos aren’t the only ones to have come across surprising things in their data archives.
Also last week, many were shocked to discover, when they peeked into their archives, that Facebook had been logging call and text data since they downloaded the Facebook app for Android.
(They shouldn’t have been surprised, given that it was done with their permission. But it’s one thing to tick off “Yes do that” and quite another to suddenly come face to face with logs of your every call and your every text.)
Kircher said that last week her sister Bailey downloaded her archive. Bailey found what you’d expect: contact lists, relationship statuses. What she didn’t expect: multiple videos of herself, playing a scale on her wooden flute, taken as she tried to get a good version to post on a friend’s page.
She filmed quite a few videos, apparently. Here’s one clip New York Magazine posted to YouTube. In it, Bailey, perhaps exaggerating but most definitely exasperated as she sighed and reached for the stop recording button, said it was “Take 13.”
It wasn’t just Bailey: Kircher found clips that looked like they’d never been posted but which Facebook saved anyway. She says the difference is obvious, given the lack of comments on draft videos.
One of her co-workers found over 100 videos in her archive, only a third of which she says she ever publicly posted. Others? They include videos “of me just checking my teeth,” said Kircher’s colleague, Brittany Stephanis. Bailey found videos that she had taken with Facebook’s desktop camera, of musical rehearsals and cheerleading, which she reviewed and then, as far as she knew, erased.
Read more at https://nakedsecurity.sophos.com/2018/04/04/those-facebook-videos-you-thought-were-deleted-were-not-deleted/
Panera Bread customer records exposed via leaky database – dough!
By Paul Ducklin
There’s a war of words going on at the moment between veteran cybercrime reporter Brian Krebs and US bakery chain Panera Bread.
Krebs recently wrote about a data leakage problem on Panera’s website, whereby crooks could supposedly tease out personal information about Panera customers, without logging in themselves, by directly searching for likely terms in Panera’s online database.
For example, if you knew someone’s phone number, you could put in a search request and retrieve information that Panera happened to hold against that phone number.
In Krebs’s article, he gave an example where searching for a single company phone number retrieved data on numerous users, including username, email address and the last four credit card digits – presumably because multiple staff at a company located near one of Panera’s outlets had asked for deliveries to their place of work.
Worse still, attackers could apparently search by account ID, a numeric identifier that Krebs says may simply be incremented by one for each new user.
In other words, if you had a Panera account yourself and knew that your numeric ID was, say, 31337, then trying 31338, 31339 and so on might allow you to recover at least some personal information about other customers who first transacted at around the same time you did.
Of course, by trying thousands or hundreds of thousands of IDs in sequence you might, in theory at least, suck down data about hundreds or thousands of other active users.
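The sequential-ID problem described above is something a site operator can spot in their own access logs: one client walking consecutive account IDs is a distinctive pattern. The following is an added illustration, not code from the article or from Panera; the log format, the /api/users/ endpoint path and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real traffic). One client walks IDs
# 31337, 31338, ... in order; another client simply re-reads its own record.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2018:10:00:01] "GET /api/users/31337 HTTP/1.1" 200
10.0.0.5 - - [03/Apr/2018:10:00:02] "GET /api/users/31338 HTTP/1.1" 200
10.0.0.5 - - [03/Apr/2018:10:00:03] "GET /api/users/31339 HTTP/1.1" 200
10.0.0.5 - - [03/Apr/2018:10:00:04] "GET /api/users/31340 HTTP/1.1" 200
10.0.0.5 - - [03/Apr/2018:10:00:05] "GET /api/users/31341 HTTP/1.1" 200
10.0.0.9 - - [03/Apr/2018:10:00:06] "GET /api/users/4021 HTTP/1.1" 200
10.0.0.9 - - [03/Apr/2018:10:02:06] "GET /api/users/4021 HTTP/1.1" 200
"""

# Hypothetical endpoint: a numeric account ID as the last path segment.
LINE_RE = re.compile(r'^(\S+) .*?"GET /api/users/(\d+) ')


def parse_requests(log_text):
    """Return {client_ip: [account_id, ...]} preserving log order."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    return by_client


def longest_sequential_run(ids):
    """Length of the longest run where each ID equals the previous ID + 1."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, threshold=4):
    """Clients whose longest consecutive-ID run reaches the threshold."""
    flagged = {}
    for ip, ids in parse_requests(log_text).items():
        run = longest_sequential_run(ids)
        if run >= threshold:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

The threshold is a tuning knob: legitimate clients rarely request neighbouring IDs in order, so even a short run is worth an alert, and the structural fix is to stop serving records by guessable ID without checking that the requester owns them.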
Read more at https://nakedsecurity.sophos.com/2018/04/03/panera-bread-customer-records-exposed-via-leaky-database-dough/
5 million credit cards exposed in Saks and Lord & Taylor data breach
By Paul Ducklin
A holiday weekend without a big data breach story!
Imagine that!
In your dreams, sadly – because in real life, the mainstream media in North America has been full of Easter news about a large-scale exposure of credit card data from Saks Fifth Avenue and other brands operated by Canadian retail giant Hudson’s Bay Company, or HBC for short.
A Dark Web monitoring company called Gemini Advisory announced the breach on 01 April 2018 (it wasn’t a joke) on Twitter.
Gemini Advisory itself is a bit of a mystery – there’s no address or phone number on the company’s website, and the Contact Us process is one of those mysterious web forms where you hand over your contact details and submit your query into the ether by clicking a [Send Message] button.
According to the company, it is:
Deeply embedded in the hacking underground, [where] our multilingual experts, who have years of experience consulting Fortune 100 companies, and federal law enforcement agencies, successfully conduct covert operations and provide ongoing support of cyber defense, threat intelligence, and fraud prevention teams.
Gemini Advisory’s claim in this data breach case is a bullish one, apparently based on an advert in an underground forum published by a crook going by the handle of JokerStash:
On March 28, 2018, a JokerStash hacking syndicate announced the release for sale of over five million stolen credit and debit cards. In co-operation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores. We estimate the window of compromise to be May 2017 to present. Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations. As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.
The breach was apparently dubbed BIGBADABOOM-2 (it’s not just bugs that have catchy names these days), and claimed to offer TR2+TR1 dumps of cards from dozens of different countries.
Read more at https://nakedsecurity.sophos.com/2018/04/03/5-million-credit-cards-exposed-in-saks-and-lord-taylor-data-breach/
YouTube prankster sued by In-N-Out Burger
By Lisa Vaas
California burger chain In-N-Out Burger is not amused by YouTube prankster Cody Roeder, whose antics have included pretending to be the company’s CEO and telling a customer that their meal was “contaminated” and “garbage.”
Roeder films pranks for his YouTube channel, Troll Munchies. You can see his prior pranks on that channel – the picking up girls/embarrassing Mom prank, “hilarious fart vape pen” and the like – but the In-N-Out videos posted two weeks ago have since been made private, according to the BBC.
That’s likely because it’s gotten Roeder in a bit of a legal pickle. In-N-Out last week sought a restraining order against the prankster and his film crew. It also filed a lawsuit that claims that Roeder’s two recent pranks caused “significant and irreparable” harm to the chain. The suit seeks damages of more than $25,000.
CBS Los Angeles, which featured some footage taken of Roeder’s pranks in its own news coverage, says that early last month, Roeder put on a dark suit, walked into an In-N-Out in Van Nuys, and claimed to be their CEO.
“Hey, I’m your new CEO,” he said. “Just doing a little surprise visit.”
Read more at https://nakedsecurity.sophos.com/2018/04/03/youtube-prankster-sued-by-in-n-out-burger/