July 3, 2018

Facebook gave certain companies special access to customer data

By John E Dunn

What do Russian internet company Mail.ru, car maker Nissan, music service Spotify, and sports company Nike have in common? They, and 57 other companies, were revealed by Facebook in a US House of Representatives’ Energy and Commerce Committee submission to have been given temporary extensions to access the private Friends data API, despite the company supposedly changing the policy allowing this in May 2015.

This is news because it shouldn’t have been possible. As Facebook explains the policy, first communicated to all companies in April 2014:

We made clear that existing apps would have a year to transition – at which point they would be forced to migrate to the more restricted API and be subject to Facebook’s new review and approval protocols.

It wasn’t a long extension, amounting to six months for all bar one company, accessibility app company Serotek, which was given eight months in total.

Facebook doesn’t make clear why this happened, a frustrating omission in a document that runs to 747 pages of answers to around 2,000 questions sent by US lawmakers following Mark Zuckerberg’s Senate grilling in April.

Read more at https://nakedsecurity.sophos.com/2018/07/03/facebook-gave-certain-companies-special-access-to-customer-data/

Typeform data breach hits thousands of survey accounts

By John E Dunn

Survey company Typeform has admitted suffering a breach caused by attackers downloading a “partial backup” of its customer data.

The Spanish company said it noticed the issue on 27 June, remedying its cause within 30 minutes. The affected data was that collected prior to 3 May, which meant:

Results collected since May 3rd 2018 are therefore safe and not compromised.

As breaches go, this is a slightly complicated one because Typeform’s paying customers are businesses that use its software to conduct customer surveys and quizzes.

Each one of those collects data from possibly tens of thousands of their own customers when they take part, which widens the breach’s scope.

Each affected provider will therefore need to contact these customers independently – a situation that draws parallels with the breach suffered by email marketing provider Epsilon in 2011, which saw dozens of large brands sending out apology emails.

Typeform said affected account holders would be informed by email. The Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birdseye have been among those issuing their own alerts, but this is only a fraction of the company’s business customer base, which runs to thousands.

Read more at https://nakedsecurity.sophos.com/2018/07/03/typeform-data-breach-hits-thousands-of-survey-accounts/

Fake Bitcoin exchange traps drug dealers on the dark web

By John E Dunn

As around 35 alleged drug vendors have found out to their cost, you never know who you’ll meet on the dark web.

In the case of the customers of one money laundering operation, it turned out to be agents working for the US Immigration and Customs Enforcement’s Homeland Security Investigations (HSI).

According to a Department of Justice announcement, the authorities spent a year investigating dozens of individuals using the front, turning the bitcoins they had received for illegal drug sales into dollars.

The core of the operation was the takeover of an established laundering outfit, whose owner police arrested and charged in 2016.

This led to the arrest of more than 35 individuals across numerous US states and the seizure of $3.6 million in currency and gold bars, plus 100 handguns, assault rifles, and a grenade launcher.

Police also recovered a long list of drugs, including Oxycodone, MDMA, cocaine, LSD, marijuana, and a “psychedelic mushroom.” They also seized 2,000 BTC and other cryptocurrencies with a value of $20 million.

Said Derek Benner of the HSI:

In this case, HSI special agents were able to walk amongst those in the cyber underworld to find those vendors who sell highly addictive drugs for a profit.

The HSI release was very much of the “criminals have nowhere to hide” type that is often trumpeted after these sorts of operations:

The veil has been lifted. HSI has infiltrated the Darknet, and together with its law enforcement partners nationwide, it has proven, once again, that every criminal is within arm’s reach of the law.

That’s true, even if arresting 35 people barely scratches the surface of what goes on within the confines of the dark web.

Read more at https://nakedsecurity.sophos.com/2018/07/02/fake-bitcoin-exchange-traps-drug-dealers-on-the-dark-web/
