Security

Vision Direct reveals breach that skimmed customer credit cards

European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information. Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions. Detailing the data theft in a post on its website Vision Direct writes that customer data was compromised between 12.11am GMT November 3, 2018 and 12.52pm GMT November 8 — with any logged in users who were ordering or updating their information on visionDirect.co.uk in that time window potentially being affected. It says ...

BlackBerry is buying Cylance for $1.4 billion to continue its push into cybersecurity

BlackBerry was best known for keyboard-toting smartphones, but their demise in recent years has seen the Canadian firm pivot towards enterprise services and in particular cybersecurity. That strategy takes a big step further forward today after BlackBerry announced the acquisition of AI-based cybersecurity company Cylance for a cool $1.4 billion. Business Insider reported that a deal was close last week, and that has proven true with BlackBerry paying the full amount in cash up front. The acquisition is BlackBerry’s largest ever and it is set to close before February 2019 — the end of BlackBerry’s current financial year — and it will see Cylance operate as a separate business unit within BlackBerry’s business. The company plans to integrate Cylance technology with its Spark platform in the...

A leaky database of SMS text messages exposed password resets and two-factor codes

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more. The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages. For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find. Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the ...

Meet the Magecart hackers, a persistent credit card skimmer group of groups you’ve never heard of

There have been few hacker groups that have been responsible for as many headlines this year as Magecart. You might not know the name, but you probably haven’t missed their work — highly targeted credit card skimming attacks, hitting Ticketmaster and British Airways, as well as consumer electronics giant Newegg and likely many more sites that have been silently hacked to scrape consumer credit card data at the checkout. Nobody knows those attacks better than Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who’s been tracking Magecart for more than a year. In a new report published with risk intelligence firm Flashpoint, Klijnsma has exposed the inner workings of the hackers — a group of groups, rather than a single entity — all with different modus operandi and targets, whi...

Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms

Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans. The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that it found that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems. CMS didn’t say how the attackers gained access to the accounts, but said it shut off the affected accounts “immediately.” In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data — including partial Social Security numbers, immigration status and some tax informat...

Hours before U.S. election day, Facebook pulls dozens of accounts for ‘coordinated inauthentic behavior’

Facebook has pulled the plug on 30 accounts and 85 Instagram accounts that the company says were engaged in “coordinated inauthentic behavior.” Facebook’s head of cybersecurity policy Nathaniel Gleicher revealed the latest batch of findings in a late-night blog post Monday. “On Sunday evening, U.S. law enforcement contacted us about online activity that they recently discovered and which they believe may be linked to foreign entities,” said Gleicher, without naming the law enforcement agency. “We immediately blocked these accounts and are now investigating them in more detail.” The company didn’t have much more to share, only that the Facebook Pages associated with the accounts “appear to be in the French or Russian languages, while the Instagram accounts seem to have mostly been in Englis...

A Swedish ISP has blocked Elsevier’s website in protest for forcing it to block Sci-Hub

Bahnhof’s page blocking access to Sci-Hub. (Screenshot: TechCrunch) A little known fact about Swedes: when they get angry, they will often scribble down a note on paper — sometimes anonymously — and leave it where it will be seen, rather than confront a person face-to-face. One extremely angry Swedish pro-freedom internet provider took that passive aggression to a whole new level. On Thursday, Stockholm-based Bahnhof was ordered by a Swedish copyright court to block Sci-Hub, a pirate site dedicated to free access to academic papers and research. The site, operated by a Kazakh student Alexandra Elbakyan, has faced court orders and threats of site blocks across Europe, following lawsuits from academic publishers like Elsevier, which brought the most recent case. Bahnhof was forced to block 2...

Twitter removes thousands of accounts that tried to dissuade Democrats from voting

Twitter has deleted thousands of automated accounts posting messages that tried to discourage and dissuade voters from casting their ballot in the upcoming election next week. Some 10,000 accounts were removed across late September and early October after they were first flagged by staff at the Democratic Party, the company has confirmed. “We removed a series of accounts for engaging in attempts to share disinformation in an automated fashion – a violation of our policies,” said a Twitter spokesperson in an email to TechCrunch. “We stopped this quickly and at its source.” But the company did not provide examples of the kinds of accounts it removed, or say who or what might have been behind the activity. The accounts posed as Democrats and tried to convince key demographics to stay at home an...

Only half of the Fortune 500 use DMARC for email security

When Homeland Security told all federal government departments last year to roll out a new email security policy to cut down on incoming spam and phishing emails, three-quarters of all federal domains were compliant by the time of their deadline just a few weeks ago. That’s far more than what the Fortune 500 accomplished in the same period. New data from Agari shows that just half of the Fortune 500 have deployed DMARC — or domain-based message authentication, reporting, and conformance policy. Email systems use DMARC policies to verify the identity of an email sender, ensuring that it’s not impersonating another domain. Depending on the DMARC settings, an email system can either monitor, quarantine or entirely reject spoofed emails, helping to cut down on the number of phishing emails tha...

The largest software acquisition ever: IBM to buy Red Hat for $34B

At a price typically reserved for semiconductor companies, telecoms, and pharmaceutical giants, IBM announced today it would pay a record $34 billion in cash and debt to acquire enterprise open source provider Red Hat. Eclipsing Microsoft’s $26.2 billion acquisition of LinkedIn, this is the biggest software acquisition in history. It’s not the biggest tech acquisition ever, though, as that title belongs to Dell’s $67 billion buyout of data storage business EMC. You can learn about what IBM is buying Red Hat to become a hybrid cloud company in TechCrunch editor Ingrid Lunden’s deep dive here: So how does the IBM-Red Hat deal (if it closes), stack up against the other largest acquisitions of all time? Top Tech Acquisitions $67 billion – Personal computer company Dell buys EMC data storage $3...

Big tech must not reframe digital ethics in its image

Facebook founder Mark Zuckerberg’s visage loomed large over the European parliament this week, both literally and figuratively, as global privacy regulators gathered in Brussels to interrogate the human impacts of technologies that derive their power and persuasiveness from our data. The eponymous social network has been at the center of a privacy storm this year. And every fresh Facebook content concern — be it about discrimination or hate speech or cultural insensitivity — adds to a damaging flood. The overarching discussion topic at the privacy and data protection confab, both in the public sessions and behind closed doors, was ethics: How to ensure engineers, technologists and companies operate with a sense of civic duty and build products that serve the good of humanity. So, in other ...

Texas has a long history of problems with Hart eSlate voting machines

During early voting in some Texas counties, a handful of voters reported seeing their straight-ticket votes changed to endorse the opposing party. Others reported that an issue with the voting machines appeared to remove any selection for U.S. Senate altogether. The Texas Secretary of State’s office told TechCrunch that it has received “15-20 calls” from voters this week who reported being affected by the issue. All of those individuals caught the mistake and were able to correct their ballots before casting them, though that does not account for unreported instances in which voters did not notice the changed votes. In Texas, the Secretary of State serves as the chief elections officer. 🚨 ALERT: We have received multiple reports from voters who voted straight-ticket, then saw on a ...