Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward

Security researchers have linked a new wave of mass-hacks targeting a popular file transfer tool to the notorious Clop ransomware gang, as the first victims of the attacks begin to come forward.

It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server’s database. Progress Software, which develops the MOVEit software, has already released some patches.

Over the weekend, the first victims of the attacks began to come forward.

Zellis, a U.K.-based human resources software maker and payroll provider, confirmed to TechCrunch that its MOVEit system was compromised, with the incident affecting a “small number” of its corporate customers.

One of those customers is U.K. airline giant British Airways, which told TechCrunch that the breach included the payroll data of all of its U.K.-based employees.

“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” British Airways spokesperson Jason Turnnidge-Betts told TechCrunch. “Zellis provides payroll support services to hundreds of companies in the U.K., of which we are one. We have notified those colleagues whose personal information has been compromised to provide support and advice.”

British Airways didn’t confirm how many employees are affected, but currently has around 35,000 staff worldwide.

The U.K.’s BBC also confirmed it was affected by the incident affecting Zellis. A BBC spokesperson, who declined to provide their name, told TechCrunch: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens’ personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine “exactly what information was stolen, and how many people have been impacted.”

It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group Microsoft tracks as “Lace Tempest.” This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass-attacks exploiting flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.

Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration.

Mandiant isn’t yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are “notable” similarities between a newly created threat cluster it’s calling UNC4857, which has as-yet “unknown motivations,” and FIN11, a well-established ransomware group known to operate Clop ransomware. “Ongoing analysis of emerging activity may provide additional insights,” Mandiant said.

Charles Carmakal, chief technology officer at Mandiant, confirmed to TechCrunch last week that the company had “seen evidence of data exfiltration at multiple victims.”

It’s likely many more victims of the MOVEit breach will come to light over the next few days.

Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet.

Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward by Carly Page originally published on TechCrunch

Google Workspace and Cloud get support for passkeys

A month ago, Google rolled out passkey support to consumer Google accounts. Today, it is extending this to business users, with the open beta launch of passkeys for Google Workspace and Cloud accounts.

Like almost every other major tech company, Google has been waging war against passwords for years. The promise of passkeys is that they are safer than passwords and multifactor authentication because instead of using an authentication code from an app or SMS, passkey users can simply use their phones, desktop or laptops to sign into websites and apps with the same logins they already use for their devices — be that a biometric login or a PIN code. Since users need to have physical access to these devices, it’s also less likely that an adversary will be able to gain access to them accidentally.


Passkeys, like physical security keys, also have the advantage of being resistant to phishing and indeed, the cryptographic protocols underlying the technology aren’t all that different from those of physical security keys.

Google’s own research has shown that using passkeys is twice as fast and four times less error-prone than passwords (no surprise there).

“Over the past decade Google has been at the forefront of the battle against phishing and password-related threats, including with our automated defenses powered by Google AI,” write Google Workspace product manager Jeroen Kemperman and Workspace engineering manager Shruti Kulkarni in today’s announcement. “We championed the development of physical security keys and their standardization under the FIDO Alliance. As generally a simpler and more secure alternative to passwords, passkeys represent the culmination of this work to bring phishing-resistant technology to billions of people worldwide.”

As is typical for these Workspace rollouts, Google is rolling this new feature out slowly. Over the course of the next few weeks, admins will get the ability to enable passkeys for their users and skip passwords at sign-in.

Google Workspace and Cloud get support for passkeys by Frederic Lardinois originally published on TechCrunch

Scammers publish ads for hacking services on government websites

Scammers have published various advertisements for hacking services on the official websites of multiple U.S. state, county, and local governments, a federal agency, as well as numerous universities.

The advertisements were contained in PDF files uploaded to official .gov websites belonging to the state governments of California, North Carolina, New Hampshire, Ohio, Washington, and Wyoming; the counties of St. Louis in Minnesota, Franklin County in Ohio, Sussex County in Delaware; the town of Johns Creek in Georgia; and the federal Administration for Community Living.

Scammers also uploaded similar ads on the .edu websites of several universities: UC Berkeley, Stanford, Yale, UC San Diego, University of Virginia, UC San Francisco, University of Colorado Denver, Metropolitan Community College, University of Washington, University of Pennsylvania, University of Texas Southwestern, Jackson State University, Hillsdale College, United Nations University, Lehigh University, Community Colleges of Spokane, Empire State University, Smithsonian Institution, Oregon State University, University of Buckingham in the U.K., and Universidad Del Norte in Colombia.

Apart from .gov and .edu sites, other victims include Spain’s Red Cross; the defense contractor and aerospace manufacturer Rockwell Collins — part of Collins Aerospace and a subsidiary of the defense giant Raytheon; and an Ireland-based tourism company.

The PDFs link to several different websites, some of them advertising services that claim to be able to hack into Instagram, Facebook, and Snapchat accounts; services to cheat in video games; and services to create fake followers.

“BEST way to Hack Insta 2021,” one PDF read. “If you are looking to hack Instagram account (either yours which you got locked out from or your friend), InstaHacker is the right place to look for. We, at InstaHacker, provides our users with easy Instagram hack solutions that are safe and completely free from any malicious intentions [sic throughout].”

Some of the documents have dates that suggest they may have been online for years.

These advertisements were found by John Scott-Railton, a senior researcher at the Citizen Lab. It’s unclear if the sites he found — and we have listed — are a complete list of the sites affected by this massive spam campaign. And given how many websites were displaying very similar advertisements, the same group or individual may be behind them all.

“SEO PDF uploads are like opportunistic infections that flourish when your immune system is suppressed. They show up when you have misconfigured services, unpatched CMS [content management system] bugs, and other security problems,” said Scott-Railton.

While this campaign seems to be complex, massive, and at the same time a seemingly harmless SEO play to promote scam services, malicious hackers could have exploited the same flaws to do much more damage, according to Scott-Railton.

“In this case the PDFs they uploaded just had text pointing to a scam service that might also be malicious as far as we know, but they could very well have uploaded PDFs with malicious contents,” he said. “Or malicious links.”

Zee Zaman, a spokesperson for U.S. cybersecurity agency, CISA said that the agency “is aware of apparent compromises to certain government and university websites to host search engine optimization (SEO) spam. We are coordinating with potentially impacted entities and offering assistance as needed.”

TechCrunch inspected some of the websites advertised in the PDFs, and they appear to be part of a convoluted scheme to generate money through click-fraud. The cybercriminals appear to be using open-source tools to create popups to verify that the visitor is a human, but are actually generating money in the background. A review of the websites’ source code suggests the hacking services as advertised are likely fake, despite at least one of the sites displaying the profile pictures and names of alleged victims.

Several victims told TechCrunch that these incidents are not necessarily signs of a breach, but rather the result of scammers exploiting a flaw in online forms or a content management system (CMS) software, which allowed them to upload the PDFs to their sites.

Representatives for three of the victims — the town of Johns Creek in Georgia, the University of Washington, and Community Colleges of Spokane — all said that the issue was with a content management system called Kentico CMS.

It’s not entirely clear how all of the sites were affected. But representatives of two different victims, the California Department of Fish and Wildlife and University of Buckingham in the U.K., described techniques that appear to be the same, but without mentioning Kentico.

“It appears an external person took advantage of one of our reporting mechanisms to upload PDFs instead of pictures,” David Perez, a cybersecurity specialist at the California Department of Fish and Wildlife told TechCrunch.

The department has several pages where citizens can report sightings of poaching and injured animals, among other issues. The department’s deputy director of communications Jordan Traverso said that there was a misconfigured form on the page to report sick or dead bats, but that the site “was not actually compromised”; the issue was resolved and the department removed the documents.

Roger Perkins, a spokesperson for the University of Buckingham, said that “these pages are not the result of hacking but are old ‘bad pages’ resulting from the use of a form — basically they’re spam and are now in the process of being removed […] there was a public-facing form (no longer in existence) that these people took advantage of.”

Tori Pettis, a spokesperson for the Washington Fire Commissioners Association, one of the affected agencies, told TechCrunch that the files have been removed. Pettis said she was not sure whether the issue was with Kentico, and that “the site hasn’t been hacked, however, there was a vulnerability which was previously allowing new members to upload files into their accounts before the profile was completed.”

Jennifer Chapman, senior communications manager at the town of Johns Creek, said that “we worked with our hosting company to remove the PDFs in question and resolve the issue.”

Ann Mosher, public affairs officer for the Administration for Community Living, said the pages “have been taken down.”

Leslie Sepuka, the associate director of university communications at the University of California San Diego, said that “unauthorized PDFs were uploaded to this site. The files have been removed and changes have been made to prevent further unauthorized access. All users with access to the website have also been asked to reset their passwords.”

Victor Balta, spokesperson for the University of Washington, said “the issue appears to have stemmed from an out-of-date and vulnerable plugin module on the website, which allowed for content to be uploaded into a public space.” The spokesperson added that, “there is no indication of any deeper impact or compromise of access or data within the relative system.”

Balta attributed the issue to Kentico.

Thomas Ingle, director of technology services at Community Colleges of Spokane, said that the problem was a Windows Server running Kentico, and that “we had documents uploaded (in this case the PDF you referenced) that other servers that were hijacked were pointing to.”

Janet Gilmore, a spokesperson for UC Berkeley, said: “There was a vulnerability found on this website,” referring to the site where the hacking ads were posted, and that the issue was rectified “to prevent this from happening again in the future.”

The rest of the named organizations did not respond to TechCrunch’s inquiries. Several calls and emails to Kentico Software went unreturned.

The ultimate damage of this spam campaign is, and will likely remain, minimal, but the ability to upload content to .gov websites would be concerning, not just for the .gov websites in question, but for the whole U.S. government.

It has already happened. In 2020, Iranian hackers broke into a U.S. city’s website with the apparent goal of altering the vote counts. And elections officials have expressed concern about hackers breaking into election-related websites.

Scammers publish ads for hacking services on government websites by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Hackers launch another wave of mass-hacks targeting company file transfer tools

Security researchers are sounding the alarm after hackers were caught exploiting a newly discovered vulnerability in a popular file transfer tool used by thousands of organizations to launch a new wave of mass data exfiltration attacks.

The vulnerability affects the MOVEit Transfer managed file transfer (MFT) software developed by Ipswitch, a subsidiary of U.S.-based Progress Software, which allows organizations to share large files and data sets over the internet. Progress confirmed on Wednesday that it had discovered a vulnerability in MOVEit Transfer that “could lead to escalated privileges and potential unauthorized access to the environment,” and urged users to disable internet traffic to their MOVEit Transfer environment. 

Patches are available and Progress is urging all customers to apply them urgently.

U.S. cybersecurity agency CISA is also urging U.S. organizations to follow Progress’ mitigation steps, apply the necessary updates, and hunt for any malicious activity.

Corporate file-transfer tools have become an increasingly attractive target for hackers, as finding a vulnerability in a popular enterprise system can allow the theft of data from multiple victims.

Jocelyn VerVelde, a spokesperson for Progress via an outside public relations agency, declined to say how many organizations use the affected file transfer tool, though the company’s website states that the software is used by “thousands of organizations around the world.” Shodan, a search engine for publicly exposed devices and databases, reveals more than 2,500 MOVEit Transfer servers discoverable on the internet, most of which are located in the United States, as well as the U.K., Germany, the Netherlands and Canada.

The vulnerability also impacts customers who rely on the MOVEit Transfer cloud platform, according to security researcher Kevin Beaumont. At least one exposed instance is connected to the U.S. Department of Homeland Security, and several “big banks” that are believed to be MOVEit customers may also be affected, according to Beaumont.

Several security companies say they have already observed evidence of exploitation.

Mandiant said it is investigating “several intrusions” related to the exploitation of the MOVEit vulnerability. Mandiant chief technology officer Charles Carmakal confirmed that Mandiant had “seen evidence of data exfiltration at multiple victims.”

Cybersecurity startup Huntress said in a blog post that one of its customers has seen “a full attack chain and all the matching indicators of compromise.”

Security research firm Rapid7, meanwhile, confirmed it had observed signs of exploitation and data theft from “at least four separate incidents.” Caitlin Condon, senior manager of security research at Rapid7, said that the company has seen evidence that attackers may have begun automating exploitation.

While it’s unclear exactly when exploitation began, threat intelligence startup GreyNoise said it has observed scanning activity as early as March 3 and urges users to review systems for any indicators of unauthorized access that may have occurred within the past 90 days.

It’s not yet known who is responsible for the mass exploitation of MOVEit servers.

Rapid7’s Condon told TechCrunch that the attacker’s behavior appears to be “opportunistic rather than targeted,” adding that this “could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets.”

It’s the latest effort by hackers and extortion groups to target enterprise file transfer systems in recent years.

In January, the Russia-linked Clop ransomware gang claimed responsibility for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software. More than 130 organizations using GoAnywhere were targeted, including Florida-based healthcare company NationBenefits, virtual therapy provider Brightline, and the City of Toronto.

Clop was also behind another widespread attack on another popular file transfer tool in 2021. The gang breached Accellion’s file-sharing tool to launch attacks against a number of organizations, including Morgan Stanley, the University of California, grocery giant Kroger and law firm Jones Day.

Hackers launch another wave of mass-hacks targeting company file transfer tools by Carly Page originally published on TechCrunch

Kaspersky says attackers hacked staff iPhones with unknown malware

The Russian cybersecurity company Kaspersky said that hackers working for a government targeted its employees’ iPhones with unknown malware.

On Monday, Kaspersky announced the alleged cyberattack and published a technical report analyzing it, in which the company admitted its analysis is not yet complete. The company said that the hackers, who at this point are unknown, delivered the malware with a zero-click exploit via an iMessage attachment, and that all the events happened within a one- to three-minute timeframe. At this point, it’s unclear if the hackers exploited new vulnerabilities that were unpatched at the time, meaning they were so-called zero-days.

Kaspersky researchers said that they discovered the attack when they noticed “suspicious activity that originated from several iOS-based phones,” while monitoring their own corporate Wi-Fi network.

The company called this alleged hack against its own employees “Operation Triangulation,” and created a logo for it. Neither Kaspersky nor Apple immediately responded to requests for comment.

Kaspersky researchers said they created offline backups of the targeted iPhones and inspected them with a tool developed by Amnesty International called the Mobile Verification Toolkit, or MVT, which allowed them to discover “traces of compromise.” The researchers did not say when they discovered the attack, and said that they found traces of it going as far back as 2019, and that “attack is ongoing, and the most recent version of the devices successfully targeted is iOS 15.7.”

While the malware was designed to clean up the infected devices and remove traces of itself, “it is possible to reliably identify if the device was compromised,” the researchers wrote.

In the report, the researchers explained step by step how they analyzed the compromised devices, outlining how others can do the same. They did not, however, include many details of what they found using this process.

The researchers said that the presence of “data usage lines mentioning the process named ‘BackupAgent’,” was the most reliable sign that an iPhone was hacked, and that another one of the signs was that compromised iPhones could not install iOS updates.

“We observed update attempts to end with an error message ‘Software Update Failed. An error occurred downloading iOS,’” the researchers wrote.

The company also published a series of URLs that were used in the operation, including some with names such as Unlimited Teacup and Backup Rabbit.

The Russian Computer Emergency Response Team (CERT), a government organization that shares information on cyberattacks, published an advisory on the cyberattack, along with the same domains mentioned by Kaspersky.

In a separate statement, Russia’s Federal Security Service (FSB) accused U.S. intelligence of hacking “thousands” of Apple phones with the goal of spying on Russian diplomats, according to an online translation. The FSB did not provide evidence for its claims.

The FSB’s description of the attacks echoes what Kaspersky wrote in its report, but it’s unclear if the two operations are connected.

This is not the first time hackers have targeted Kaspersky. In 2015 the company announced that a nation-state hacking group, using malware believed to be developed by Israeli spies, had hacked its network.

Do you have more information about these cyberattacks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email You can also contact TechCrunch via SecureDrop.

Kaspersky says attackers hacked staff iPhones with unknown malware by Lorenzo Franceschi-Bicchierai originally published on TechCrunch

Google’s Parisa Tabriz to discuss keeping a billion users safe and more on Disrupt’s Security Stage

We can’t say with scientific certainty, but security could be a leading cause of early-stage startup founder insomnia. Locking down your company, product and customer security against constantly evolving threats is an essential, if daunting task. No matter where you fall on the startup journey, you’ll benefit from expert guidance.

We’re excited to announce that Parisa Tabriz, vice president and general manager of Chrome and self-proclaimed Google “security princess,” will provide an abundance of such guidance during a fireside interview on the Security Stage at TechCrunch Disrupt 2023, which takes place on September 19–21.

As Google security princess, Tabriz — whose realm consists of billions of Chrome users around the world — leads Google’s information security engineering team. She’s responsible for Chrome web browser security and also Project Zero, the company’s elite group of security researchers who find security vulnerabilities. It’s through this work that Tabriz helps to ensure that the company’s products (and software) are secure when they ship.

Topics on the table include the gargantuan effort required to secure Chrome, and we’ll explore what startup founders need to know to play the long game with product security. Simply put, your company needs to be secure when you’re ready to scale.

We’re eager to hear what Tabriz sees as the biggest challenges in product security today. We’ll also ask what responsibilities a company takes on when building out its flagship products. Whether protecting user data, preventing supply chain attacks or defending against nation-state threats — like advanced persistent threat (APT) groups or governments — what do companies need to know?

Parisa Tabriz is a technology leader and cybersecurity expert, currently responsible for engineering, product and design of Google Chrome. Tabriz has worked on product development and information security at Google for over a decade, starting as a “hired hacker” software engineer for Google’s security team.

Tabriz has consulted with the White House’s U.S. Digital Service to enhance security of government technology, and she works with entertainment writers to help them understand the world of technology so they can create and depict more accurate, diverse stories.

Hear more conversations with leading experts on the Security Stage, which features topics like data protection, privacy regulations, information sharing, risk management and more. It’s just one of the six new stages for six breakthrough sectors at Disrupt.

Is your company interested in sponsoring or exhibiting at TechCrunch Disrupt 2023? Contact our sponsorship sales team by filling out this form.

Google’s Parisa Tabriz to discuss keeping a billion users safe and more on Disrupt’s Security Stage by Lauren Simonds originally published on TechCrunch

Enzo Biochem says ransomware attack exposed clinical test data of 2.5 million patients

Enzo Biochem, a New York-based biotechnology company, has confirmed that a ransomware attack exposed the clinical test information of almost 2.5 million patients.

Enzo, which manufactures and sells DNA-based tests to detect viral and bacterial diseases including COVID-19 and cancer, confirmed in an SEC filing this week that it experienced a ransomware attack on April 6. While it was able to remain operational by disconnecting its systems from the internet, Enzo said it discovered on April 11 that hackers were able to access and exfiltrate sensitive data from the company’s systems.

This includes clinical test information of 2,470,000 individuals and approximately 600,000 Social Security numbers, according to Enzo. The company added that it continues to investigate whether its employees’ information may have also been accessed.

“The Company remains subject to risks and uncertainties as a result of the incident, including as a result of the data that was accessed or exfiltrated from the Company’s network,” Enzo CEO Hamid Erfanian said in the SEC filing. “Additionally, security and privacy incidents have led to, and may continue to lead to, additional regulatory scrutiny. The Company is in the process of evaluating the full scope of the costs and related impacts of this incident.”

Enzo did not reveal how it was compromised or whether it received a ransom demand from the hacking group responsible, and company spokesperson Lynn Granito did not return TechCrunch’s request for comment. At the time of writing, it doesn’t appear any well-known ransomware group has claimed responsibility for the attack.

Enzo Biochem is the latest in a long line of medical companies to experience a breach of sensitive data in recent months. PharMerica, one of the largest pharmacy service providers in the United States, confirmed in May that hackers had stolen the personal data of 5.8 million current and deceased individuals, including Social Security numbers and medication and health insurance information.

Earlier this week, Managed Care of North America (MCNA) Dental — one of America’s largest dental health insurers — confirmed that the personal information of almost nine million individuals had been compromised following a ransomware attack on its systems.

Enzo Biochem says ransomware attack exposed clinical test data of 2.5 million patients by Carly Page originally published on TechCrunch

Legal tech firm Casepoint investigates breach after hackers claim theft of government data

Casepoint says it’s investigating a potential cybersecurity incident after hackers claimed to have compromised the legal technology platform to steal terabytes of sensitive data.

U.S.-based Casepoint offers a legal discovery platform for litigation, investigations and compliance that is used by government agencies, corporations and law firms. The organization boasts a number of high-profile clients, including the U.S. Courts, the Securities and Exchange Commission (SEC), the U.S. Department of Defense (DoD), hotel operator Marriott, and medical giant Mayo Clinic.

In a statement to TechCrunch, Casepoint co-founder and chief technology officer Vishal Rajpara confirmed the company had “activated our incident response protocols” on March 30 and “engaged an external forensic firm to help us investigate a potential incident”.

While Rajpara declined to confirm the nature of the incident, he didn’t dispute claims that Casepoint was targeted by the ALPHV ransomware gang, which this week claimed responsibility for attacking the organization by listing its stolen data on its dark web leak site. The Russia-linked gang, also known as BlackCat, claims to have stolen two terabytes of sensitive information from Casepoint, including data from the U.S. government, and “many other things you have tried so hard to keep,” the gang said.

Samples of the exfiltrated data, seen by TechCrunch, include sensitive health information from a Georgia-based hospital, a legal document, a government-issued ID, and an internal document allegedly issued by the FBI. The FBI did not respond to TechCrunch’s request for comment.

In an update published on March 31 — after Casepoint confirmed it was investigating the incident — ALPHV also shared what appears to be login details for the company’s internal systems.

Rajpara told TechCrunch that Casepoint remains “fully operational and have experienced no disruption to our services,” adding that “the third party forensic firm that we have engaged is currently running scans and deploying advanced endpoint detection monitoring tools and will be looking for signs of suspicious activity.”

“We are early on in our investigation and are committed to keeping our clients informed as we learn more,” Rajpara said.

Rajpara declined to say whether the company has the technical means to detect what data was accessed or exfiltrated, or whether the company has received any communication, such as a ransom demand, from the ALPHV ransomware group.

The ALPHV gang previously claimed to have targeted the Amazon-owned video surveillance company Ring, and NextGen Healthcare, a U.S.-based electronic health record software provider. ALPHV’s leak site was also used to host data stolen from Western Digital, though the hackers responsible claimed they were not affiliated with the gang.

Other ALPHV victims include Bandai Namco, Swissport and the Munster Technological University in Ireland.

Legal tech firm Casepoint investigates breach after hackers claim theft of government data by Carly Page originally published on TechCrunch

Amazon’s Ring to pay $5.8M after staff and contractors caught snooping on customer videos, FTC says

Ring, the Amazon-owned maker of video surveillance devices, will pay $5.8 million over claims brought by the Federal Trade Commission that Ring employees and contractors had broad and unrestricted access to customers’ videos for years.

The settlement was filed in the U.S. District Court for the District of Columbia on Wednesday. The FTC confirmed the settlement a short time later. News of the settlement was first reported by Reuters.

The FTC said that Ring employees and contractors were able to view, download, and transfer customers’ sensitive video data for their own purposes as a result of “dangerously overbroad access and lax attitude toward privacy and security.”

According to the FTC’s complaint, Ring gave “every employee — as well as hundreds of Ukraine-based third-party contractors — full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function.” The FTC also said that Ring staff and contractors “could also readily download any customer’s videos and then view, share, or disclose those videos at will.”

The FTC alleged on at least two occasions Ring employees improperly accessed the private Ring videos of women. In one of the cases, the FTC said the employee’s spying went on for months, undetected by Ring.

According to a draft of the notification Ring plans to send affected customers, the individuals are no longer employed by Ring.

The government’s complaint also said that Ring failed to respond to multiple reports of credential stuffing, in which hackers take username and password pairs stolen in one data breach and try them against accounts on other sites, relying on users having reused the same credentials. The FTC said Ring allowed the use of easily guessable passwords, as simple as “password” and “12345678,” which made accounts easier to brute-force, and that Ring failed to act sooner to prevent account takeovers.

The FTC claims more than 55,000 U.S. customers had their accounts compromised between January 2019 and March 2020 as a result. In more than a dozen cases, hackers maintained access to hacked accounts for more than a month.
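The two account-hacking patterns the FTC describes leave different traces in authentication logs: credential stuffing shows one source trying many distinct accounts a few times each, while a brute-force attack hammers one account. The following is an added example, not code from Ring, Amazon or the FTC, that runs a sliding-window detector over a few constructed log lines (the IPs, usernames and log format are invented for illustration) and pairs it with a denylist-style weak-password check. The log format, the thresholds and the tiny denylist are all assumptions; a production deployment would check candidate passwords against a breached-password corpus such as the Have I Been Pwned Pwned Passwords k-anonymity API rather than a hard-coded set.

```python
"""Credential-stuffing detection over constructed auth logs, plus a
weak-password check. Added example; not Ring's or the FTC's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Ring logs).
# Format assumed here: "<ISO timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-01-10T03:00:01 203.0.113.7 alice FAIL
2020-01-10T03:00:02 203.0.113.7 bob FAIL
2020-01-10T03:00:03 203.0.113.7 carol FAIL
2020-01-10T03:00:04 203.0.113.7 dave FAIL
2020-01-10T03:00:05 203.0.113.7 erin OK
2020-01-10T03:00:06 203.0.113.7 frank FAIL
2020-01-10T08:15:00 198.51.100.2 alice FAIL
2020-01-10T08:15:30 198.51.100.2 alice FAIL
2020-01-10T08:16:00 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: sorted distinct usernames} for every source IP that attempted
    at least `min_accounts` distinct usernames inside any `window`-long span.
    Many accounts from one source is the credential-stuffing signature; one
    account retried from one source (198.51.100.2 above) is not flagged here."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = set()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


def compromised_accounts(events, flagged):
    """Usernames with a successful login from a flagged source: the accounts an
    incident responder should force-reset and review first."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "OK"})


# Tiny constructed denylist; the two entries named by the FTC are included.
WEAK_PASSWORDS = {"password", "12345678", "123456", "qwerty"}


def is_weak_password(pw, min_len=12):
    """True if the password is on the denylist (case-insensitive) or too short.
    Stand-in for a breached-password corpus lookup; `min_len` is an assumption."""
    return len(pw) < min_len or pw.lower() in WEAK_PASSWORDS


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
    for candidate in ("password", "12345678", "correct horse battery staple"):
        print(repr(candidate), "weak" if is_weak_password(candidate) else "ok")
```

The distinct-account threshold, not the failure count, is what separates the two patterns: a legitimate user fumbling a password and a single-account brute force both produce repeated failures for one username, so counting failures alone would flag the wrong traffic.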

Ring subsequently made two-factor authentication mandatory for users in February 2020. Ring introduced end-to-end encryption in 2021, allowing users to encrypt their doorbell videos from anyone other than themselves — including Ring.

Along with paying $5.8 million to settle the FTC’s allegations, Ring also agreed to establish and maintain a data security program with regular assessments for the next 20 years, as well as disclosing what access its employees and contractors have to customer data.

Ring spokesperson Emma Daniels said in an emailed statement to TechCrunch that Ring disagreed with the FTC’s allegations and denied violating the law.

Amazon’s Ring to pay $5.8M after staff and contractors caught snooping on customer videos, FTC says by Zack Whittaker originally published on TechCrunch

Toyota confirms another years-long data leak, this time exposing at least 260,000 car owners

Two weeks ago, Toyota said it exposed the data of more than two million customers to the internet for a decade. Today, the automotive giant said it recently discovered the data of another 260,000 car owners spilling from its systems.

Toyota said in a statement that it identified another batch of exposed data that was “potentially accessible externally due to a misconfiguration” of its connected cloud service, which allows Toyota customers to get internet services in their vehicles, such as information about their vehicle, in-car entertainment and assistance in the event of a car accident or breakdown.

The carmaker said it learned of the misconfiguration after conducting a wider investigation of its cloud environments after admitting earlier this month that customer data was accessible by anyone from the wider internet.

Toyota said the newly discovered exposed data includes in-vehicle device identifiers and mapping data that’s displayed on the car navigation system of customers in Japan but that the information alone does not contain location information and cannot reveal or identify customers. Toyota customers may be affected if they bought a vehicle as far back as December 2007, and their data was exposed between February 2015 and May 2023.

The carmaker said it would separately notify, and apologize to, customers whose information was exposed.

Toyota also confirmed that an unknown number of customers outside of Japan, specifically in Asia and Oceania, had personal information exposed between October 2016 and May 2023. While the data varies by customer, Toyota said the exposed data may include customer names, postal and email addresses, a Toyota-issued customer identifying number and the vehicle’s registration and identifying numbers. The company said it would notify customers in accordance with local laws.

The company said it has no evidence that the data was accessed or copied, though Toyota did not say what logging, if any, it has to determine if data was exfiltrated from its systems.

TechCrunch has contacted Toyota for more details, but has not yet received a response.

Toyota confirms another years-long data leak, this time exposing at least 260,000 car owners by Zack Whittaker originally published on TechCrunch