Panasonic confirms data breach after hackers access internal network

Japanese tech giant Panasonic has confirmed a data breach after hackers gained access to its internal network.

Panasonic said in a press release dated November 26 that its network was “illegally accessed by a third party” on November 11 and that “some data on a file server had been accessed during the intrusion.” However, when reached, Panasonic spokesperson Dannea DeLisser confirmed that the breach began on June 22 and ended on November 3 — and that the unauthorized access was first detected on November 11.

The Osaka, Japan-based company provided few other details of the breach. In its press release, the company said that in addition to conducting its own investigation, it’s “currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure.”

“After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” it added. “Panasonic would like to express its sincerest apologies for any concern or inconvenience resulting from this incident.”

News of this data breach comes less than a year after Panasonic India was hit with a ransomware attack that saw hackers leak 4 gigabytes of data, including financial information and email addresses. It also comes amid a wave of cyberattacks targeting Japanese technology companies. NEC and Mitsubishi Electric both fell victim to hackers last year, and Olympus was recently forced to suspend its European, Middle East and Africa operations after being hit by BlackMatter ransomware.

Updated with comment from Panasonic.

Francisco Partners flips Quest Software to Clearlake Capital in deal reportedly worth $5.4B

Francisco Partners bought Quest Software in 2016 when Dell was selling off some assets to help pay for the massive $67 billion EMC deal. Dell itself had purchased Quest in 2012 for $2.4 billion. Today, the company was on the move again, with Clearlake Capital picking it up this time.

According to The Wall Street Journal, the firm bought Quest for $5.4 billion. Reuters reported in 2016 that Francisco and Elliott Management paid around $2 billion for Quest and another asset, SonicWALL. If all of these figures are accurate, Francisco made a nice little profit off of its 2016 investment and managed to nurture the company to more than double its value. It’s worth noting that the parties have not officially acknowledged the price.

While a private company doesn’t have to reveal its financials, it seems likely that Quest has been doing pretty well since the 2016 transaction. Perhaps even more revealing is that Clearlake has decided to retain CEO Patrick Nichols and his entire management team.

Quest is your classic legacy security vendor. The company was founded in 1987 and has been shuffled between owners, modernizing along the way and managing to continually stay alive and increase in value.

Dipanjan “DJ” Deb, co-founder and CEO at Francisco Partners, is justifiably proud of building Quest into a more valuable property under its stewardship.

“We have a long and successful track record executing divisional carve-out transactions and are grateful to have had the opportunity to work with the Quest team to create value for the company, its customers and its partners,” Deb said in a statement about the deal.

The company has built up a stable of security products, including identity products One Identity and OneLogin. It also offers an endpoint solution and a Microsoft-focused security product, among other products and services. Clearlake certainly liked the broad portfolio and customer base that Quest is bringing to them.

“With a robust portfolio of market-leading software and SaaS solutions alongside a rich history of product innovation, we believe Quest is well-positioned to capitalize on emerging growth trends in identity-centric cybersecurity, data intelligence and IT operations management software markets,” Clearlake’s Prashant Mehrotra and Paul Huber said in a statement.

The deal is expected to close early next year pending standard regulatory approval.

Apple alerts NSO phone hacking victims in Thailand, El Salvador and Uganda


Apple has sent threat notification alerts to victims of state-sponsored hackers in Thailand, El Salvador and Uganda, just hours after filing a lawsuit against Israeli spyware maker NSO Group.

At least six Thai activists and researchers who have been critical of the government have received the notification, according to Reuters, including Prajak Kongkirati, a political scientist at Bangkok’s Thammasat University, researcher Sarinee Achananuntakul and Thai activist Yingcheep Atchanont of the legal monitoring group iLaw. Citizen Lab, which tracks illegal hacking and surveillance, identified in 2018 a Pegasus spyware operator active within Thailand.

The alerts — which Apple says are designed to inform and assist users who may have been targeted by state-sponsored attackers — were also sent to a number of users in El Salvador. This includes 12 employees from El Faro, an online digital newspaper that has been notoriously critical of the government, as well as two leaders of civil society organizations and two opposition politicians.

Norbert Mao, the president of the Democratic Party in Uganda, also said on Twitter that he had received the threat notification.

The alert from Apple warns: “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID. These attackers are likely targeting you individually because of who you are or what you do. If your device is compromised by a state-sponsored attacker, they may be able to remotely access your sensitive data, communications, or even the camera and microphone. While it’s possible this is a false alarm, please take this warning seriously.”

Apple on Tuesday sued NSO Group to seek a permanent injunction to prevent the spyware maker from using any Apple product. This would make it more difficult for the company to find and exploit vulnerabilities in iPhone software and hack its targets.

“The steps we’re taking today will send a clear message: In a free society it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Apple’s security chief Ivan Krstić. “Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

On legal demands and press freedoms

In August 2020, two FBI agents were standing on my doorstep, unannounced, wanting to ask me questions about a TechCrunch story we had published the year before.

The story was about how a hacker took thousands of documents, including visas and diplomatic passports, from a server at Mexico’s Embassy in Guatemala. The hacker said they had contacted Mexican officials about the vulnerable server but were ignored, and so the hacker tweeted out a link to the embassy’s files. “When I don’t get a reply, then it’s going public,” the hacker told me.

I contacted Mexico’s consulate in New York for comment, as is standard practice when reporting a story. A spokesperson said the Mexican government took the matter “very seriously.” We published our story, and that seemed to be the end of it.

The FBI knock at my door a year later suggested it wasn’t. I declined to speak with the agents and closed the door.

After we published our story the Mexican government requested the help of the U.S. Department of Justice through diplomatic channels to investigate the hack and presumably try to identify the hacker. Because I had contact with the hacker, that must have made me a subject of interest to the Mexican authorities, hence the visit a year on.

A month after the house call, the Mexican government provided the FBI with a list of written questions it wanted us to answer, many of which were already answered in the story. Our response to the DOJ declined to provide anything more than what we had already published.

Legal demands against reporters are not uncommon; some even see it as an occupational hazard of working in the media. Demands often come in the form of a threat, almost always compelling the journalist or news outlet to retract a story, or sometimes even to stop a story before it’s published. Journalists covering cybersecurity — a beat rarely known for its chipper and upbeat headlines — are especially prone to legal threats by companies or governments wanting to avoid embarrassing headlines about their poor security practices.

Take the recent public standoff between Missouri Governor Mike Parson and the St. Louis Post-Dispatch newspaper, which the governor accused of illegal hacking after one of its journalists found thousands of Social Security numbers on the state education department’s website. The journalist verified this with three people whose Social Security numbers were exposed, promptly informed the state of the security lapse and held the story until the data could be taken down.

Parson said the reporting violated the state’s hacking laws and ordered law enforcement and a county prosecutor to investigate the paper, claiming the reporting was “an attempt to embarrass the state.” Legal experts, lawmakers and even members of Parson’s own party derided the governor for his rebuke of the newspaper, which was found to have acted entirely ethically. Parson doubled down in a video paid for by his political action committee, which contained several false claims and called the newspaper “fake news.” Earlier this month, the department apologized for the lapse that ultimately affected more than 620,000 state educators.

Claiming illegality or impropriety is a tactic used more broadly against security researchers, who find and disclose exposed personal information and security flaws before malicious hackers can exploit them. Security researchers, much like independent journalists, often work alone and have no choice but to acquiesce to legal threats, fearing high legal costs of taking a case to court, even if their work is entirely legal and helped to prevent a potentially worse security incident down the line. Not all of them have an experienced and willing media legal team to back their play.

We’ve rebuffed spurious legal demands before, but having federal agents on your doorstep simply for doing your job is certainly a new one for me. There has been no suggestion of wrongdoing, though it’s unsettling not knowing what view Mexico would take if I ever stepped foot on its soil.

But it’s the legal threats and demands that don’t make it to print that can do the most damage. Legal demands inherently have a silencing effect. Sometimes they succeed. Journalism can be risky and the newsrooms don’t always win. Left unchecked, legal threats can have a chilling effect that stifles both security research and journalism by making it legally toxic to work. That means the world is less informed and sometimes less secure.

Apple files lawsuit against NSO Group over Pegasus spyware

Apple has launched a lawsuit against NSO Group, the maker of the nation-state spyware Pegasus, seeking a permanent injunction to prevent the spyware maker from using any Apple product or service.

In a statement, Apple said it’s seeking the injunction to “prevent further abuse and harm to its users.”

Israel-based company NSO Group develops Pegasus, a spyware that gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and precise location. The spyware works by exploiting previously unknown vulnerabilities in iPhone software. Many of those targeted, including journalists, activists, and human rights defenders, received malicious links in text messages, but Pegasus more recently has been able to silently hack iPhones without any user interaction.

Several authoritarian governments are known to use Pegasus, including Bahrain, Saudi Arabia, Rwanda, the United Arab Emirates and Mexico; though, NSO has repeatedly declined to name or confirm its dozens of customers, citing non-disclosure agreements.

Apple’s complaint, filed Tuesday, aims to make it far more difficult for NSO to find and exploit vulnerabilities in iPhone software to hack its targets.

Researchers at Citizen Lab found evidence earlier this year that NSO Group had developed a new exploit able to bypass new protections built into iPhone software, known as BlastDoor, which Apple designed in large part to prevent NSO-style attacks by filtering out malicious payloads that could be used to compromise a device. This so-called zero-click vulnerability — named as such because it doesn’t require the victim to click any links to become infected — was dubbed ForcedEntry by Citizen Lab for its ability to skirt Apple’s BlastDoor’s protections. Apple patched the vulnerability in September after it was found to affect all Apple devices, not just iPhones.

Apple said that NSO uses Apple’s own services to deliver its spyware. By seeking a permanent injunction, Apple wants to ban NSO from using any of its services to launch attacks against those targeted by its government customers.

“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: in a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Apple’s security chief Ivan Krstić. “Our threat intelligence and engineering teams work around the clock to analyze new threats, rapidly patch vulnerabilities, and develop industry-leading new protections in our software and silicon. Apple runs one of the most sophisticated security engineering operations in the world, and we will continue to work tirelessly to protect our users from abusive state-sponsored actors like NSO Group.”

Apple said it’s notifying known victims targeted by the ForcedEntry exploit, and said it notifies any victims it discovers have been targeted with state-sponsored spyware.

An email sent to NSO Group’s media address was returned as undelivered.
Gift Guide: The smart home starter kit

A year ago I accidentally turned my house into a smart home. What started out as an easy (and lazy, let’s be honest) way to switch off the radio in the kitchen without getting up from the couch quickly became an obsession to remotely control and automate as much of my house as possible.

What makes a smart home? In my house the lights, outlets and window blinds can be controlled from my phone, at home or anywhere in the world, but you can extend it to other things, like air conditioners, sprinklers and garage door openers. Or thermostats, speakers, security cameras and just about anything electrical. And by adding smart home tech that can detect temperature, humidity or motion, you can automate your house to turn the light up at sunset, set the sprinklers on when the weather is dry, turn on the air conditioning when it’s warm or alert you if the doors open when you’re not at home.

The novelty of switching your living room lights on and off from your phone might quickly wear off, but it can be reassuring knowing that you can get a sense of what’s going on at home even when you’re not there — or automatically adjust the climate and lighting when you are.

You’re probably thinking, is this guy serious? Why would I want even more of my home connected to the internet? The Internet of Things (IoT) doesn’t have the best reputation historically with security, but modern smart home devices can be certified to the far higher standards set by the Big Tech giants like Apple, Amazon and Google. That said, no technology is ever perfectly secure, though efforts to create a common secure smart home standard are paying off with Matter, a protocol endorsed by some of the biggest tech companies and smart home device makers.

It helps to join a smart home ecosystem that you’re comfortable with. I use a Mac and an iPhone, so Apple’s HomeKit makes the most sense for me. Apple does not collect a ton of data like other smart home ecosystems and is probably a better fit for the privacy minded. For this guide we’ll focus on HomeKit but much will broadly apply if you use another ecosystem. For Android users, Google Home would make more sense, or Amazon Alexa if you’re so inclined. Many modern devices are compatible with other smart home platforms anyway, including newer standards like Thread. But for best results, pick an ecosystem and make sure the add-ons you’re buying are compatible.

If you’re after convenience or routine — or like in my case you just want to tinker — there’s a lot you can do with what you already have but a lot more you can do without breaking the bank.

This article contains links to affiliate partners where available. When you buy through these links, TechCrunch may earn an affiliate commission.

First, you need (or may already have) a HomeKit hub

A HomePod mini or Apple TV will work as a hub. Image Credits: Brian Heater/TechCrunch

HomeKit devices rely on a hub to communicate with. It’s through this hub that your other smart home devices connect to the internet, letting you access your devices from your phone in the outside world. Good news if you have an Apple TV or a HomePod (or HomePod mini) since these will serve as your HomeKit hub out of the box and generally don’t require any configuration. If you have more than one of these devices in your home, they can all serve as failover hubs if one becomes unavailable.

Some tech, like Philips Hue or Samsung SmartThings, will require their own separate hub (sometimes called a bridge) before they will appear in your smart home. Hubs often connect directly into the router, so keep available ports and wireless range in mind.

Control your regular devices with smart plugs

Smart plugs can be used to control regular devices with physical power switches. Image Credits: TechCrunch

Smart plugs are a great way of connecting conventional electrical devices and appliances to your smart home. A smart plug fits between your regular appliance plug and the wall outlet and can be told to switch on and off at your command. It’s worth noting that smart plugs only work with devices and appliances with a physical power switch that stays in place, and won’t work with devices with an auto-shutoff switch, like a kettle. (You probably shouldn’t rely on a smart plug for anything mission critical, like medical equipment or big household appliances.)

WeMo Wi-Fi Smart Plugs by Belkin have a small form factor compared to other, bulkier smart plugs and work reliably. There’s also a physical button on the side, in case you want or need to toggle it by hand. Eve Energy plugs are a little more expensive and also come with power management features in the Eve app but no physical button for backup.

Smart bulbs will light your home the way you want it

You may be better off finding smart bulbs that fit your existing fixtures, rather than the most recommended brand. Image Credits: TechCrunch

Just like regular bulbs, smart bulbs come in all shapes, sizes and colors so you’re likely going to need to find a brand that suits your lights and fixtures. You may also need to mix and match brands as you expand your smart home. Most bulbs are dimmable and some offer granular temperature controls to get the warmth of the room right. Nanoleaf also offers bulbs that connect to HomeKit over Wi-Fi. Philips Hue is a popular favorite but requires a separate hub to talk to your Home app. LIFX also has a broad range of bulbs and an accompanying app offering a few more features. Furniture giant IKEA has a diverse range of smart bulbs. A common criticism of smart bulbs is that they often aren’t as bright as regular filament or LED bulbs, so keep that in mind if your home is particularly prone to low light.

Set the mood with smart strip lighting

Strip lighting can be themed, colorful and animated. Image Credits: Zack Whittaker/TechCrunch

Adding color light strips to your smart home can really brighten up a space. Smart light strips are like regular strip lighting for under cabinets and shelves, but they can be controlled from your phone. These adhesive-backed strips contain dozens or hundreds of LEDs that let you customize their color and brightness, and often also their patterns and animations to bring reactive light to your rooms. You’ll need to keep in mind that most will require a power source, more often than not a wall outlet if not USB — many modern television sets should have one spare. We like the Nanoleaf Essentials Lightstrip Starter Kit to start with, or LIFX’s Lightstrip also does a great job; there’s one in my living room.

You can retrofit some of your older tech


One of the best things about smart homes is how much you can do with your existing fittings. There are a handful of window blinds and shades made by well-known brands like IKEA (with a separate hub) or baked-in like Lutron’s Serena that are natively compatible with HomeKit. Or if you have existing blinds, there are options to let you retrofit your existing window blinds with a HomeKit-enabled controller.

My house has vertical blinds with a tilt handle you have to rotate to close the blinds and so we rely on Soma, an Estonia-based smart home device maker, which makes a number of blind controllers that fit into existing chains or tilt mechanisms. You hook them up to your blinds, remove the peel from the adhesive on the device, stick the box to the wall and you’re done — no skills required. These controllers run on battery or can be powered through the stick-on solar panel or plugged into an outlet. These controllers connect to HomeKit through a separate Raspberry Pi-like hub, the Soma Connect. While my experience with Soma has been flawless, others at TechCrunch report having troubles with it — consider our reviews here “mixed.”

Blinds are just one area that can be retrofitted to work with HomeKit. Other tech exists to connect garage doors, ceiling fans and even radiators to your smart home, too.

Get automating your home with sensors

Sensors allow you to set up more automations for your smart home. Image Credits: Eve Home

Now that you have your lights and blinds hooked up to your Home app, you can start to add sensors to the mix. Sensors let you automate your home by detecting light, movement, temperature, or whether a window or door opens, and then turning on fans when it gets warm or switching on the lights at sunset only when someone is home. Some might want to use these for security. They can also be useful for power saving by shutting off lights when no motion is detected and adjusting the temperature when the weather changes.

Onvis Motion is a great, cheap, entry-level motion detector that also packs in a thermostat and hygrometer, so you can instantly get the temperature and humidity of the room that it’s in. Weather stations are more expensive but pack in a lot more features. Eve Door & Window are small stick-on battery-powered sensors that can trigger an alert or any other connected HomeKit device when a door or window is opened. And, if you’re after a privacy-friendly camera, Logitech’s Circle View works exclusively on HomeKit’s end-to-end encrypted video and doesn’t rely on a third-party cloud, if that’s a deal breaker for the privacy-minded.

Your Home app is your smart home dashboard

The Home app, which lets you control your HomeKit smart home from anywhere in the world. Image Credits: TechCrunch

One of the benefits to picking one ecosystem and sticking with it: For the most part, the most important features of each device will be aggregated into one app. With HomeKit, that’s the Home app.

Your Home app consolidates your HomeKit-enabled smart home tech in one place and lets you connect your sensors to automate the rest of your home. With window sensors you can turn on all of your lights as soon as you open the door, and you can set your strip lighting to light up a hallway when a sensor detects motion between sunset and sunrise.

The Home app also packs in some automation features, like switching on fans or opening blinds at certain times of the day when you know it’s going to be bright outside or at a time you know you’ll want privacy. Most devices also come with a corresponding app, often with a lot more settings, features and the ability to update the device’s firmware.

And that is your starter HomeKit smart home!

Some things to think about:

  • Wi-Fi network range is critical to a functioning smart home. HomeKit works on the 2.4 GHz wireless connection because it has a longer range than 5 GHz. There’s a good chance your router allows you to use both, but make sure you’re on the right network when setting up your HomeKit devices. Network coverage might be fine in a one-bedroom apartment, but larger homes may require Wi-Fi range extenders or a mesh network.
  • If you have a router that’s set up for self-organizing networking, which lets you move seamlessly between the different Wi-Fi bands, you might want to switch that setting off since it can interfere with your smart home. Some routers may have a dedicated Wi-Fi network for IoT devices built in.
  • Sometimes things will break and it’s not always clear why. Sometimes it’s just a moment of poor connectivity; in the more frustrating cases you might need to reset your devices. Each device comes with its own scannable QR code for getting set up. Keep these codes safe since you’ll need them if you ever have to reset a device, and they’re especially helpful when you can’t easily access or scan your HomeKit devices.
  • You can customize your Home screen and room backgrounds. HomePaper is a simple app that does exactly that, and it’s designed to gradually fade the background so it’s not intrusive and doesn’t make the device panels difficult to read. Home wallpapers don’t sync across your Apple devices, so you have to manually add wallpapers to each Home app.

EU retail giant Schwarz Group snags security startup XM Cyber for $700 million

Schwarz Group, an EU-based retail company, announced today that it has acquired Israeli security startup XM Cyber for $700 million. It may seem like a strange partnership, as Schwarz is best known as the owners of the Lidl and Kaufland supermarkets, but the company believes that extending into security will ultimately help benefit its retail business.

XM helps customers simulate what an attack could look like to expose flaws and openings in a company’s security posture, with the goal of closing vulnerabilities before an actual cyberattack happens.

Christian Müller, chief information officer at Schwarz Group, says that adding a security piece to the portfolio is essential, especially as more shopping moves online. “Finding and closing security gaps from an attacker’s perspective is a disruptive approach to the way organizations can proactively protect their networks. XM Cyber’s solution builds on our strong IT security to further protect our customers, partners and ourselves as a company,” Müller said in a statement.

Meanwhile XM Cyber CEO and co-founder Noam Erez sees the advantages of being part of a large corporation, even if it lacks a technology focus. “For XM Cyber customers, this means that with the financial backing of Schwarz, we will be able to accelerate product innovation, scale and extend our global reach. For Schwarz customers, with their continued investment in their digital product range, the ability to secure suppliers, consumers and businesses is a key enabler in delivering on the promise of digital transformation,” Erez said.

Perhaps not surprisingly, Schwarz intends to let XM continue to operate as an independent entity under the terms of the deal and all 110 employees will keep their jobs, meaning that existing customers should likely see little change in how things operate.

Perhaps they will get the advantage of XM being part of the larger company as Erez says, so long as the parent company doesn’t make any significant changes behind the scenes, but some customers may also be put off by the company being owned by a non-tech entity. Time will tell on that front.

XM Cyber was founded in 2016 and raised $49 million, according to Crunchbase data. The most recent deal was a $17 million Series B in July led by Macquarie Capital.

GoDaddy says data breach exposed over a million user accounts

Web hosting giant GoDaddy has reported a data breach with U.S. financial regulators, and warns that data on 1.2 million customers may have been accessed.

In a filing with the Securities and Exchange Commission, GoDaddy’s chief information security officer Demetrius Comes said the company detected unauthorized access to its systems where it hosts and manages its customers’ WordPress servers. WordPress is a web-based content management system used by millions to set up blogs or websites. GoDaddy lets customers host their own WordPress installs on their servers.

GoDaddy said the unauthorized person used a compromised password to get access to GoDaddy’s systems around September 6. GoDaddy said it discovered the breach last week on November 17. It’s not clear if the compromised password was protected with two-factor authentication.

The filing said that the breach affects 1.2 million active and inactive managed WordPress users, who had their email addresses and customer numbers exposed. GoDaddy said this exposure could put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password created when WordPress was first installed, which could be used to access a customer’s WordPress server, was also exposed.

The company said that active customers had their sFTP credentials (for file transfers), and the usernames and passwords for their WordPress databases, which store all the user’s content, exposed in the breach. In some cases, the customer’s SSL (HTTPS) private key was exposed, which if abused could allow an attacker to impersonate a customer’s website or services.

GoDaddy said it has reset customer WordPress passwords and private keys, and is in the process of issuing replacement SSL certificates.

The web host has more than 20 million customers worldwide. A spokesperson for GoDaddy did not immediately comment.

US education software company exposed personal data of 1.2M students

SmarterSelect, a U.S.-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket.

The data spill, discovered by cybersecurity company UpGuard, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes, and invoices for approximately 1.2 million applications to funding programs, dated from November 2020 to September 21, 2021. SmarterSelect’s website says it has served 1.6 million people to date.

One folder on the public bucket contained 23,000 spreadsheets and 8,000 ZIP files, according to UpGuard’s analysis. For applicants, these files contained contact information like name, email address, and phone number, as well as much more probing details such as their parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations.

Some files also included longer documents such as letters of recommendation and personal essays detailing poverty, physical and sexual abuse, domestic violence, and other personal information, UpGuard said.

Another directory, which contained some 2.79 million files, included even more sensitive data on applicants. This includes student photos where required for application, financial documents such as Free Application for Federal Student Aid (FAFSA) forms that in some cases included full Social Security numbers, proof of COVID-19 vaccinations, and descriptions of hardships.

UpGuard first notified SmarterSelect about the breach on September 15 and then again on September 27. The company acknowledged the warning on September 30, before revoking public access to the bucket on October 5. It’s not known whether any malicious actors accessed the data while it was exposed.

“The contents of the bucket also serve as a reminder of the risks of collecting and retaining sensitive data, particularly for populations like college students,” UpGuard said. “The process of applying to, attending, and securing funding for university education requires young people to provide detailed information about themselves to a complex institutional supply chain.

“Even well-intentioned programs aiming to assist students who have been disadvantaged by circumstances beyond their control — in fact, especially those programs that seek to help those most in need — require a detailed accounting of the facts of one’s life.”

It’s not yet clear whether SmarterSelect has notified those affected by the breach, nor whether it has alerted the relevant state attorney general offices per data breach notification law. TechCrunch asked SmarterSelect for comment but did not immediately hear back.