Security Breaches

Follow Marin Events

• HomeUpFight a Foreclosure in CourtMarin Rents are the Highest in the USCut Child Poverty by HalfNeeded Gun Reform & Questions about guns in the United StatesTam School District to spend $450millionSave Santa Venetia from fireUSPS Petaluma replaced by OaklandWHAT ARE SPECIAL DISTRICTS2016 Election MeasuresABAG MTC Stifle DissentMarin's Law Suit against Fossil Fuel Corps.AB 2406 Junior Dwelling Unitsis a Marin Charter School being favored?Marijuana in MarinCut the Cord or just cut ComcastReverse MortgageNoisey NeighborSecurity BreachesSome ECLECTIC Shopping CatalogsMarin Bike Count - $28 Million WastedJohn Muir Transcription ProjectTRUE GOPHER STORYHigh Sierra LakesMill Valley Tree Fire Ordinance •
•  •

Why you should keep your debit card at home http://www.washingtonpost.com/blogs/wonkblog/wp/2014/02/06/heres-why-you-should-keep-your-debit-card-at-home 

Mathias Karlsson, an IT security researcher recently breached the security of popular password managers LastPass and reported the issue to the firm..  LastPass who fixed the flaw immediately and paid him $1000. In another case, Tavis Ormandy, a Google Security Team researcher exposed a message-hijacking bug that affected the LastPass Firefox addon.

2005 TJ Maxx, Marshalls 45 million credit cards
2009 Heartland Payment Systems 160 million
2011 SONY 100 million
2012 LinkedIn -- hundreds of millions of passwords
2013 160 million - JC Penney, 7-Eleven, Nasdaq, Dow Jones, JetBlue
2013 Global Payments 1.5 million
2013 JPMorgan Chase 465,000 http://www.zdnet.com/jpmorgan-chase-admits-network-hack-465000-card-users-data-stolen-7000023974/
2013 MySpace 360 million accounts
2013 Adobe 150 million,
2013 Target 40 million
2014 Michaels, SuperValu, Neiman Marcus and Sally Beauty
2014 Home Depot 56 million customer debit and credit cards,
2014 JPMorgan Chase compromised more than 76 million accounts. http://nyti.ms/YWHuf7  —via The New York Times
2014 Supervalu Inc. (SVU) and AB Acquisition LLC, the operator of the Albertsons supermarket chain.
2014 Sears Holdings Corp. (SHLD)’s Kmart -- Customer payment-card information was probably exposed
2014 Staples 1 million Credit Cards cardholder names, card numbers, expiration date, and verification codes. At 113 stores.
2014 YAHOO 500 million names, email address, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers. Did not include unprotected passwords  (Yet Yahoo is asking users to change passwords, and recommending anyone who hasn't done so since 2014) . Did not include information associated with payments or bank accounts. Yahoo waits till September 22 2016 to tell users to change their passwords!
2015 BlueCross, BlueShield  1.1 million names, birth dates, email addresses and subscriber information
2015 (discovered) Dec2013 - Apr2014, $1 billion cyberheist, 100 banks worldwide. Made fraudulent transfers and hijacked ATMs appear legitimate.
2015 Premera BlueCross BlueShield January 11.2 million subscribers - names, birth dates, Social Security numbers, bank account info, addresses & other info.
2015 password management company LastPass, email addresses, password reminders, user salts and authentication hashes.
2015 Army National Guard, Social Security numbers, home addresses and personal info of 850,000 National Guard members.
2015 Health Insurer Anthem 80 million patient and employee records. names, dob, SSNs, ID numbers, home addresses, email addresses, employment information, income data and more.....
2015 Government Office of Personnel Management, one of the biggest cyberattacks in history. 21.5 mil federal workers.
2015 Experian 15 million T-Mobile Customers Names, addresses, Social Security numbers, birthdates and driver's license numbers
2016 WENDYS Credit Cards in 1,025+ of its restaurants. A "service provider" had remote access to tills - Malware had been installed.
2016 AdultFriendFinder, Cams.com, Penthouse, Stripshow, and iCams.com -- 400 million usernames, emails, and passwords
2016 57 million Uber users around the world,  names, email addresses and mobile phone numbers,  driver’s license numbers of around 600,000 drivers in the US. (disclosed Nov 2017)
2017 Uber, Fitbit, OkCupid and 1Password are among Cloudflare’s millions of clients, and it’s possible that personal data such as passwords and cookies leaked
2017 Equifax - 143 million American's — Social Security numbers, birth dates and home addresses --disclosed Feb 2018: tax identification numbers, email addresses and drivers’ license information beyond the license numbers,
CONSUMER TIPS AND FAQ ABOUT THE EQUIFAX BREACH
2018 ORBITZ purchases made by 880,00 customers in 2016 and most of 2017 - names, addresses, phone numbers, and email addresses, as well as other personal information.
2018 Under Armour 150 million MyFitnessPal app accounts (earlier this year). usernames and email addresses
2018, Apr SAKS, Lord & Taylor 5 MILLION  debit and credit cards used in stores ( not online) over one million of these cards have been sold already on the DARK WEB (Apr 2nd). 
2019 Capital One  its data was encrypted, the attacker was able to decrypt it. (100 million people in the US, and 6 million in Canada): 2005-2019 names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,". 140,000 customers had their Social Security numbers stolen, and about 80,000 had their bank account numbers swiped.
Total of 23 days during 2016, 2017 and 2018: credit scores, credit limits, balances, payment history, contact information; fragments of transactions.
2019  7.9 billion, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed Wyze, Wawa, Facebook, LifeLabs, OnePlus, T-Mobile, Unknown, UniCredit, 7-Eleven, Web.com, Malindo Air, Novaestrat, Get, Hostinger, Suprema, CafePress, Poshmark, Capital One, QuickBit, Bulgaria, LA County, Maryland, NASA, Emuparadise, Labcorp, Quest Diag, Checkers Restaurants, Flipboard, Canva, First American, Chtrbox, Freedom Mobile, AMC Networks, Atlanta Hawks, Bodybuilding.com, Georgia Tech, Verificaions.io, Earl Enterprises, Federal Emergency Management Agency, Oregon, Gearbest, Dow Jones, Advent Health, 500px, Coffee meets Bagel, Dunkin Donuts, EyeSouth Parteners, Huddle House, Catawba Valley Medical, Houzz, Sleep Assocs, Alaska, Ascension, Various Online Betting, Graeters, BlackRock Inc., Collection #1, Oklahoma, Fortnite, Indiana, OXO, BenefitMall, DiscountMugs.com, BlankMediaGames, Blur
2019 Marriott some passport numbers and credit card information of up to 383 million guests.
2019 617 million accounts were culled from 16 websites and put up for sale on the dark web. Site owners Dubsmash, Armor Games, 500px, Whitepages and ShareThis
2019 An attacker held up to 15,000 Australian patients' files for ransom, unauthorized email access exposed 326,000 Connecticut patients' records, close to a million Washington patients' information was left exposed in an open database, and 2.7 million calls to a national Swedish health line were recorded and left out in the open.
2019 Facebook  540 million  users' names, IDs and passwords
2019 Indian government healthcare 12.5 million medical records of pregnant women
2019 First American Financial Corp hundred of millions of insurance documents
2019 Burger King 40,000 customers of its online kids
2019 bill collector American Medical Collection Association 20 million patients payment data, Social Security numbers, medical information, birth dates, phone numbers, addresses and more
2019 Capital One. 100 million credit card applications, 140,000 social security numbers and 80,000 bank account numbers -- including names, addresses, ZIP codes, phone numbers and birth dates.
2019  160 million MoviePass credit card data
2019 27.8 million UK biometric staff records held by the UK Metropolitan Police, banks and enterprise companies.
2019  218 million Words with Friends player accounts -- email addresses, names, login IDs and more
2019 20.8 million Ecuadorian Gov. user records -- birth data, marital status and national ID numbers, home addresses, children's information, phone numbers and education records.
2019 4 billion social media profile records , 1.2 billion unique people from two data enrichment companies
2019 Adobe exposed 7.5 million Creative Cloud customer records
2019 20 million Russian citizen tax records, from 2009 to 2016, were left sitting on an open database
2020 Microsoft: 250 million email addresses, IP addresses, and support case details. MOST of the records didn't contain any personal user information, unless your email address was "name surname @ emaildomain com" (instead of "name.surname@email.com").

That list is expected to grow even longer. The Department of Homeland Security warned that more than 1,000 U.S. retailers may have been infected with malware lurking in their payment systems.

http://finance.yahoo.com/news/why-credit-bureau-experian-data-214611551.html  http://www.pcmag.com/article2/0,2817,2474004,00.asp?mailingID=82C820B74C7C9369EE9D9317B6B0B744?mailing_id=1134846

http://finance.yahoo.com/news/target-40m-card-accounts-may-breached-115232188--finance.html
http://www.washingtonpost.com/business/technology/target-data-breach-affects-40-million-accounts-payment-info-compromised/2013/12/19/5cc71f22-68b1-11e3-ae56-22de072140a2_story.html

After I canceled the debit card ( with a $500 max) that I was using to pay Adobe -- I went out and bought a cash card to pay them instead.
Unless you REALLY need to run up debt -- anyone using a credit card in a store, these days, is just plain ignorant. Carry and use CASH .

Mandiant Consulting seems to be the go-to Security Consultant .

 SESSION RECORDING: " records visitors' keystrokes, mouse movements, and scrolling behavior in real time, even before the input is submitted or is later deleted." data being sent letter-by-letter as it is typed. The user’s full credit card number, expiration, CVV number, name, and billing address are leaked on this page. Email address and gift card numbers are among the other types of data leak

Corporations using  SESSION RECORDING: 100sp.ru, 101.ru, 24smi.info, 4game.com, 9111.ru, acs.org, adidas.com, adobelogin.com, akamai.com, alfabank.ru, anistar.me, apteka.ru, atlassian.com, atlassian.net, autodesk.com, aweber.com, banki.ru, bankier.pl, bankier.pl, bibliofond.ru, bitrix24.ru, blamper.ru, blizko.ru, boots.com, bose.com, britishairways.com, centurylink.com, chevrolet.com, cian.ru, coccoc.com, comcast.com, comcast.net, comodo.com, costco.ca, costco.com, crateandbarrel.com, crunchbase.com, currys.co.uk, depositphotos.com, deseretnews.com, deseretnews.com, dillards.com, disneystore.com, diy.com, doda.jp, dota2.ru, ebela.in, echosign.com, ee.co.uk, enterprise.com, eset.com, experian.com, express.de, faberlic.com, fandango.com, fastspring.com, finishline.com, flyfrontier.com, football.ua, forumhouse.ru, frontier.com, gap.com, giffgaff.com, gooool.org, hi.ru, hitfile.net, home.pl, hp.com, hpe.com, hse.ru, hsn.com, icims.com, ifunny.co, ihg.com, inmotionhosting.com, intel.com, iqoption.com, istockphoto.com, jizzbunker.com, kaspersky.com, kismia.com, kissmetrics.com, kolesa.kz, legalzoom.com, lenovo.com, lexisnexis.com, logitech.com, loveplanet.ru, meb.gov.tr, mongodb.com, mts.ru, nalog.ru, natwest.com, neimanmarcus.com, neimanmarcus.com, nest.com, ngs.ru, ning.com, nintendo.com, nn.ru, norton.com, novayagazeta.ru, ognyvo.ru, oldnavy.com, opera.com, petco.com, pipedrive.com, pipedrive.com, promodj.com, pulscen.ru, puma.com, qafqazinfo.az, redhat.com, rogers.com, rt.ru, rusvesna.su, rzd.ru, shaw.ca, shop.com, sky.com, sky.com, sky.it, smartinf.ru, spreadshirt.com, sputniknews.com, superjob.ru, symantec.com, telerik.com, telus.com, text.ru, the-village.ru, tiu.ru, t-mobile.com, tonkosti.ru, touchofmodern.com, toysrus.com, tradedoubler.com, trendingpatrol.com, trud.com, tsb.co.uk, tvigle.ru, tvrain.ru, ulmart.ru, utarget.ru, vedomosti.ru, vtb24.ru, wadi.com, westernunion.com, windows.com, wpengine.com, xfinity.com, yandex.by, yandex.ru, yoox.com,
 

Breaches where you're email will most likely be found

A "breach" is an incident where data has been unintentionally exposed to the public.

Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames

Anti Public Combo List (unverified): In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I been pwned.

Compromised data: Email addresses, Passwords

Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Compromised data: Email addresses, Passwords

Disqus: In October 2017, the blog commenting service Disqus announced they'd suffered a data breach. The breach dated back to July 2012 but wasn't identified until years later when the data finally surfaced. The breach contained over 17.5 million unique email addresses and usernames. Users who created logins on Disqus had salted SHA1 hashes of passwords whilst users who logged in via social providers only had references to those accounts.

Compromised data: Email addresses, Passwords, Usernames

Forbes: In February 2014, the Forbes website succumbed to an attack that leaked over 1 million user accounts. The attack was attributed to the Syrian Electronic Army, allegedly as retribution for a perceived "Hate of Syria". The attack not only leaked user credentials, but also resulted in the posting of fake news stories to forbes.com.

Compromised data: Email addresses, Passwords, User website URLs, Usernames

LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Compromised data: Email addresses, Passwords

MySpace: In approximately 2008, MySpace suffered a data breach that exposed almost 360 million accounts. In May 2016 the data was offered up for sale on the "Real Deal" dark market website and included email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt. The exact breach date is unknown, but analysis of the data suggests it was 8 years before being made public.

Compromised data: Email addresses, Passwords, Usernames

Trik Spam Botnet (spam list): In June 2018, the command and control server of a malicious botnet known as the "Trik Spam Botnet" was misconfigured such that it exposed the email addresses of more than 43 million people. The researchers who discovered the exposed Russian server believe the list of addresses was used to distribute various malware strains via malspam campaigns (emails designed to deliver malware).

Compromised data: Email addresses

Verifications.io: In February 2019, the email address validation service verifications.io suffered a data breach. Discovered by Bob Diachenko and Vinny Troia, the breach was due to the data being stored in a MongoDB instance left publicly facing without a password and resulted in 763 million unique email addresses being exposed. Many records within the data also included additional personal attributes such as names, phone numbers, IP addresses, dates of birth and genders. No passwords were included in the data. The Verifications.io website went offline during the disclosure process, although an archived copy remains viewable.

Compromised data: Dates of birth, Email addresses, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses

• Fight a Foreclosure in CourtMarin Rents are the Highest in the USCut Child Poverty by HalfNeeded Gun Reform & Questions about guns in the United StatesTam School District to spend $450millionSave Santa Venetia from fireUSPS Petaluma replaced by OaklandWHAT ARE SPECIAL DISTRICTS2016 Election MeasuresABAG MTC Stifle DissentMarin's Law Suit against Fossil Fuel Corps.AB 2406 Junior Dwelling Unitsis a Marin Charter School being favored?Marijuana in MarinCut the Cord or just cut ComcastReverse MortgageNoisey NeighborSecurity BreachesSome ECLECTIC Shopping CatalogsMarin Bike Count - $28 Million WastedJohn Muir Transcription ProjectTRUE GOPHER STORYHigh Sierra LakesMill Valley Tree Fire Ordinance •    
Questions or problems regarding this web site should be directed to Info@marincounty.info  
Last modified: Thursday February 22, 2024.