Monday, July 09, 2018

Probably email addresses, not the emails. Note that they immediately identified a more secure method for authenticating their Admins. Why didn’t they use that from the beginning?
Timehop Security Breach Affects the Company’s Entire 21 Million Userbase
Timehop, a mobile app that surfaces old social media posts from the same day but from previous years, has announced a security breach affecting its entire userbase of over 21 million users.
Not all users were affected to the same extent. The company said a hacker gained access to its infrastructure and stole details on its users that included usernames, emails, telephone numbers, and access keys.
Timehop says that not all users had an email address or phone number attached to their account.
… Further, not all usernames contained users’ real names.
Nonetheless, the hacker stole the access keys for all 21 million users. These access keys link the Timehop account to various social media accounts from where Timehop pulls older social media posts and images.
… The company said it is now working with law enforcement and cyber-security firms to track down the intruders and secure its infrastructure.
According to preliminary evidence from the investigation, the intrusion took place on December 19, 2017, when a hacker gained access to an admin account for Timehop’s cloud infrastructure. Timehop says it failed to secure that account with multi-factor authentication, making the attack possible.
… The hacker logged into this account on four separate days in December 2017 and March and June 2018, during which it carried out reconnaissance operations.
The intrusion went undetected until July 4, when the intruder started exfiltrating the company’s database. Timehop says it detected the operation and cut off the hacker’s access two hours and nineteen minutes later.
The company said it now secured all accounts with multi-factor authentication to prevent further intrusions.

Another side of identity theft.
Oprah, Is That You? On Social Media, the Answer Is Often No.
Kip Moore, a country music singer-songwriter with hits like “Beer Money” and “Hey Pretty Girl,” has had some disturbing experiences with fans lately.
At some shows, women have approached him demanding to know why he stopped chatting with them on Instagram or Facebook. Some said they left their husbands to be with him after he said he loved them. Now they could be together, the women told him.
“They’re handing me a letter, you know, ‘Here’s the divorce papers. I’ve left so and so,’” Mr. Moore, 38, said. “If I check my inbox right now, I’d have hundreds of these messages. But I try not to check it, because it disheartens me.”
Mr. Moore, fueled by his country music fame, is a victim of what has become a widespread phenomenon: identity theft on social media. Recent searches found at least 28 accounts impersonating him on Facebook and at least 61 on Instagram. Many of the accounts send messages to his fans promising love and asking for money. Those who get duped often direct their anger at the real Mr. Moore.
… To get a sense of the scale of the problem, The New York Times commissioned an analysis to tally the number of impersonators across social media for the 10 most followed people on Instagram, including Beyoncé and Taylor Swift. The analysis, conducted by Social Impostor, a firm that protects celebrities’ names online, found nearly 9,000 accounts across Facebook, Instagram and Twitter pretending to be those 10 people.

I may ask my students to read and analyze one of the privacy policies they have already agreed to.
How to Read Long Privacy Policies the Easy Way
the quint: “So once I tried reading the privacy policy of a company and post that the process ran its natural course. There were parts I felt were absolutely inconsequential and the excessive use of jargon resulted in me giving up and ultimately clicking “I Agree”. I’m sure it’s just not me and almost 90 percent of people who use these websites and services don’t even read the privacy policy. I get it! You don’t have the time to go through a 2,500-word-long document. And, of course, the language used is a bit convoluted and filled with legalese. Since data privacy policy holds some key information, many companies try to eschew critical information in order to sell the data to ad companies. The introduction of GDPR has instilled a certain amount of fear among such companies, but still users don’t find validity in reading the whole policy. So, is there an easier way to extract the important bits of a privacy policy without diving into its extraneous side? Maybe this can help…”

Trying to understand…
Law Review Article – Carpenter v. United States: Big Data is Different
Carpenter v. United States, 585 U.S. ___ (2018) (Roberts, C.J.). Response by Margot E. Kaminski, Geo. Wash. L. Rev. On the Docket (Oct. Term 2017). Slip Opinion | SCOTUSblog
“A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts’s opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law.”
