​​​​​​​​​​Instagram Warns Hack More Widespread Than Expected Darknet Database Markets 6 Million Stolen Email Addresses or Phone Numbers

Mathew J. Schwartz (euroinfosec) • September 5, 2017 

The popular social media app - owned by Facebook - first warned Wednesday that a hack attack appeared to have compromised some accounts of "high-profile users." It said an unspecified number of email addresses and phone numbers were stolen due to attackers "exploiting a bug in the Instagram API."

But on Friday, Instagram warned that the hack had affected more than just "high-profile users."

The email address - but not phone number - tied to the Instagram account for pop star Miley Cyrus is being offered for sale via Doxagram. (Source: RepKnight)

The API bug has been expunged. "We quickly fixed the bug, and have been working with law enforcement on the matter," Instagram CTO Mike Krieger said in a Friday blog post.

Instagram, however, says it does not know exactly how many of its 700 million monthly users may have had their personal details stolen or accounts hacked. "Although we cannot determine which specific accounts may have been impacted, we believe it was a low percentage of Instagram accounts," Krieger says.

But its estimate might be based on a darknet site that claims to be offering email addresses, and in some cases also phone numbers, tied to 6 million Instagram accounts.



Authentication Tools to Secure a Cashless Economy

Eric Chabrow (GovInfoSecurity) • September 1, 2017

A report on advances in authentication to secure a cashless economy leads the latest edition of the ISMG Security Report.

Also in the Security Report (click on player to listen), you'll hear:

HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee analyze the pending largest settlement ever of a data breach, and
ISMG Security and Technology Editor Jeremy Kirk report on several big-name IT companies collaborating to defang the botnet dubbed as WireX.

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our Aug. 25 and Aug. 29 editions, which respectively analyze Donald Trump's approach to cybersecurity during the first seven months of his administration and a novel way to fund the growth of the U.S. Cyber Command.

The next ISMG Security Report will be posted on Tuesday, Sept. 5.



Data breaches cost consumers billions of dollars

Jun. 5, 2013 at 12:37 PM

Data breaches are bad for business, but the resulting fraud can be devastating to the people who’ve had their personal information compromised.

A new report from Javelin Strategy and Research released on Wednesday concludes that a single massive data breach can result in “billions of dollars” in consumer fraud losses. 

Some of these crooks want credit or debit card numbers because they can instantly buy things.

Identity thieves want Social Security numbers that can be used to “take over” existing financial accounts or open new ones in the victim’s name. That’s why the losses are higher when there’s an account takeover: $5,100 on average compared to $1,600 for a stolen credit or debit card.

Hackers were after Social Security numbers when they attacked the South Carolina Department of Revenue last year. They got 3.6 million of them. Javelin puts the total loss from this fraud at $5.2 billion dollars, making the breach one of the most costly ever.

average fraud victim in this case will spend $776 out of pocket and take 20 hours to resolve their problems, the report estimated.

“When a Social Security number is compromised, it can haunt you for years to come,” said Karen Barney with the Identity Theft Resource Center, a non-profit that helps victims of ID theft. “You’re always on alert and you have to be constantly vigilant.” "



 "Nuclear breach opens new chapter in cyber struggle

Blake Sobczak and Peter Behr, E&E News reporters Energywire: Tuesday, June 27, 2017

U.S. authorities are investigating a cyber intrusion affecting multiple nuclear power generation sites this year, E&E News has learned.

There is no evidence that the nuclear energy industry's highly regulated safety systems were compromised. But
anycybersecurity breach — targeted or not — at closely guarded U.S. nuclear reactors marks an escalation of hackers' probes into U.S. critical infrastructure.

Electricity-sector officials confirmed yesterday that they are working to unpack the significance of the secretive cyber event, code named "Nuclear 17."



"The History of Data Breaches

As the wave of data breaches continues to roll on, we take a look back at some of the largest and most damaging data breaches on record. Read on for a historical walk through breaches over time as well as resources for preventing data breaches..."    https://digitalguardian.com/blog/history-data-breaches


Homeland Security starts with Hometown Security


"DHS provides free tools and resources to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure. The Department encourages businesses to Connect, Plan, Train, and Report. Applying these four steps in advance of an incident or attack can help better prepare businesses and their employees to proactively think about the role they play in the safety and security of their businesses and communities." DHS states:

"CONNECT: Reach out and develop relationships in your community, including local law enforcement. Having these relationships established before an incident occurs can help speed up the response when something happens. 

PLAN: Take the time now to plan on how you will handle a security event should one occur. Learn from other events to inform your plans. 

TRAIN: Provide your employees with training resources and exercise your plans often. The best laid plans must be exercised in order to be effective.  

REPORT:  'If You See Something, Say Something™” is more than just a slogan. Call local law enforcement.' " 


Hacking Critical Infrastructure is Accelerating and More Destructive

 "A new report released this week by Trend Micro and the Organization of American States (OAS) shows a dramatic increase in cyberattacks directed against critical infrastructure owners and operators.

Trend Micro threat researchers are seeing malware-based attacks on critical infrastructure, disguised as both actual SCADA applications and malware used to scan and identify specific SCADA protocols. Governments and organizations who manage CI are becoming a prime target of threat actors with increases in both volume and sophistication of attacks. The need for public-private partnerships (PPPs) is critical moving forward to ensure both governments and the private industry are ready to manage future attacks."



Is protected health information safe in the cloud?
May 18, 2017May 19, 2017AuthorCIP Review

"Many healthcare providers face the decision on if they should store protected health information (PHI) in the cloud. There are benefits and concerns to storing PHI in the cloud, and the decision to do so should be analyzed.

PHI is any health-related or insurance payment information that is stored or managed by a healthcare provider that can identify a specific individual. Examples of PHI are patient names, addresses, Social Security numbers, X-ray images, lab results, insurance payment information and medical records. Even information about a patient’s planned future procedures is PHI. Government regulation of PHI is covered in the HIPPA Privacy Rule, and all healthcare providers in the United States must adhere to it or face fines.

PHI data is some of the most valuable data on the black market. Many hackers prefer PHI data over standard credit card data due to the amount that they can earn through health insurance fraud. With many banks having limits on account transfers or alerts for frequent transactions, bank account, and credit data has become even less attractive.




Securing America's Critical Infrastructures