Search This Blog

Showing posts with label User Privacy. Show all posts

Dutch Government Loses Hard Drive Containing Data of 6.9 Million Donors


Officials from the Dutch Ministry of Health, Wellness, and Sport confirmed this week that the government has lost two external hard disk storage devices that contained electronic copies of all donor forms filled with the Dutch Donor Register between February 1998 to June 2010, it was used to store personal information such as the first and the last name, date of birth, ID card numbers, address while filling the form, gender, copy of signatures and choice of organs being donated of about 6.9 million organ donors.

It was when authorities decided to sweep out old donor registration paper forms and wanted to get rid of electronic copies of all these donor forms, they discovered that the two aforementioned disks are nowhere to be found. There have been no comments made onto the encryption of data, it's not in public knowledge that whether the data was encrypted not.

The disks were last accessed almost four years ago and were put securely inside a safety vault for keeping a record, as per the statements given by the Dutch Donor Register, the hard disks were no longer to be found in the security vault and are still unaccounted for. Reportedly, the data stored into the disks belonged to over 6.9 million Dutch people – a few out of whom may no longer be alive, as per the authorities.

Although there is no proof regarding the data being stolen or misused by anyone, officials claimed that the lost donor forms do not consist of Dutch ID copies and other official documents of the people of Dutch which automatically reduces the likability of fraud or an identity theft taking place amid the incident of lost hard drives. The Minister for Health, Wellness, and Sport confirmed that the event did not affect the Donor Register's ability to deliver accurate donor data.

Facebook Sues Data Analytics Firm for Improperly Harvesting User Data


On Thursday, Facebook filed a federal lawsuit in California Court against OneAudience, a New Jersey-based marketing firm mainly involved in data analytics. The social media giant claimed that the firm was paying app developers to secretly harvest its users' data by getting an infectious software SDK installed onto their apps. The SDK was planted in various gaming, shopping, and utility-type applications available to download from the Google Play Store, as per the court documents.

A software development kit also known as SDK is a downloadable collection of software development tools used for developing applications. It consists of the basic tools a developer would require to build a platform-specific app with ease and excellence. In other words, SDK basically enables the programming of mobile applications. However, these packages have their drawbacks too as they also contain tools like trackers and it collects information about devices and app usage to send it back to the SDK maker.

Facebook alleged in the lawsuit that OneAudience has blatantly misused the feature "login with Facebook" to acquire unauthorized access to sensitive user data without any permissions. OneAudience has also been accused of paying apps to gain access to users' Twitter and Google data when they log into the infected apps using their account info.

"With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook remarked.

Earlier in November 2019, social media giants Twitter and Facebook told that OneAudience collected private user information and the incident left hundreds of users affected as their privacy was compromised when OneAudience illegally collected their names, email addresses, usernames, genders and latest posts through SDK.

While commenting on the matter, Jessica Romero, Director of Platform Enforcement and Litigation, said "Facebook's measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate."

"This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users," she further added.

SoPo Nonprofit Told, Unknown Number of Clients Affected by Data Breach


A South Australian company, PSL Services, also known as Peregrine Corporation involved in the operation of service stations, convenience retail outlets and tobacconists recently disclosed a data breach to Mainebiz.

The company administered from its head office in Kensington Park, South Australia told that personal data of its employees including their names, email accounts, some medical information along with other sensitive information may have been accessed illegally between December 16 and December 19, 2019. Other information accessed without authorization includes address, DOB, Driving License Number, Social Security Number and Identifying Numbers of clients for participation in Mainecare.

There have been no speculations made by the corporation as to who is behind the public breach of its confidential data, however, the officials told in an email that there are chances that the criminal behind the incident was trying to force the agency in sending funds electronically which they did not.

Post-incident, the company was subjected to back to back investigations and it refused to specify the number of employees being affected. PSL did not provide other details regarding the incident such as whether the individuals were clients, employees, family members or others. As per some news releases, PSL came to know about the breach on 17th December after some suspicious activity was observed in an employee's email account, it immediately reported the same to its information services department.

The corporation told that it had “notified the Office of Civil Rights at U.S. Department of Health and Human Services, the Maine Attorney General, and prominent news media outlets throughout the state of Maine."

Referencing from the statements given by Lori Sanville, executive director, “The contents of a small number of email accounts were exposed,”

“The number is unknown until the data mining is completed. We will then contact anyone affected.”

In regard of the same incident, PSL also contracted with a cybersecurity vendor to further investigate the matter and come up with security measures, as per Sanville. In addition, she told Mainebiz, “We want our clients and the community to know that we take this matter very seriously and that we remain committed to assisting our clients first and foremost."

Avast Antivirus Harvested Users' Data and Sold it Google, Microsoft, IBM and Others



Avast, a popular maker of free anti-virus software being employed by almost 435 million mobiles, Windows and Mac harvested its users' sensitive data via browser plugins and sold it to third parties such as Microsoft, Google, Pepsi, IBM, Home Depot, and many others, according to the findings of an investigation jointly carried out by PCMag and Motherboard.

As per the sources, the investigation basically relied on leaked data; documents used to further the investigation belonged to Jumpshot which is a subsidiary of Avast. The data was extracted by the Avast anti-virus software itself and then repackaged by Jumpshot into various products which were sold to big companies as the report specified, "Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others."

"The sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it," other company documents found.

Allegedly, Avast has been keeping a track of personal details such as exact time and date when a user starts surfing a website, the digital content being viewed by him and his browsing and search history. As per the findings, the information sold by Jumpshot includes Google Maps searches, Google search engine searches, YouTube videos viewed by users, activity that took place on companies' LinkedIn handles and porn websites visited by people. The data contained no traces of personal information of people like their names or email addresses, however, the investigators at Vice pointed out how the access to such precise browsing data can potentially lead back to the identification of the user anyway.

When the investigation reports were made public, Jumpshot stopped receiving any browsing-related data harvested by extensions as Avast terminated the operations, however, currently, the popular anti-virus maker is being investigated for collecting user data asides from browser plug-ins.

While Google denied commenting on the matter, IBM told Vice that they have no record of dealing with Avast's subsidiary, Jumpshot. Meanwhile, Microsoft made it clear that at present they are not having any relationship with Jumpshot.

Google Releases Chrome 79, Warns Users of Data Breach


Tech giant Google has issued warning of data leak for Indian and global users, after fixing Chrome 79 bug and re-issuing it later this week. Users were being sent notifications by the company via affected websites– through the means of pop-up alerts that started to appear on desktops, mobile phone screens and laptop screens; it forced users into reading the text which said that their passwords may have been exposed and hence they should change it immediately – "Change your password. A data breach on a site or app exposed your password. Chrome recommends changing your password for the site," the warning pop-up read.

As per sources, a bug affected data in select Android applications and Google had put on hold the release of Chrome 79. It was finally this week, Google's Chrome Releases blog confirmed the rollout of Chrome 79 for desktop and mobile platforms; Chrome 79 (79.0.3945.93) for Android comes with a fix for the WebView flaw and an assurance of improved defense against issues revolving around password protection of users.

According to the reports by media, the fix, "Resolves an issue in WebView where some users' app data was not visible within those apps. The app data was not lost and will be made visible in apps with this update."

WebView is a feature which is employed by various third-party applications to open a webpage, it ensures rendering of webpages within applications. However, here, Google Chrome is solely responsible for loading the content. PhoneGap and Twitter Lite are two apps that employ WebView functionality, as per AndroidPolice.

There have been various instances recorded in regard of the matter, nationally and globally, one such incident had a user trying to log into an e-commerce platform named 'Freshtohome' to shop fresh and chemical-free seafood as he received a pop-up warning him about the issue and advising to change his password.

In a similar manner, when one of India's media houses attempted to log into their portal, were faced with disruption and warnings began to pop-up onto the screen advising them the same.

In a public statement issued on Google threads, a Chromium engineer explains, "We are currently discussing the correct strategy for resolving this issue which will be one of: a) continue the migration, moving the missed files into their new locations. b) revert the change by moving migrated files to their old locations. We will let you know which of these two options have been chosen soon."

xHelper: A Non-Destructive Malware that has Affected 45,000 Android Devices


A new Android trojan tension has become a headliner after darting upon the detector of several cyber-security firms and disturbing the smartphone users, because of its re-installing peculiarity that has become a headache. The malware was located in March for the first time but it gradually developed to affect the android phones.


Hot as xHelper, it is a unique malware that has been detected by antivirus corporations. xHelper is quite dangerous as it has a self re-install origin, a process that makes it very difficult to eliminate from Android gadgets. The Trojan is said to have corrupted around 45,000 devices. "Every day, 131 different devices are corrupted, whereas, 2,400 devices are being affected every month," says Symantec, a cybersecurity company. Eliminating the xHelper assistance from your Android device is useless as the malware re-establishes itself despite the user completing a factory reset.

In the conclusion of a story, the Trojan provides for popup ads on devices simultaneously beside spams. These popup notices make profits for the bodies responsible for the deed. Also, the trojan-infected android devices are required to install various apps from the Google Play Store, once the damage has been done. The malware secures profit in the scheme of pay-per-download payments, once the application is installed on the android phone.

But it appears that the Trojan does not perform any lethal actions on the device. "xHelper is only confined to interfering popup ads and spams, it doesn't possess any severe threat to the device" claims the reports of Symantec and Malwarebytes. Besides, excluding the xHelper assistance from the Android OS devices won't do any relief as the malware re-fixes itself despite the user restoring the phone to factory reset settings. The matter of concern, though, is the point that android device users have been notified that while xHelper is momentarily only confined to popups, spams, and ads, it can, however, install different applications, which could extend a secondary degree trojan threat that can steal sensitive data such as personal information and banking credentials of the users.

A New Malware that steals Personal Information via Discord App


Hey there, all the gamers and tech freaks. Beware! A new malware is coming right at you. Also known as 'Spidey Bot' by its researchers, this malware is quite dangerous as it can take all your personal information such as passwords, IP addresses, emails, contacts, and Discord usernames. The Windows Malware does this by inserting itself into the Discord app's cipher.


As if this wasn't enough, the malware can also get a backdoor entrance into your device by copying the first 50 letters typed in your keyboard which may contain critical information such as recently used passwords. This is done in order to get more malware fixed in your device. Discord is an application that is specifically designed for the video gaming community. It is also a digital platform where various PC gamers from across the world can connect and form a community of their own.

Lately, Discord has also become an ideal platform for users who have been thrown out from Twitter and Reddit for their peculiarly offensive comments; hence they are free to express their thoughts here. Sadly, you won't be able to grasp if your Discord file is affected, and even if you do, you can't do anything much about it. The best you can do is remove the software and then reinstall it to confirm that you are safe. Therefore, having the best antivirus is the only solution to prevent your computer from malware threats. Even the software company Discord is helpless in countering to user problems.

"Unluckily, there's nothing any Discord can do to anticipate threats here. Still, the user should be careful while clicking on unknown links and should be critical of downloading unfamiliar software. Doing so can invite Malware to your system. Installing an untrusted program can alter your Discord on your PC," tweeted Discord in response to user complaints. This is not the problem with the language but it's on the user end. The only alternative solution to this Malware threat is by telling the user to access the Discord app via their phones and gaming consoles instead of your computers.

Twitter Used Phone Numbers and Email Addresses Provided for Security to Target Ads


Twitter, on Tuesday, admitted using phone numbers and email addresses of users provided for the purpose of enhancing security via two-factor authentication to serve target ads.

However, sensitive user data has not been shared with the company’s third-party partners and the issue which stemmed the incident has been taken care of; now the phone numbers and email addresses are only asked for security purposes, according to Twitter.

Last year, Facebook was caught for engaging in a similar practice where the phone numbers and email addresses provided by the users to make their accounts more secure were used by the social media giant to target ads, as per the Federal Trade Commission (FTC).

In the wake of the breach, Twitter received widespread criticism for compromising its users' privacy. The fact that user security has been violated through a framework that was intended to rather strengthen it, further fuelled the public reproval. Although the company did not intend to use sensitive user data for the purpose of ad targeting, one can’t deny that the platform was practicing the aforementioned without the knowledge of its users. Moreover, it took the company almost a month to disclose the information.

Putting what Twitter called as an 'error' into perspective, it wrote in a post on its Help Center website, “Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)."

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes." The company added.

Remarking data (here) as a liability, Duruk, a human-computer interface expert, wrote “Phone numbers stored for 2FA end up in advertising hellhole. The more you accrue, the more someone inside your org will find a way to abuse it.”

Apologizing for the inadvertent mistake, Twitter further wrote, "We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again."

Oyo Leaves Customers’ Confidential Data Unprotected Due to a Security Flaw



The world’s third-largest and fastest-growing hospitality and homestay chain, Oyo is reportedly leaving its customer data unprotected, which makes it vulnerable to a breach due to a flaw found in its security systems. A cybersecurity researcher, Jay Sharma, who used Oyo for the first time in his life, found a loophole in the service which was exposing confidential information of the customers availing the service.

Founded in 2013 by 25-year-old, Ritesh Agarwal, Oyo has confirmed the presence of security flaw in an email to the cybersecurity researcher who took to the professional networking site, LinkedIn to share his first time experience with the service and sent the report of the same to the company’s Cyber team on 22nd of August. The data at risk included booking IDs, contact numbers, the date of the booking, the number of people staying in the room and location.

Sharma was offered a bounty reward of Rs. 25,000, which is the increased amount after the officials, reviewed the severity involved, the initial amount offered was Rs. 5000.

Sharing the insights of the experience and the details of the vulnerability, Jay wrote on LinkedIn, “I used Oyo for the first time in my life, and once I checked in, it was compulsory to enter booking ID and phone number to access the Wi-Fi”, “Why should anybody in the room be forced to share personal information via OTP (one-time-password) verification to use Wi-Fi?”

“I researched more and found that the HTTP & Ssh ports were open with no rate limit for the IP which was hosting this. Captcha was a 5 digit number generated by math.random(). I created a way to brute force the login credentials while executing the captcha.”

“Once login was brute-forced all the historical data dating back to a few months was accessible. The booking IDs and phone numbers related to these IDs with timestamps were stored naked and all of it could be downloaded by parsing HTML using python scripts.” He wrote.

Jay further warned the customers not to log in and “wait till OYO announces officially that they have fixed this issue” as “all the properties which use this login are vulnerable.”

Commenting on the matter, the company, headquartered at Gurugram, said “Oyo provides safe and secure hotels to unmarried couples. Most Oyo hotels allow unmarried couples and accept local IDs; they have well-trained staff who ensure safety and privacy,”

“Any vulnerability, no matter how limited-time or small is taken very seriously and looked into,” a spokesperson told in a statement.

Google about to Roll Out One of the Most Awaited Features



In 2018, Google broke headlines for tracking its users location even after they disabled the sharing of location history via their privacy settings.

There were complaints against the company, stating, "Google represented that a user ‘can turn off Location History at any time. With Location History off, the places you go are no longer stored.’ This simply was not true."

In the wake of receiving intense criticism over location history, Google came up with necessary adjustments which now allow users to stop the tech giant from tracking them, except for the applications in which location data is of utmost importance such as Waze and Google Maps.

In an attempt to make Google Maps even more secure and trustworthy, the company added enhanced security features related to location privacy in Android 10; to further better the services and regain the lost user trust, Google is planning to add Incognito Mode to Google Maps and the feature is said to be in testing.

Users can always put restrictions on the location data collected by Google Maps by signing out of their Google account, but it will come at the cost of their convenience, therefore, Google is planning to introduce Incognito Mode which can be turned on by the users in the same way they do it for Youtube or Google Chrome to delink the search or navigation data from their main Google account.

In order to activate Incognito Mode, users can simply choose the option from their Google account avatar and they will be informed about the app being in incognito mode by a black status bar and the marker indicating the location will turn into dark from blue to mark the change.

To enable the feature, users are recommended to install Preview Maps version 10.26 or higher and for those who are not a part of Preview Maps test group, wait until the company releases it on a wider scale.


Apple Apologises To Siri Users for “Not Fully Living Up To Their High Ideals”




Apple apologizes to Siri users for not 'fully living up to their ideals' as well as enabling temporary workers to tune in to voice recordings of Siri users so as to review them.

The announcement was made after a review of the grading programme was finished, which had been triggered to reveal its existence with the help of a Guardian report.

 “As a result of our review, we realise we have not been fully living up to our high ideals, and for that we apologise, as we previously announced, we halted the Siri grading program. We plan to resume later this fall when software updates are released to our users.” Apple said in an unsigned statement posted to its website.

The company committed to three changes to the way Siri is run after it resumes the grading programme:
  • It will no longer keep audio recordings of Siri users by default, though it will retain automatically generated transcripts of the requests.                                                                                
  • Users will be able to opt in to sharing their recordings with Apple. “We hope that many people will choose to help Siri get better,” the company said.                                                                        
  • Only Apple employees will be allowed to listen to those audio samples. The company had previously outsourced the work to contracting firms. Over the past two weeks, it has ended those contracts, resulting in hundreds of job losses around the world.


In the past six months, almost every significant producer of voice-assistance technology has been 'revealed' to have been operating human-oversight programs, having run them in discreetly for a considerable length of time. Many out of them have sworn in to change their frameworks.

Amazon was the first to have been identified, then came along Google and Microsoft, with the former pledging to review its safeguards and the latter updating its privacy policy.

Older Lenovo users uninstall Solution Center soon

Owners of older Lenovo laptops need to uninstall the Lenovo Solution Center as soon as possible. 

Security researchers at Pen Test Partners found a critical vulnerability in the Lenovo Solution Center that could hand admin privileges over to hackers or malware.

According to Pen Test Partners, the flaw is a discretionary access control list (DACL) overwrite, which means a low-privileged user can sneak into a sensitive file by exploiting a high-privileged process. This is an example of a "privileged escalation" attack in which a bug can be used to gain access to resources that are normally only accessible to admins.

In this case, an attacker could write a pseudo-file (called a hard link file) that, when run by Lenovo Solution Center, would access sensitive files it otherwise shouldn't be allowed to reach. From there, damaging code could be executed on the system with administrator or system privileges, which is basically game over, as Pen Test Partners notes.

Lenovo Solution Center is a program that was preinstalled on Lenovo laptops from 2011 up until November 2018, which means millions of devices could be affected. Ironically, the program's purpose is to monitor the health and security of a Lenovo PC. While this flaw isn't such a big concern for individual users who can quickly protect their systems, larger companies who own a fleet of older ThinkPad laptops and use legacy software might be slow to react.

For its part, Lenovo published a security statement warning users about the bug and urging them to uninstall Solution Center, which the company no longer supports.

"A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018," reads the statement.

New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."

RBI AnyDesk Warning; here's how Scammers Use it to Steal Money



In February, Reserve Bank of India (RBI) issued warning regarding a remote desktop app known as 'AnyDesk', which was employed by scammers to carry out unauthorized transactions from bank accounts of the customers via mobile or laptop.

In the wake of RBI's warning, various other banks such as HDFC Bank, ICICI Bank and Axis Bank along with a few others, also issued an advisory to make their customers aware about AnyDesk's fraudulent potential and how it can be used by the hackers to steal money via Unified Payments Interface (UPI).

However, it is important to notice that Anydesk app is not infectious, in fact, on the contrary, it is a screen-sharing platform of extreme value to the IT professionals which allows users to connect to various systems and mobiles remotely over the internet.

How the Scam Takes Places? 

When a customer needs some help from the customer care, he gets in touch via a call and if he gets on line with a scammer, he would ask him to download AnyDesk app or a similar app known as TeamViewer QuickSupport on his smartphone.

Then, he would ask for a remote desk code of 9-digit which he requires to view the customer's screen live on his computer. He can also record everything that is been shown on the screen. Subsequently, whenever the victim enters the ID and password of his UPI app, the scammer records it.

Users are advised not to download AnyDesk or any other remote desktop applications without fully understanding their functioning.

You should also be highly skeptical of the additional apps that customer support executives may ask you to download as besides fraudsters, no one asks for codes, passwords or any other sensitive information.

Student Uncovers Flaw in Education Software Exposing Data of Students



A high school senior in Lexington, Massachusetts discovered two vulnerabilities in software programs employed by his school which could have potentially affected the student data of around 5 million students.

Billi Demikarpi is a teen hacker who developed a penchant for hacking when he was in the freshman year and subsequently uncovered serious security flaws in two education programs, Aspen and Blackboard.

Reportedly, the probable consequences of these vulnerabilities would have been more disastrous than those San Diego Unified School District faced after the massive data breach that put to risk the data of more than 500,000 students along with the staff of the school.

The information that could have been exposed via the Aspen vulnerability includes details of bus routes, birthplaces, special education status, number of reduced or free lunches and suspensions.

It could have been exploited by the hacker to gain access to the data on the website after entering his own script as the Aspen website lacked the filters which other websites usually contain in order to reject hacker requests.

According to the statements given by both the companies, no one has exploited the security flaws besides Billi, who only accessed the information about himself and of a friend's whom he took consent from before doing so.

While sharing  his experience, Demirkapi said, “These companies say they're secure, that they do audits, but don't take the necessary steps to protect themselves from threats.”


Capital One Data Breach, Hacker gets Access to 100 Million Accounts


A massive data breach to Capital One servers compromised the personal details of an estimated 106 million bank customers and applicants across Canada and the US.

The suspected hacker, Paige Thompson, 33, has been arrested by FBI on Monday. She has shared details about the data breach on a GitHub page earlier in April, according to the criminal complaints.

Thompson broke into a Capital One server and illegally acquired access to customers' names, addresses, credit limit, contact numbers, balances, credit score, and other related data.

According to the documents, the 33-year-old, Seattle resident gained access to 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and 140,000 Social Security numbers.

Thompson who had previously worked with Amazon Web Services as a software engineer was able to access the data by exploiting a misconfigured web application firewall in company's infrastructure, as per a court filing.

Despite the magnitude of the breach, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company told.

Expressing concern over the matter, Chairman Richard Fairbank, said, "While I am grateful that he perpetrator has been aught, I am deeply sorry for what has happened.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he assured.

Meanwhile, the company is notifying the victims and aiding them with identity protection and free credit monitoring.



WhatsApp, Telegram Data Stored on Phones is Vulnerable to Cyber Attacks



The data saved by users onto their devices through social messaging apps, Whatsapp and Telegram is vulnerable to cyber attacks and can be exploited by malware with access to external storage, as per the security researchers at Symantec.

End-to-end encryption prevents user data from being read or secretly modified, it led users into believing that their communication is highly secured and their conversations are protected against being accessed by third-party apps. However, the findings at Symantec have made users reconsider the whole idea of data protection via encryption.

The media exchanged on WhatsApp and Telegram gets stored in either of the two storages, external or internal. Now, if the data is stored in the victim's external storage and the malware enters his mobile device, it is configured to gain easy access to these saved files and exploit it subsequently. Moreover, the malware can acquire access to this data even prior to the users, according to The Verge.

After examining the issue, WhatsApp released statements telling that the corresponding updates are under progress with Android's ongoing development.

Referencing from the statements given by a WhatsApp spokesperson, “WhatsApp has looked closely at this issue and it’s similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android’s ongoing development,”

"WhatsApp follows guidelines from Android including: 'You should use external storage for user data that should be accessible to other apps and saved even if the user uninstalls your app, such as captured photos or downloaded files.' We store files in the same manner as other messaging apps (like Viber), email (like Gmail), and file storage apps (like Dropbox)," he added.

Commenting on the upcoming Android update, he informed, "The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared."

HDFC Bank Issues Warning Against a New Online Scam: Here's What you Should Know!



HDFC Bank has sent out a warning to its online banking users about a scam carried out by an app known as AnyDesk which is used by hackers for stealing money through unified payments interface (UPI). The main objective of the scam is to acquire unauthorized access to a victim’s mobile and carry out illegal transactions without any knowledge of the account holder.

In February, Reserve Bank of India (RBI), said, ‘AnyDesk’ have the ability to acquire complete access to users mobile devices which is exploited by hackers to steal their money via making transactions remotely. AnyDesk is a remote device control app which allows the remote controlling of devices.

Bewaring the customers, the bank has issued an official mailer concerning the matter and further warned its users that hackers attempt to access their account related confidential information such as OTP, PIN, expiry date, debit card details, and other sensitive data which is required for the purpose of authentication during transactions.

To ensure the safety of its users, HDFC Bank advised them against sharing their confidential data with anonymous callers and in order to keep their bank balance fortified, they should avoid downloading any apps onto their smartphones.

Commenting on the matter, the bank said, "Beware! Fraudsters may ask you to download AnyDesk App and share a 9-digit code which gets them access to your phone to steal money. Do not share your card details / OTP / PIN with anyone and report any unusual activity immediately to the bank.”


EA Origin Security Flaw Exposed over 300 Million Gamers to Account Takeovers



In the wake of the discovery of an EA based vulnerability, EA origin has been forced to re-examine its module for security and safety as the flaw could have potentially exposed millions of gamers to account takeovers.

As per the findings and research of specialists at Check Point and CyberInt, the vulnerability affected over 300 million gaming enthusiasts playing online games namely FIFA, Madden NFL, NBA Live and Battlefield.

The vulnerability relied on an alternate authentication method known as, Access Tokens which are like passwords; by stealing a Single Sign-On authorization token, the security flaw would have given complete authority into the hands of the hackers, who further would have been able to hijack player's accounts without needing the login or password.

Stealing 'Access Tokens' can be a bit more complex than stealing passwords, however, it still is possible. It's because users have been enlightened against providing passwords on dubious websites, hackers now resort to accessing access tokens rather than the passwords. Moreover, it can be carried out behind the scenes without needing any active participation from the user.

On Wednesday, commenting on the matter, Oded Vanunu, head of products vulnerability research for Check Point, told, "EA's Origin platform is hugely popular, and if left unpatched, these flaws would have enabled hackers to hijack and exploit millions of users' accounts,"

Referencing from the statements given by Alexander Peleg in an email in the regard, "We had the vulnerabilities under control so no other party could have exploited them during the period it took EA to fix," 

Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.