Category: breach

Sep 23 2015

OPM breach included five times more stolen fingerprints

5.2 million scans of this form, complete with fingerprints, are now in the hands of foreign intelligence. But don't worry, because the feds say there's very few ways the data can be "misused." (credit: FBI)

The Office of Personnel Management's press secretary Sam Schumach announced this morning that the breach of OPM background investigation data included approximately 5.6 million sets of fingerprints from federal employees, contractors, and other subjects of federal background checks. The new number, tied to the discovery of additional archived data that was stolen over the period of the breach, more than quintuples the amount of individuals whose fingerprint data were stolen. OPM's previous estimate stood at 1.1 million. However, the new findings do not increase the overall number of people affected in the background investigation data breach from 21.5 million, Schumach said in an official statement.

Those fingerprints were collected as part of the OPM's background investigations at all levels of sensitivity—ranging from the "National Agency Check with Written Inquiries" (NACI) inquiries for federal employees with "moderate, low risk and non-sensitive positions" to the full field investigations required for more sensitive positions. Based on leaked statements from the Obama administration, the fingerprint data is now, at a minimum, in the hands of the foreign intelligence services of China. Just how that fingerprint data could be used, however, is not clear.

"Federal experts believe that, as of now, the ability to misuse fingerprint data is limited," Schumach said. "However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area—including the FBI, DHS, DOD, and other members of the Intelligence Community—will review the potential ways adversaries could misuse fingerprint data now and in the future...[and] also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach."

Read on Ars Technica | Comments

Aug 24 2015

Ashley Madison offers $500,000 reward amid reports of member suicides

An international roster of police and private investigators are vowing to vigorously pursue the people who hacked the Ashley Madison dating website for cheaters, with the cheating site offering a $500,000 reward and appealing for help from hackers around the world.

The full-court press comes amid a report of at least two suicides of people whose personal information was included in the massive dump of account data for Ashley Madison, which carried the tag line "Life is short. Have an affair." It's too early to say if the exposures were the proximate reason the individuals took their lives, but the deaths were discussed during a press conference the Toronto Police Service held early Monday morning. Bryce Evans, acting staff superintendent, said the outing of so many people in committed relationships cheating on their partners crossed a line that could destroy lives and careers of millions of people around the world.

Wakeup call

He called on hackers around the world to provide tips to law enforcement agencies working to identify the people who thoroughly rooted the servers of Ashley Madison parent company Avid Life Media. He also said the investigation was being carried out jointly by his department, the Royal Canadian Mounted Police, the US Department of Homeland Security, the FBI, and others. Additionally, he said Avid Life Media has pledged a $500,000 reward for information leading to the identification of the people responsible for the compromise, who have dubbed themselves Impact Team.

Read 4 remaining paragraphs | Comments

Aug 19 2015

Ashley Madison hack is not only real, it’s worse than we thought

The massive leak attributed to the hackers who rooted to the Ashley Madison dating website for cheaters has been confirmed to be genuine. As if that wasn't bad enough, the 10 gigabytes of data—compressed, no less—is far more wide ranging than almost anyone could have imagined.

Researchers are still pouring over the unusually large dump, but already they say it includes user names, first and last names, and hashed passwords for 33 million accounts, partial credit card data, street names, and phone numbers for huge numbers of users, records documenting 9.6 million transactions, and 36 million email addresses. While much of the data is sure to correspond to anonymous burner accounts, it's a likely bet many of them belong to real people who visited the site for clandestine encounters. For what it's worth, more than 15,000 of the e-mail addresses are hosted by US government and military servers using the .gov and .mil top-level domains.

The leak also includes PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of proprietary internal documents. Also found: huge numbers of internal documents, memos, org charts, contracts, sales techniques, and more.

Read 5 remaining paragraphs | Comments

Jul 11 2015

Second PoC exploit for Adobe Flash Player discovered after the hackers-for-hire company breach

Yet another Adobe Flash Player zero-day discovered from the Hacking Team breach.