Earlier this week, T-Mobile confirmed a data breach that affects at least 48 million people, a number that could still rise as the company continues its investigation. The data set contains particularly sensitive information like social security numbers, driver’s license details, and reportedly even the unique IMEI numbers associated with each smartphone. Not only that, but the vast majority of victims in the breach so far aren’t even T-Mobile customers; they’re instead former or prospective customers who at some point applied for credit with the carrier. A class action suit has already been filed although the arbitration clause in T-Mobile customer agreements may be a hurdle in the road to restitution.
We also took a look at worrisome vulnerabilities in ThroughTek Kalay, a software development kit for a platform that powers tens of millions of video internet-of-things devices. That means baby monitors, security cameras, and the like. Researchers showed how attackers could use the flaws to watch video feeds in real time or shut them down with denial-of-service attacks. ThroughTek sent out an update in 2018 that provided ways to mitigate the attack, but not clear instructions on how or why customers should implement them.
Google similarly made certain changes to Workspace, the suite of cloud-based productivity software formerly known as G Suite, after a 2017 Google Docs worm showed how vulnerable the platform was to scammers. But a security researcher has demonstrated that it’s still very possible for a dedicated hacker to abuse the system.
Dozens of civil rights groups are up in arms over Apple’s controversial system that would in part use people’s iPhones to help find child sexual abuse material. China has long been a propaganda powerhouse and has lately turned its attention to the BBC, attacking various lines of reporting that run counter to the country’s interests. And we made a quick guide for how to send disappearing messages in the most popular chat apps.
And there’s more! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories, and stay safe out there.
It’s been a big month for cryptocurrency theft! Last week it was Poly Network, which saw a hacker abscond with over $610 million in various digital coins before ultimately returning most of it. Now it’s apparently Liquid’s turn. The Japanese cryptocurrency exchange said this week that its “warm” wallets—those connected to the internet, versus “cold” wallets, which are not—were compromised in a hack that resulted in about $97 million worth of bitcoin, ethereum, and other coins being stolen. Liquid said it moved some assets into cold wallets as a response, but the damage had been done.
Elliot Carter operates a site called WashingtonTunnels.com, which really delivers on its name. The “DC Underground Atlas” offers a detailed look at the US capital’s subterranean passageways. As you might imagine, that usually draws a steady stream of enthusiasts rather than seeing big traffic spikes. That is, until a few days before rioters stormed the US Capitol building. Around that time, Carter told the DC-area NBC affiliate, he saw a surge in visitors from around the country, many of them incoming from “anonymous message boards, sites and forums named after militias or firearms, or using Donald Trump’s name.” Suspicious! Carter reported the activity to the FBI, and a few days later this happened.
The bad news is that hackers compromised the US Census Bureau in January 2020, in a manner that was preventable and probably a little embarrassing. The good news, or at least less-bad news, is that those hackers didn’t get anywhere near actual census results. But they did gain access to servers thanks to a vulnerability that software company Citrix had disclosed a few weeks prior, on the day after a proof of concept for an exploit of that flaw was published on GitHub. According to a timeline provided by the Office of the Inspector General, the Census Bureau firewall prevented the attackers from communicating with their command and control server after a couple of days, but it took the agency weeks to fully mitigate the intrusion.
Apple takes a notoriously hard line against leaks, deploying a team of investigators to minimize the spilling of corporate secrets and the fallout. They’ve also apparently recruited at least one member of the community that trades in illicit Apple documents and hardware, according to a new report from Motherboard. The informant says he reached out to Apple, rather than the other way around, but ultimately soured on their relationship. It’s worth a read for insight both into Apple’s anti-leak squad and the people they try to hunt down.