Facebook Says Hackers Accessed Personal Data From 29 Million Accounts - Android General

Facebook says hackers accessed a wide swath of information — ranging from emails and phone numbers to more personal details like sites visited and places checked into — from millions of accounts as part of a security breach the company disclosed two weeks ago.
Twenty-nine million accounts had some form of information stolen. Originally Facebook said 50 million accounts were affected, but that it didn't know if they had been misused.
The news comes at a jittery time ahead of the midterm elections when Facebook is fighting off misuse of its site on a number of fronts. The company said Friday there's no evidence this is related to the midterms.
On Friday Facebook said hackers accessed names, email addresses or phone numbers from these accounts. For 14 million of them, hackers got even more data, such as hometown, birthdate, the last 10 places they checked into or the 15 most recent searches.
An additional 1 million accounts were affected, but hackers didn't get any information from them.
Facebook isn't giving a breakdown of where these users are, but says the breach was "fairly broad." It plans to send messages to people whose accounts were hacked.
Facebook said third-party apps that use a Facebook login and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack. The company said it hasn't ruled out the possibility of smaller-scale attacks that used the same vulnerability.
Facebook has said the attackers gained the ability to "seize control" of those user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook's code.
The hackers began with a set of accounts they controlled, then used an automated process to access the digital keys for accounts that were "friends" with the accounts they had already compromised. That expanded to "friends of friends," extending their access to about 400,000 accounts, and went on from there to reach 30 million accounts. There is no evidence that the hackers made any posts or took any other activity using the hacked accounts.
The company said it has fixed the bugs and logged out affected users to reset those digital keys.
At the time, CEO Mark Zuckerberg — whose own account was compromised — said attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
Facebook Vice President Guy Rosen said in a call with reporters on Friday the company hasn't ruled out the possibility of smaller-scale efforts to exploit the same vulnerability that the hackers used before it was disabled.
The company has a website its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen. It will also provide guidance on how to spot and deal with suspicious emails or texts. Facebook will also send messages directly to those people affected by the hack.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
"Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password, etc.," he said. "Facebook should provide all those customers free credit monitoring to make sure the damage is minimised."
Thomas Rid, a professor at the Johns Hopkins University, also said the evidence, particularly the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.
"This doesn't sound very targeted at all," he said. "Usually when you're looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they're going after."
source : https://www.newslagatar.com/2018/10/facebook-says-hackers-accessed-personal.html

Related

Anonymous Caller? New Service Says, Not Any More

By Kevin Poulsen February 16, 2009 | 11:43:10 PM
Categories: Hacks and Cracks
A new service set for launch Tuesday allows cellphone users to unmask the Caller ID on blocked incoming calls, obtaining the phone number, and in some cases the name and address, of the no-longer-anonymous caller.
The service, called TrapCall, is offered by New Jersey's TelTech systems, the company behind the controversial SpoofCard Caller ID spoofing service. The new service is likely to be even more controversial — and popular.
"What’s really interesting is that they’ve totally taken the privacy out of Caller ID," says former hacker Kevin Mitnick, who alpha-tested the service.
TrapCall's basic unmasking service is free, and includes the option of blacklisting unwanted callers by phone number. It also allows you to listen to your voicemail over the web. It's currently available to AT&T and T-Mobile subscribers, with support for the other major carriers due within weeks, says TelTech president Meir Cohen.
"It’s not meant for spies, it’s not meant for geeks, it’s not meant for any specific target audience,” Cohen says. "Everybody hates getting blocked calls, and in this day and age they want to know who’s calling, and they want the option of taking the call or not."
Consumers have had the option of shielding their number from display since Caller ID was introduced in the early 1990s, either by dialing *-6-7 before placing a call, or asking their carrier for blanket anonymity for their line. But TrapCall takes advantage of a loophole in Caller ID blocking that’s long benefited corporate phone customers: Namely, calls to toll-free numbers are not blocked, because those calls are paid for by the recipient.
TrapCall instructs new customers to reprogram their cellphones to send all rejected, missed and unanswered calls to TrapCall’s own toll-free number. If the user sees an incoming call with Caller ID blocked, he just presses the button on the phone that would normally send it to voicemail. The call invisibly loops through TelTech’s system, then back to the user’s phone, this time with the caller’s number displayed as the Caller ID.
The caller hears only ringing during this rerouting, which took about six seconds in Wired.com's test with an iPhone on AT&T. Rejecting the call a second time, or failing to answer it, sends it to the user’s standard voicemail.
The service comes as bad news to advocates for domestic violence victims, who fought hard to make free blocking an option in the early days of Caller ID. "I have huge concerns about that,” says Cindy Southworth, director of technology at the National Network to End Domestic Violence, in Washington, D.C. Southworth fears that abusers will use the new service to locate partners fleeing a violent relationship.
In a notable case in 1995, a Texas man named Kevin Roberson shot his ex-girlfriend to death after locating her through the Caller ID device on her roommate's phone line.
"The problem is serious, because domestic violence victims who've fled an abusive relationship often have to stay in contact with their abuser by phone, particularly in situations where the former couple share custody of their children,” Southworth says.
"The judge will require that the victim contact the offender to discuss where they’re dropping the children off, for example," says Southworth. "And there’s often court-mandated phone contact between the abusive partner and the victim." In those cases the victims often rely on Caller ID blocking to keep their former partner from knowing where they’re living.
Cohen dismisses that concern, arguing that Caller ID blocking was never secure to begin with. "It’s very simple for somebody to forward a phone to an 800 number in their office, and right there, they’re picking up the phone number of the person who is calling," he says. At least now the false illusion of Caller ID privacy will be dispelled by TrapCall, he adds.
In addition to the free service, branded Fly Trap, a $10-per-month upgrade called Mouse Trap provides human-created transcripts of voicemail messages, and in some cases uses text messaging to send you the name of the caller — information not normally available to wireless customers. Mouse Trap will also send you text messages with the numbers of people who call while your phone was powered off, even if they don’t leave a message.
With the $25-a-month Bear Trap upgrade, you can also automatically record your incoming calls, and get text messages with the billing name and street address of some of your callers, which TelTech says is derived from commercial databases.
TelTech is no stranger to controversy. Its Spoofcard product lets customers send any phone number they want as their Caller ID. Among other things, the spoofing service has been used by thieves to activate stolen credit cards, by hackers to access celebrities’ voicemail boxes, and by telephone hoaxsters to stage a dangerous prank called "swatting," in which they spoof an enemy’s phone number while calling the police with a fake hostage situation. The goal of swatting — realized in hundreds of cases around the country — is to send armed cops bursting into the victim's home.
Cohen’s company has cooperated in law enforcement investigations of Spoofcard abuse, which have led to several prosecutions and convictions. Despite the spoofing-linked crimes, he insists that most Spoofcard users are just privacy-conscious consumers, including celebrities, government officials, private investigators and even spousal abuse victims and shelters.
He also expects his new business will be good for his old one.
“The only way to block your number after this is released is to use Spoofcard,” he says with a laugh.

Advice sought for push mail hosting with spam filtering

OK, it's about time that I reviewed my email hosting options. I am currently paying $10 a month to exchangemymail.com for Exchange 2k3 hosting (200MB mailbox). The main reason I went with that company was that at the time they were the only ones I could find that offered Postini-filtered email accounts for one user only (I use it for my personal phone, not just business).
Top notch spam filtering is my #1 priority as I have had evilc.com and the [email protected] email address for nigh on 20 years now so I get a *lot* of spam.
However, since I originally took out the account, Google bought Postini, and now it seems that you can pay Google $6 a year for Postini filtering and bolt it onto any email account (you need a domain, which I have).
I am not unhappy with exchangemymail.com's service at all, but I think I can maybe get a better deal now.
So... looking for input on the subject.
Here are some points worth noting:
I currently use windows mobile, but I am maybe getting an android phone too soon, so a system that works well on both would be nice.
I use the same account on my desktop as my phone and I will not change this - it has to be as good a desktop solution as it is a phone solution.
Unification of email / contacts / tasks etc and OTA synching of these is vital. With my current system, I can enter a contact into outlook, pick up my (untethered) phone and the contact will be in there within seconds. I want to keep this.
I want the push email to be as real-time as possible. None of this every 5 or 10 minutes rubbish. I hold conversations via email, so it needs to be fast.
I am not hugely happy with the desktop Exchange solution; it takes ~2-3 mins to load up Outlook, and I have to enter my password too. However, I am not a huge fan of web interfaces for email / contacts etc.
I suppose it doesn't have to be Postini spam filtering, but it needs to be really, really good.
Not looking for super cheap / free solutions from tiny outfits. I want to sleep sound at night knowing that my data is safe. (Yes, I know about the Google / Sidekick fiasco, but that isn't the norm for Google.)
I am in the UK, so hosting in places where the exchange rate is favourable makes sense.

An encryption-based decentralized End to End communication APP

The Internet was designed to be a free network. “Don’t be evil” is the formal corporate motto of Google. However, a subjective good from Internet institutions can't guarantee Internet freedom. What is true freedom? True freedom is assuming all the participators are evil and getting rid of all the participators' capacity for evil through architectural design.
Apps are often used to deliver sensitive data or for personal and corporate communications, so the data stored by the service provider should be encrypted end-to-end. There are many messaging applications like Line, WeChat, KakaoTalk, and many more, but they are not end-to-end encrypted messengers. Time is loudly announcing the need to shift to alternatives that provide end-to-end encryption for communication between two devices and respect your privacy. A number of solutions are available for privacy: Telegram offers end-to-end encryption and has a 'Secret Chat' feature that self-destructs messages after the conversation; Surespot allows you to send and receive text messages, pictures and audio clips with end-to-end encryption; Threema uses end-to-end encryption and gives you all features like text messaging, image sharing, and voice chat as well; TextSecure and RedPhone also provide end-to-end encryption for messaging and voice calls respectively. RedPhone allows you to upgrade a normal call to a secure call whenever it senses the possibility to fulfill the requirements.
Therefore we have developed a complete decentralized, third-party End to End encrypted communication APP.
What is “a complete decentralized” concept?
IMAP/SMTP are standard communication protocols for retrieving and sending emails from a mail server; our APP users communicate via these protocols, as if they were sending emails.
What is “third-party End to End encrypted communication”?
Since we are using a zero-server solution, the developers themselves can't read the users' communication information at all. We encrypt the E-mail communication. The advantage of third-party encryption is that no one can read an APP user's communication information without permission, including APP officials, operators, E-mail service providers and so on.
Why “APP”?
We use smartphones longer than we sit in front of a PC. We hope to develop a 100% free of charge, future-proof secure communication app that is convenient and suited for long-hour usage.
After completing the APP, as long as there are users, nobody, including us, can prohibit this product from being used, just as nobody can prohibit the use of the email protocol. Furthermore, there will be no server deployed to manage this APP. It enables the free flow of the APP in conformity with the spirit of a free Internet environment.
Freedom is only an illusion. You're never free, I'll never be free, no living thing can ever be truly free, as every action is determined (or can be seen as determined a posteriori) by various factors. So, as the Internet is constructed by humans, logically it won't be free as well.
Stop talking about freedom and give us a secure App.
This is not meant negatively.
Regards
Needs to be idiot proof, lightweight and versatile. Good luck.
Sent from a stolen phone!

Cheapest solution just for SMS verification?

Right now I exclusively use Telegram for participating in online communities that interest me, where I do not know any of the other users in real life. When I get notifications that someone I know in real life, whose phone number is in my contacts, has joined Telegram it has bothered me that this blurs the line between my real life identity and the online pseudonym I use - as I expect that they see my username and it may be quite confusing to them who I am.
I have also been reading how Telegram is increasing in popularity which is great but if there is widespread general adoption separating my real life contacts from my online communities at a late point will be even more difficult.
It seems the best option would be a second account but that every Telegram account requires a unique phone number - is there some way around this, or is there some way I can set up a second account without having to reactivate an old SIM by topping it up, and continuing to top it up every few months to keep the provider from - required at least by Vodafone Ireland? Perhaps there is some kind of online SMS phone number I could use free or for a once-off fee that would allow me to receive email or web-based SMS?

Avoid TrueCaller

I’ve been using Truecaller for 10 years and I can confirm that it is NOT SAFE.
You install Truecaller. It forces you to make your phone and messaging default to Truecaller. Now you have shared all the phone numbers and messages with Truecaller. Within a few days, you’ll notice more spam calls, SMS and emails compared to not having Truecaller in the first place.
This is the era of digital marketing. Business is being done online. There are product sellers who want to reach you to push their products but they don't know your number, profession and email address. They reach hackers or they themselves manage to get your contact information. Hackers hack the data from Truecaller's server and sell it to these digital marketing guys. The data can contain your phone number, profession, messages, email address etc. so that they can send you messages and call you to sell their products. If you observe, Truecaller also gives an option to add your profession, email address and home address besides just your phone number. Hackers and sellers got it all. You keep getting more and more spam calls, emails and messages. If these spam calls and messages bother you so much, then uninstall Truecaller and in a few days you'll feel the difference: no more spam calls and messages.
Truecaller is created for business and it's a company now. It takes all your contact information. Hackers get this information and sell it to businesses/buyers. You get more spam calls, emails and SMS. To stop this you will have to pay for Truecaller premium. Nice business strategy.
In the olden days, there was no Truecaller. If someone called us and we determined it was a spam caller, then we used to save his number with some stupid name, ignore, block or give them a warning that we would report them to the police. Good olden days, your contact information was not being shared worldwide. By installing Truecaller, you are inviting stress... more unwanted calls at unwanted times disturbing your sleep, leisure and peace of mind.
I can recommend Eyecon as an alternative to TrueCaller as it will not read all your messages plus hidden surprise, you find out!
