
Facebook’s Data Deals Are Under Criminal Investigation

Throw the book at ’em, and wind down this house of despicable spies and greedy exploiters of their (arguably gullible) flock

Quote

Federal prosecutors are conducting a criminal investigation into data deals Facebook struck with some of the world’s largest technology companies, intensifying scrutiny of the social media giant’s business practices as it seeks to rebound from a year of scandal and setbacks.

A grand jury in New York has subpoenaed records from at least two prominent makers of smartphones and other devices, according to two people who were familiar with the requests and who insisted on anonymity to discuss confidential legal matters. Both companies had entered into partnerships with Facebook, gaining broad access to the personal information of hundreds of millions of its users.

The companies were among more than 150, including Amazon, Apple, Microsoft and Sony, that had cut sharing deals with the world’s dominant social media platform. The agreements, previously reported in The New York Times, let the companies see users’ friends, contact information and other data, sometimes without consent. Facebook has phased out most of the partnerships over the past two years.

Yep, no surprise here. The invasion of privacy extends much further including the oligopolist, and in many cases, outright monopolies in the mobile phone carriers, ISPs and beyond. When will the U.S. get serious about anti-trust enforcement in the tech industry?

“We are cooperating with investigators and take those probes seriously,” a Facebook spokesman said in a statement. “We’ve provided public testimony, answered questions and pledged that we will continue to do so.”

It is not clear when the grand jury inquiry, overseen by prosecutors with the United States attorney’s office for the Eastern District of New York, began or exactly what it is focusing on. Facebook was already facing scrutiny by the Federal Trade Commission and the Securities and Exchange Commission. And the Justice Department’s securities fraud unit began investigating it after reports that Cambridge Analytica, a political consulting firm, had improperly obtained the Facebook data of 87 million people and used it to build tools that helped President Trump’s election campaign.

The Justice Department and the Eastern District declined to comment for this article.

The Cambridge investigation, still active, is being run by prosecutors from the Northern District of California. One former Cambridge employee said investigators questioned him as recently as late February. He and three other witnesses in the case, speaking on the condition of anonymity so they would not anger prosecutors, said a significant line of inquiry involved Facebook’s claims that it was misled by Cambridge.

In public statements, Facebook executives had said that Cambridge told the company it was gathering data only for academic purposes. But the fine print accompanying a quiz app that collected the information said it could also be used commercially. Selling user data would have violated Facebook’s rules at the time, yet the social network does not appear to have regularly checked that apps were complying. Facebook deleted the quiz app in December 2015.

The disclosures about Cambridge last year thrust Facebook into the worst crisis of its history. Then came news reports last June and December that Facebook had given business partners — including makers of smartphones, tablets and other devices — deep access to users’ personal information, letting some companies effectively override users’ privacy settings.

The sharing deals empowered Microsoft’s Bing search engine to map out the friends of virtually all Facebook users without their explicit consent, and allowed Amazon to obtain users’ names and contact information through their friends. Apple was able to hide from Facebook users all indicators that its devices were even asking for data.

Privacy advocates said the partnerships seemed to violate a 2011 consent agreement between Facebook and the F.T.C., stemming from allegations that the company had shared data in ways that deceived consumers. The deals also appeared to contradict statements by Mark Zuckerberg and other executives that Facebook had clamped down several years ago on sharing the data of users’ friends with outside developers.

F.T.C. officials, who spent the past year investigating whether Facebook violated the 2011 agreement, are now weighing the sharing deals as they negotiate a possible multibillion-dollar fine. That would be the largest such penalty ever imposed by the trade regulator.

Facebook has aggressively defended the partnerships, saying they were permitted under a provision in the F.T.C. agreement that covered service providers — companies that acted as extensions of the social network.

The company has taken steps in the past year to tackle data misuse and misinformation. Last week, Mr. Zuckerberg unveiled a plan that would begin to pivot Facebook away from being a platform for public sharing and put more emphasis on private communications.

No guns or lockpicks needed to nick modern cars if they’re fitted with hackable ‘smart’ alarms

Vulnerable kit can immobilise motors and even unlock doors

Quote

Researchers have discovered that “smart” alarms can allow thieves to remotely kill your engine at speed, unlock car doors and even tamper with cruise control speed.

British infosec biz Pen Test Partners found that the Viper Smart Start alarm and products from vendor Pandora were riddled with flaws, allowing an attacker to steal a car fitted with one of the affected devices.

“Before we contacted them, the manufacturers had inadvertently exposed around 3 million cars to theft and their users to hijack,” said PTP in a blog post about their findings. The firm was inspired to start looking at Pandora’s alarms after noticing that the company boasted their security was “unhackable”.

Thanks to an unauthenticated corner of the service’s API and a simple parameter manipulation (an indirect object request, IDOR), PTP said they were able to change a Viper Smart Start user account’s password and registered email address, giving them full control over the app and the car that the alarm system was installed on.

All they had to do was send a POST request to the API with the parameter “email” redefined to one of their choice in order to overwrite the legitimate owner’s email address, thus gaining access and control over the account.

PTP said that in a live proof-of-concept demo they were able to geolocate a target car using the Viper Smart Start account’s inbuilt functionality, set off the alarm (causing the driver to stop and investigate), activate the car’s immobiliser once it was stationary and then remotely unlock the car’s doors, using the app’s ability to clone the key fob and issue RF commands from a user’s mobile phone.

Even worse, after further API digging, PTP researchers discovered a function in the Viper API that remotely turned off the car’s engine. The Pandora API also allowed researchers to remotely enable the car’s microphone, allowing nefarious people to eavesdrop on the occupants.

They also said: “Mazda 6, Range Rover Sport, Kia Quoris, Toyota Fortuner, Mitsubishi Pajero, Toyota Prius 50 and RAV4 – these all appear to have undocumented functionality present in the alarm API to remotely adjust cruise control speed!”

Both Pandora and Viper had fixed the offending IDORs before PTP went public. The infosec firm noted that modern alarm systems tend to have direct access to the CANbus, the heart of a modern electronic vehicle.

A year ago infosec researchers wailed that car security in general is poor, while others discovered that electronic control units (ECUs), small modular computers used for controlling specific vehicle routines that were done mechanically years ago, were vulnerable to certain types of hack even with the engine off and the car stationary.
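The account-takeover path described in the article (an unauthenticated API call that overwrites a chosen account’s email address, then a password reset to the attacker’s inbox) is the textbook combination of an IDOR, properly Insecure Direct Object Reference, with mass assignment. The following Python is an added illustration, not Pen Test Partners’ or either vendor’s code: the request shape, the account store and the handler names are all hypothetical. It puts the vulnerable pattern beside a hardened handler that derives the target account from the authenticated session, refuses a client-supplied id that disagrees with it, and demands re-authentication before a recovery identifier can change.

```python
"""Account-update endpoint: IDOR + mass assignment versus a hardened version.

Constructed example. Everything here (Request, Account, AccountStore and the
two handlers) is hypothetical and stands in for a real HTTP/JSON API.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    account_id: int
    email: str
    password_hash: str  # placeholder; a real service stores a slow, salted hash


@dataclass
class Request:
    # Identity the server derived from the session cookie or token.
    # None means the caller presented no valid credentials.
    session_account_id: Optional[int]
    # Client-controlled JSON body, exactly as received.
    body: dict = field(default_factory=dict)


class AccountStore:
    def __init__(self):
        # Constructed accounts: 1 is the victim, 2 is the attacker.
        self.accounts = {
            1: Account(1, "owner@example.com", "h1"),
            2: Account(2, "attacker@example.com", "h2"),
        }


class Forbidden(Exception):
    pass


def update_profile_vulnerable(store: AccountStore, req: Request) -> str:
    """The anti-pattern: the target row is selected by a client-supplied id,
    the caller's session is never consulted, and any field in the body is
    written through (mass assignment). Redefining "email" is enough."""
    acct = store.accounts[req.body["account_id"]]
    if "email" in req.body:
        acct.email = req.body["email"]
    return f"updated {acct.account_id}"


def update_profile_fixed(store: AccountStore, req: Request) -> str:
    """Hardened: authenticate, bind the target to the session (not the body),
    treat a mismatching client id as an attack rather than ignoring it, and
    require re-authentication to change a recovery identifier."""
    if req.session_account_id is None:
        raise Forbidden("authentication required")
    acct = store.accounts[req.session_account_id]
    if "account_id" in req.body and req.body["account_id"] != acct.account_id:
        raise Forbidden("account_id does not match session")  # log this
    if "email" in req.body:
        # Placeholder check; a real service verifies the password, a fresh
        # second factor, or a confirmation link sent to the OLD address.
        if req.body.get("current_password_hash") != acct.password_hash:
            raise Forbidden("re-authentication required to change email")
        acct.email = req.body["email"]
    return f"updated {acct.account_id}"


def takeover_attempt(handler) -> str:
    """Unauthenticated attacker points account 1's email at their own inbox,
    the first step before 'forgot password'. Returns account 1's email after
    the attempt, so the caller can see whether the handler held."""
    store = AccountStore()
    req = Request(session_account_id=None,
                  body={"account_id": 1, "email": "attacker@example.com"})
    try:
        handler(store, req)
    except Forbidden:
        pass
    return store.accounts[1].email


def legitimate_change() -> str:
    """Owner of account 1, logged in, changes their own email with re-auth."""
    store = AccountStore()
    req = Request(session_account_id=1,
                  body={"email": "new-owner@example.com",
                        "current_password_hash": "h1"})
    update_profile_fixed(store, req)
    return store.accounts[1].email


if __name__ == "__main__":
    print("vulnerable:", takeover_attempt(update_profile_vulnerable))
    print("fixed:     ", takeover_attempt(update_profile_fixed))
    print("legit:     ", legitimate_change())
```

The practitioner’s check is the second function’s first three statements: is the caller authenticated, is the target derived from that identity rather than from the body, and is a disagreeing client id rejected loudly? An endpoint that passes all three cannot be turned into a takeover by editing one POST parameter, which is the whole of the attack described above.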

That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus

Quote

Updated An unprotected MongoDB database belonging to a marketing tech company exposed up to 809 million email addresses, phone numbers, business leads, and bits of personal information to the public internet, it emerged yesterday.

Today, however, it appears the scope of that security snafu may have been underestimated.

According to cyber security biz Dynarisk, there were four databases exposed to the internet – rather than just the one previously reported – bringing the total to potentially more than two billion records weighing in at 196GB rather than 150GB.

Anyone knowing where to look on the ‘net would have been able to spot and siphon off all that data, without any authentication.

“There was one server that was exposed to the web,” Andrew Martin, CEO and founder of DynaRisk, told The Register on Friday. “On this server were four databases. The original discovery analysed records from mainEmailDatabase. The additional three databases were hosted on the same server, which is no longer accessible.

“Our analysis was conducted over all four databases and extracted over two billion email addresses which is more than the 809 million first discussed.”

The databases were operated by Verifications.io, which provides enterprise email validation – a way for marketers to check that email addresses on their mailing lists are valid and active before firing off pitches. The Verifications.io website is currently inaccessible.

The database first reported included the following data fields, some of which, such as date of birth, qualify as personal information under various data laws:

Email Records (emailrecords): a JSON object with the keys id, zip, visit_date, phone, city, site_url, state, gender, email, user_ip, dob, firstname, lastname, done, and email_lower_sha265.
Email With Phone (emailWithPhone): No example provided but presumably a JSON object with the two named attributes.
Business Leads (businessLeads): a JSON object with the keys id, email, sic_code, naics_code, company_name, title, address, city, state, country, phone, fax, company_website, revenue, employees, industry, desc, sic_code_description, firstname, lastname, and email_lower_sha256.
…..
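One field in the schema above deserves a caveat: a column such as email_lower_sha256 is often assumed to be an anonymised substitute for the address, but an unsalted hash of a lowercased email is reversible by anyone holding a list of candidate addresses, which every marketer does. The Python below is an added example, not code from Verifications.io or from the reporting; it assumes, as the field name suggests but the page does not state, that the column is SHA-256 over the lowercased address, and all sample records are constructed. It shows the dictionary attack and the keyed alternative (an HMAC with a secret the data holder keeps) that actually prevents linkage.

```python
"""Why a hashed email column is still personal data.

Added example with constructed data. Assumption: email_lower_sha256 is
sha256(email.strip().lower()); the page only shows the field name.
"""
import hashlib
import hmac


def email_lower_sha256(email: str) -> str:
    """Reproduces the assumed construction of the leaked column."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed stand-in for rows that exposed only the hash column.
LEAKED_HASHES = [
    email_lower_sha256("Alice.Smith@example.com"),
    email_lower_sha256("bob@example.org"),
]


def reverse_hashes(leaked: list, candidates: list) -> dict:
    """Dictionary attack: hash every candidate address the same way and look
    the leaked values up. Cost is one hash per candidate, so a mailing list
    of millions is reversed in seconds, and the column links this data set
    to any other that used the same unsalted construction."""
    table = {email_lower_sha256(c): c.strip().lower() for c in candidates}
    return {h: table[h] for h in leaked if h in table}


def keyed_token(email: str, secret_key: bytes) -> str:
    """Keyed alternative: HMAC-SHA256 under a per-dataset secret. Without the
    key, a candidate list is useless, and two data sets keyed differently
    cannot be joined on the token."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(secret_key, normalised, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    candidates = ["alice.smith@example.com", "carol@example.net", "BOB@example.org"]
    for h, addr in reverse_hashes(LEAKED_HASHES, candidates).items():
        print(f"{h[:16]}... -> {addr}")
    print("keyed:", keyed_token("alice.smith@example.com", b"dataset-secret")[:16], "...")
```

Normalisation (strip, lowercase) is part of the attack as much as the hash: any processing the data holder applied to the address before hashing, the attacker applies too, so the hashed column carries exactly the information of the plaintext for anyone who can guess the plaintext.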

Over a Dozen Children’s and Consumer Advocacy Organizations Request Federal Trade Commission to Investigate Facebook for Deceptive Practices

It is not just me tilting at windmills, as some have suggested. The Facebook and related social media threats are real – especially to our children.

Contact:
David Monahan, CCFC: david@commercialfreechildhood.org; (617) 896-9397
Lisa Cohen, Common Sense: lcohen@commonsense.org; (310) 395-2544

Over a Dozen Children’s and Consumer Advocacy Organizations Request Federal Trade Commission to Investigate Facebook for Deceptive Practices

SAN FRANCISCO, CA — February 21, 2019 — Earlier today, Common Sense Media, Campaign for a Commercial-Free Childhood, Center for Digital Democracy, and over a dozen organizations called upon the Federal Trade Commission (FTC) to investigate whether Facebook has engaged in unfair or deceptive practices in violation of Section 5 of the Federal Trade Commission Act and the Children’s Online Privacy Protection Act (COPPA).

“Facebook’s practice of ‘friendly fraud’ and referring to kids as ‘whales’ shows an ongoing pattern of the company putting profits over people. Kids, under any circumstances, should not be the target of irresponsible and unethical marketing tactics,” said Jim Steyer, CEO of Common Sense Media. “Facebook has a moral obligation to change its culture toward practices that foster the well-being of kids and families, and the FTC should ensure Facebook is acting responsibly.”

The FTC complaint is in response to unsealed documents from a 2012 class action lawsuit that Facebook settled in 2016. Upon a Freedom of Information Act request filed by the Center for Investigative Reporting, internal documents at Facebook revealed the company knowingly duped children into making in-game purchases and made refunds almost impossible to obtain. Facebook employees called the practice “friendly fraud” and referred to kids who spent large amounts of money as “whales,” a casino-industry term for super high rollers.

Advocates are concerned that Facebook employed unfair practices by charging children for purchases made without parental consent and often without parental awareness. According to Section 5 of the Federal Trade Commission Act, “unfair” practices are defined as those that “cause or [are] likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” (15 U.S.C. Sec. 45(n)). Advocates point to court documents to demonstrate substantial injury to consumers, including one teenager who incurred $6,500 of charges in just a few weeks, and request rates for refunds were 20 times higher than the usual rate of refund requests.

“Facebook’s scamming of children is not only unethical and reprehensible – it’s likely a violation of consumer protection laws,” said Josh Golin, Executive Director of Campaign for Commercial-Free Childhood. “Time and time again, we see that Facebook plays by its own rules regardless of the cost to children, families and society. We urge the FTC to hold Facebook accountable.”

Additionally, the complaint asks the FTC to investigate whether Facebook violated COPPA. Unsealed documents show that Facebook was aware that many of the games it offered were popular with children under age 13 and were in fact being played by children under 13. COPPA makes it unlawful for an “operator of a Web site or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child” unless it has obtained verifiable parental consent and provided appropriate disclosures.

Advocates are calling for the Commission to recognize the particular vulnerability of young people and investigate whether Facebook is complying with Section 5 and COPPA.

Groups signing on to the complaint include Common Sense Media, Center for Digital Democracy, Campaign for a Commercial-Free Childhood, Consumer Action, Electronic Privacy Information Center, Consumer Federation of America, Children and Screens, Badass Teachers Association, Inc., Media Education Foundation, New Dream, Parents Television Council, Peace Educators Allied for Children Everywhere (P.E.A.C.E.), Parent Coalition for Student Privacy, Public Citizen, Story of Stuff, TRUCE, and Defending the Early Years.

The full complaint can be read here.

It’s time to hold Facebook accountable

From the Campaign for a Commercial-Free Childhood -CCFC educates the public about commercialism’s impact on kids’ well being and advocates for the end of child-targeted marketing.

Quote

In January, it was revealed that Facebook knowingly defrauded children and their families out of millions of dollars by intentionally misleading children into making in-app purchases. The company referred to children who unintentionally spent thousands of dollars as “whales,” a casino industry term for high-rollers, and refused to refund unauthorized purchases. Not only did the company not refund these unauthorized charges, they encouraged them.

As we wrote at the time, these policies and attitudes toward kids show that Facebook is unfit to make products for children. Now, we’re joining our allies at Common Sense Media, Center for Digital Democracy, and 14 other organizations, asking the FTC to investigate these clearly fraudulent and deceptive practices. Facebook has proven again and again that it will stop at nothing to increase profits, even at the expense of children.

Read our press release here, and the full text of our FTC complaint here.

Zuck’s asleep at the wheel (or ZZZZing in his wallet) – This time Brexit

Note to Zuckerberg, if you cannot identify and add accountability to your advertisers, then just no! You are the real zucker here.

Britain’s Future has spent £340,000 promoting hard exit – but no one knows who’s funding it

The single biggest known British political advertiser on Facebook is a mysterious pro-Brexit campaign group pushing for a no-deal exit from the EU. The revelation about Britain’s Future, which has never disclosed the source of its funding or organisational structure, has raised concerns about the influence of “dark money” in British politics.

Hmmmm…smells like a wind blowing from the east.

The little-known campaign group has spent more than £340,000 on Facebook adverts backing a hard Brexit since the social network began publishing lists of political advertisers last October, making it a bigger spender than every UK political party and the government combined.

However, there is no information available about who is ultimately paying for the adverts, highlighting a key flaw in Facebook’s new political transparency tools.

The sophisticated campaign includes thousands of individual pro-Brexit adverts, targeted at voters in the constituencies of selected MPs. The adverts urge voters to email their local representative and create the impression of a grassroots uprising for a no-deal Brexit. The MPs then receive emails, signed by a “concerned constituent”, demanding a hard Brexit. The emails do not mention the involvement of an organised campaign group.

Britain’s Future’s public presence contains links to just two individuals: an ex-BBC Three sitcom writer turned journalist, and, indirectly, a former BNP candidate who lives on a farm called Rorke’s Drift in the Yorkshire dales.

The site’s public face is Tim Dawson, who created the sitcom Coming of Age while still in his teens before going on to contribute to Two Pints of Lager and a Packet of Crisps. In recent years he has stood for election to Manchester city council as a Conservative candidate before last year taking control of Britain’s Future.

..

Under Facebook’s transparency rules, a representative of Britain’s Future would have been required to provide a valid UK postal address before placing political adverts, but this information was not made public. There are no checks on the ultimate source of any funds.

Facebook said it was only thanks to its new political ad transparency tools, introduced after the EU referendum and soon to be rolled out across the UK, that it was possible to see the extent of political advertising placed by Britain’s Future. There is no equivalent database for Google, Twitter or other online advertisers.

(Good point Facebook, in all fairness, the same rules need to apply across all social media!)

Dawson’s pro-Brexit campaign group has spent more than a third of a million pounds on targeted Facebook and Instagram adverts in just a few months, including more than £50,000 last week alone, urging voters to email their local MP and tell them to get Britain out of the EU. A further unknown sum has also been spent buying up adverts alongside Google search results related to Brexit, suggesting that the total amount spent by his organisation on online campaigning could be much higher.

Throughout all this, Dawson, who these days makes a living from writing occasional pieces for the Daily Telegraph and the Spiked website, has declined to comment on the source of his funds, other than to tell the BBC that he was “raising small donations from friends and fellow Brexiteers”. There was no answer at his flat in Manchester and he has repeatedly declined to answer questions on how he has access to levels of funding that dwarf many high-profile campaigns.

According to its Facebook page, there are at least five individuals involved in the administration of Britain’s Future, although there are few clues as to who they are. Its “About Us” page contains a map centred on a remote building in the Yorkshire Dales north of Harrogate. This is Rorke’s Drift farm, named after the 1879 battle in South Africa where a small group of British soldiers made a successful last stand against thousands of Zulu warriors, an incident later depicted in the Michael Caine film Zulu.

The farm is home to Colin Banner, a former British National Party candidate. When contacted by the Guardian, he insisted that he had no knowledge of Dawson, was not aware of Britain’s Future, and was not involved in placing the adverts.

In a rare statement, Dawson declined to answer questions on funding or who was behind Britain’s Future. He said it was pure coincidence that his website was pointing to the remote home of a one-time BNP candidate and thanked the Guardian for bringing it to his attention.

“Britain’s Future has never associated with, nor would it ever associate with Colin Banner, or any BNP member. I have never met with, spoken to, or associated with Colin Banner, or any BNP member, nor would I want to. To state otherwise would be untrue.

“Designing the website required selecting a point on the map of the UK. The coordinates were randomly selected so the map of the UK would display centrally on the webpage. It was solely a design decision.

“The purpose of Britain’s Future is to represent the views of 17.4 million people who voted to leave the European Union – regardless of background. This is about delivering on the result of the referendum.”

No law is being broken by Britain’s Future’s campaigning. Outside of an election period, it is legal for any individual or campaign group to pay to promote political material without declaring where the funds come from. Britain’s Future is not a political party and does not appear to have any intention of putting forward candidates in elections, so is not regulated by laws requiring large political donations to be publicly declared.

Even the anti-Brexit People’s Vote campaign for a second referendum, backed with financing from the billionaire George Soros, has spent less on Facebook than Britain’s Future. Its website is essentially a personal blog on arguments for Brexit, with a discreet PayPal button soliciting donations.

Dawson previously stood as the Conservative council candidate in Manchester’s Hulme ward last year and finished a distant sixth. He gave an interview to Country Squire Magazine, explaining that he had recently embraced politics after becoming exasperated with the leftwing bias of the BBC: “There are lots and lots of Conservatives in this country and they deserve to be represented in our cultural landscape.”

Last month, a report from the Department for Digital, Culture, Media and Sport warned that electoral law was out of date and vulnerable to manipulation by hostile forces, and that the need to update it was urgent.

Mark Zuckerberg Says He’ll Shift Focus to Private Sharing

Bullshit!

Facebook’s business model is selling ads and massive sharing of data to profile users. When I go to AccuWeather, for one example, guess who they link to: you guessed it, Facebook. Don’t believe this low life lying excuse for a person, i.e. Zuckerberg. Just say no to Facebook, cure your addiction, and get on with your life.

Quote

SAN FRANCISCO — Social networking has long been predicated on people sharing their status updates, photos and messages with the world. Now Mark Zuckerberg, chief executive of Facebook, plans to start shifting people toward private conversations and away from public broadcasting.

Mr. Zuckerberg, who runs Facebook, Instagram, WhatsApp and Messenger, on Wednesday expressed his intentions to change the essential nature of social media. Instead of encouraging public posts, he said he would focus on private and encrypted communications, in which users message mostly smaller groups of people they know. Unlike publicly shared posts that are kept as users’ permanent records, the communications could also be deleted after a certain period of time.

He said Facebook would achieve the shift partly by integrating Instagram, WhatsApp and Messenger so that users worldwide could easily message one another across the networks. In effect, he said, Facebook would change from being a digital town square to creating a type of “digital living room,” where people could expect their discussions to be intimate, ephemeral and secure from outsiders.

“We’re building a foundation for social communication aligned with the direction people increasingly care about: messaging each other privately,” Mr. Zuckerberg said in an interview on Wednesday. In a blog post, he added that as he thought about the future of the internet, “I believe a privacy-focused communications platform will become even more important than today’s open platforms.”

Facebook’s plan — in which the company is playing catch-up to how people are already communicating digitally — raises new questions, not the least of which is whether it can realistically pull off a privacy-focused platform. The Silicon Valley giant, valued at $490 billion, depends on people openly sharing posts to be able to target advertising to them. While the company will not eradicate public sharing, a proliferation of private and secure communications could potentially hurt its business model.

Facebook also faces concerns about what the change means for people’s data and whether it was being anti-competitive by knitting together WhatsApp, Instagram and Messenger, which historically have been separate and operated autonomously.

Mr. Zuckerberg was vague on many details of the shift, including how long it would take to enact and whether that meant Instagram, WhatsApp and Messenger would share user information and other contact details with one another. He did not address how private, encrypted communications would affect Facebook’s bottom line.

But Mr. Zuckerberg did acknowledge the skepticism that Facebook would be able to change. “Frankly we don’t currently have a strong reputation for building privacy protective services, and we’ve historically focused on tools for more open sharing,” he wrote in his blog post. “But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.”

Facebook’s move is set to redefine how people use social media and how they will connect with one another. That has societal, political and national security implications given the grip that the company’s services have on more than 2.7 billion users around the world. In some countries, Facebook and its other apps are often considered as being the internet.

Mr. Zuckerberg’s decision follows years of scandal for the social network, much of it originating from public sharing of posts. Foreign agents from countries like Russia have used Facebook to publish disinformation, in an attempt to sway elections. Some communities have used Facebook Groups to strengthen ideologies around issues such as anti-vaccination. And firms have harvested the material that people openly shared for all manner of purposes, including targeting advertising and creating voter profiles.

Even WhatsApp, which has long been encrypted, has grappled with the distribution of misinformation through its service, sometimes with deadly consequences.

All of that has put Facebook in the spotlight, which in turn has badly damaged the company’s reputation and created mistrust with users. Regulators have intensified scrutiny of Facebook’s privacy practices, with the Federal Trade Commission considering a multibillion-dollar fine against the company for violating a 2011 privacy consent decree. Last week, the agency said it would create a task force to monitor big tech companies and potential anti-competitive conduct.

Mr. Zuckerberg has repeatedly tried to rid Facebook of toxic content, disinformation and other problems. At one point, he emphasized prioritizing what friends and family shared on Facebook and de-emphasizing content from publishers and brands. He has also said that the company will hire more people to comb through and remove abusive or dangerous posts, and that it is working on artificial intelligence tools to do that job.

But none of those moves addressed the issue of public sharing. And in many ways, consumers were already moving en masse toward more private methods of digital communications.

Snap, the maker of the Snapchat app, has built a young, loyal audience by allowing people to share messages and stories for a finite period of time, for example. Other companies, like the local social networking company Nextdoor, focus on the power of group and community communications. And closed, private messaging services like Signal and Telegram have also become more prominent.

Evan Spiegel, chief executive of Snap, hinted at the problems that Facebook’s News Feed had created last week at a New York Times conference. Because of the way social networks had been constructed for people to publicly share content, he said, “things that are negative actually spread faster and further than things that are positive.” He later added, “You know, I certainly think there’s a lot of opportunity to sort of course-correct here.”

In many ways, Mr. Zuckerberg is now emulating a strategy popularized by Tencent, the Chinese internet company that makes the messaging app WeChat. WeChat has become the de facto portal to the rest of the internet for Chinese citizens because through the app, users can perform a multitude of tasks, like pay for items, communicate with friends and order takeout.

“Facebook is focused on mobile and messaging as the key conduit for people to communicate online, and thereby to communicate with Facebook,” said Ashkan Soltani, an independent privacy and security researcher who was a former chief technologist at the F.T.C. “The chat app essentially becomes your browser.”

Mr. Zuckerberg said that even though he would focus on private and secure conversations, the public forums for communication popularized by Facebook would continue. In addition, WhatsApp, Instagram and Messenger will remain stand-alone apps, even as their underlying messaging infrastructures are woven together, The Times previously reported. The work, which will include adding end-to-end encryption across all the apps, is in the early stages.

Mr. Zuckerberg said this overall shift would ultimately create new opportunities for Facebook.

“We’re thinking about private messaging in a way that we can build the tools to make that better,” he said in the interview. “There’s all kinds of different commerce opportunities, especially in developing countries. There’s more private tools to be built around peoples’ location. There’s just a whole set of broader utilities we can build that fit this more intimate mode of sharing.”

Public Enemy #1: Facebook

What a disgusting despicable bunch of excuses for human beings: Zuckerberg, Sandberg and their ilk. They rape you of your privacy and hire lowly lobbyists to corrupt politicians to protect their business model. What scum of the earth.

If you work for Facebook, I would think about looking for a new job. Their days are (hopefully) numbered.

Quote

Revealed: Facebook’s global lobbying against data privacy laws

Facebook has targeted politicians around the world – including the former UK chancellor, George Osborne – promising investments and incentives while seeking to pressure them into lobbying on Facebook’s behalf against data privacy legislation, an explosive new leak of internal Facebook documents has revealed.

The documents, which have been seen by the Observer and Computer Weekly, reveal a secretive global lobbying operation targeting hundreds of legislators and regulators in an attempt to procure influence across the world, including in the UK, US, Canada, India, Vietnam, Argentina, Brazil, Malaysia and all 28 states of the EU. The documents include details of how Facebook:

• Lobbied politicians across Europe in a strategic operation to head off “overly restrictive” GDPR legislation. They include extraordinary claims that the Irish prime minister said his country could exercise significant influence as president of the EU, promoting Facebook’s interests even though technically it was supposed to remain neutral.

• Used chief operating officer Sheryl Sandberg’s feminist memoir Lean In to “bond” with female European commissioners it viewed as hostile.

• Threatened to withhold investment from countries unless they supported or passed Facebook-friendly laws.

The documents appear to emanate from a court case against Facebook by the app developer Six4Three in California, and reveal that Sandberg considered European data protection legislation a “critical” threat to the company. A memo written after the Davos economic summit in 2013 quotes Sandberg describing the “uphill battle” the company faced in Europe on the “data and privacy front” and its “critical” efforts to head off “overly prescriptive new laws”.

Most revealingly, it includes details of the company’s “great relationship” with Enda Kenny, the Irish prime minister at the time, one of a number of people it describes as “friends of Facebook”. Ireland plays a key role in regulating technology companies in Europe because its data protection commissioner acts for all 28 member states. The memo has inflamed data protection advocates, who have long complained about the company’s “cosy” relationship with the Irish government.

The memo notes Kenny’s “appreciation” for Facebook’s decision to locate its headquarters in Dublin and points out that the new proposed data protection legislation was a “threat to jobs, innovation and economic growth in Europe”. It then goes on to say that Ireland is poised to take on the presidency of the EU and therefore has the “opportunity to influence the European Data Directive decisions”. It makes the extraordinary claim that Kenny offered to use the “significant influence” of the EU presidency as a means of influencing other EU member states “even though technically Ireland is supposed to remain neutral in this role”.

It goes on: “The prime minister committed to using their EU presidency to achieve a positive outcome on the directive.” Kenny, who resigned from office in 2017, did not respond to the Observer’s request for comment.

John Naughton, a Cambridge academic and Observer writer who studies the democratic implications of digital technology, said the leak was “explosive” in the way it revealed the “vassalage” of the Irish state to the big tech companies. Ireland had welcomed the companies, he noted, but became “caught between a rock and a hard place”. “Its leading politicians apparently saw themselves as covert lobbyists for a data monster.”

A spokesperson for Facebook said the documents were still under seal in a Californian court and it could not respond to them in any detail: “Like the other documents that were cherrypicked and released in violation of a court order last year, these by design tell one side of a story and omit important context.”

The 2013 memo, written by Marne Levine, who is now a Facebook senior executive, was cc-ed to Elliot Schrage, Facebook’s then head of policy and global communications, the role now occupied by Nick Clegg. As well as Kenny, dozens of other politicians, US senators and European commissioners are mentioned by name, including then Indian president Pranab Mukherjee, Michel Barnier, now the EU’s Brexit negotiator, and Osborne.

The then chancellor used the meeting with Sandberg to ask Facebook to invest in the government’s Tech City venture, the memo claims, and Sandberg said she would “review” any proposal. In exchange, she asked him to become “even more active and vocal in the European Data Directive debate and really help shape the proposals”. The memo claims Osborne asked for a detailed briefing and said he would “figure out how to get more involved”. He offered to host a launch for Sandberg’s book in Downing Street, an event that went ahead in spring 2013.

Osborne told the Observer: “I don’t think it’s a surprise that the UK chancellor would meet the chief operating officer of one of the world’s largest companies … Facebook and other US tech firms, in private, as in public, raised concerns about the proposed European Data Directive. To your specific inquiry, I didn’t follow up on those concerns, or lobby the EU, because I didn’t agree with them.”

He noted it was “not a secret” that he had helped launch Sandberg’s book at 11 Downing Street and added: “The book’s message about female empowerment was widely praised, not least in the Guardian and the Observer.”

In fact, the memo reveals that Sandberg’s feminist memoir was perceived as a lobbying tool by the Facebook team and a means of winning support from female legislators for Facebook’s wider agenda.

In a particularly revealing account of a meeting with Viviane Reding, the influential European commissioner for justice, fundamental rights and citizenship, the memo notes her key role as “the architect of the European Data Directive” and describes the company’s “difficult” relationship with her owing to her being, it claims, “not a fan” of American companies.

“She attended Sheryl’s Lean In dinner and we met with her right afterwards,” the memo says, but notes that she felt it was a “very ‘American’ discussion”, a comment the team regarded as a setback since “getting more women into C-level jobs and on boards was supposed to be how they bonded, and it backfired a bit”.

The Davos meetings are just the tip of the iceberg in terms of Facebook’s global efforts to win influence. The documents reveal how in Canada and Malaysia it used the promise of siting a new data centre with the prospect of job creation to win legislative guarantees. When the Canadians hesitated over granting the concession Facebook wanted, the memo notes: “Sheryl took a firm approach and outlined that a decision on the data center was imminent. She emphasized that if we could not get comfort from the Canadian government on the jurisdiction issue, we had other options.” The minister supplied the agreement Facebook required by the end of the day, it notes.

Apps Give Private Data To Facebook Without Users’ Knowledge or Permission

Why does this surprise anyone? And it is not just data going to Facebook. Most of the apps we see on Android have such wide open permissions and no or awful privacy policies, that it astounds me anyone would use them. Why does a “torch” (flashlight) app need to be able to read my contacts or have full internet access? That is just one example. Running a PC without a strict application firewall these days is plainly crazy. But how many users run application firewalls on their mobile devices? They should.

Facebook needs to be wound down. The best way to do that is to simply boycott any and all of their properties. Just say no to Facebook and all their properties like Messenger, Whatsapp, Instagram, Masquerade (MSQRD), Moves App, …

Well, back to the news.

Quote

NPR’s Mary Louise speaks with The Wall Street Journal’s Sam Schechner about how several apps they tested sent sensitive personal data to Facebook without users’ permission or knowledge.

MARY LOUISE KELLY, HOST:

Let’s dig deeper now into how some of these apps are sharing users’ data without their knowledge. Laura mentioned The Wall Street Journal just there. It recently published another story headlined “You Give Apps Sensitive Personal Information. Then They Tell Facebook.” Sam Schechner is one of the reporters on the story, and I asked him what sensitive personal information we’re talking about here.

SAM SCHECHNER: Well, it could be your weight, if you’re having your period, your height, your blood pressure. We saw all of that kind of information being transferred from apps directly to Facebook servers in testing that we ran over the last few months.

KELLY: Yeah, you give an example of an app that allows women to track when they’re getting their period and ovulation. They enter that in, and then it immediately gets fed straight over to Facebook.

SCHECHNER: Yeah. What we saw – and this was actually part of what set off the investigation. While we were doing the testing, I was entering information to the app, and I saw that it was immediately sending a notification that I had altered the dates of my period to Facebook.

KELLY: Your virtual period. I assume – (laughter) I’ll make a wild leap and assume here.

SCHECHNER: Sending the dates of my virtual period. I was using the app even though I don’t get one. And in addition, it would send a notification to Facebook when you entered pregnancy mode. The app would show kind of confetti on the screen. But behind the scenes, the app was informing Facebook that it was now in pregnancy status.

KELLY: Here’s the sentence from your article that stopped me cold. I’m just going to read it. (Reading) The social media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it even if the user has no connection to Facebook. Really? I mean, even if I don’t have a Facebook account, this is happening.

SCHECHNER: Yes, that is correct. And the reason is ’cause apps build in software from Facebook in order to do all kinds of things, including to track their users’ behavior. And that software sends the data back to Facebook regardless of whether or not you’re a user. In fact, the app doesn’t have any way of knowing whether you’re a user when it sends the data.

KELLY: And what does Facebook say they are doing with this data?

SCHECHNER: Facebook says that they offer services to the developers that send it. They offer analytic services so you can see how users are interacting with that app. And they allow the app developer to then target users of the app on Facebook properties with ads. It’s worth noting, however, that Facebook’s terms of service give it wide latitude to use that information for other purposes, such as targeting ads more generally, for personalizing their service, including the news feed, and for research and development.

KELLY: Does it appear based on your reporting that regulators are sitting up and paying attention?

SCHECHNER: Well, already New York Governor Andrew Cuomo has directed state agencies to look into the matter. And already since our report, at least five of the apps that we highlighted have stopped sending the information that we highlighted to Facebook. And Facebook has sent out letters to those apps and other major app developers telling them to stop sending any health-related information or other potentially sensitive information.

KELLY: Did you find yourself changing settings or deleting apps as you reported this out?

SCHECHNER: I definitely did. I advised my wife to use a different app to track her own cycle, and I certainly made sure that, you know, when I exercise, I’m using apps that didn’t in my testing turn up to be sending this specific data. Of course I am a tech reporter, not a, you know, software engineer, so the likelihood is that I’m still being tracked. And in fact when I go on my phone, I see plenty of ads for exercise apps probably from the fact that I just went running.

KELLY: Wall Street Journal reporter Sam Schechner, thanks so much.

SCHECHNER: Thanks for having me.
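The mechanism Schechner describes above (an embedded third-party SDK forwarding whatever the app hands it, whether or not the person has an account) is something an app reviewer can check for by capturing the app’s outbound traffic through a proxy and looking at what gets posted to analytics hosts. The script below is an added example and is not from the NPR interview, the WSJ reporting or any Facebook SDK: the captured requests, the `/events` and `/collect` paths, the event and field names, and the host `analytics.example-sdk.net` are all constructed for illustration (`graph.facebook.com` is Facebook’s Graph API host, but nothing here reproduces its real request format).

```python
import json
import re

# Assumption: hosts treated as third-party analytics sinks. graph.facebook.com
# is Facebook's Graph API host; the second host is made up for this example.
THIRD_PARTY_HOSTS = {"graph.facebook.com", "analytics.example-sdk.net"}

# Constructed list of key/value fragments a reviewer would treat as sensitive
# (the categories the interview mentions: cycle dates, pregnancy, weight,
# height, blood pressure).
SENSITIVE = re.compile(
    r"(period|menstrual|cycle|ovulat|pregnan|weight|height|blood_pressure)", re.I
)

# Constructed capture, one request per line as JSON. Paths, event names and
# field names are invented; they are not any SDK's real wire format.
CAPTURE = """
{"host": "api.cycle-tracker.example", "path": "/v1/sync", "body": {"user": "u1", "cycle_start": "2019-02-01", "height_cm": 170}}
{"host": "graph.facebook.com", "path": "/events", "body": {"event": "custom_app_event", "params": {"period_start": "2019-02-01", "period_end": "2019-02-05"}}}
{"host": "analytics.example-sdk.net", "path": "/collect", "body": {"event": "pregnancy_mode_enabled", "session": "abc123"}}
{"host": "graph.facebook.com", "path": "/events", "body": {"event": "app_open", "device": "ios"}}
"""


def _sensitive_paths(obj, path=""):
    """Yield dotted key paths whose key or string value looks sensitive."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE.search(key) or (isinstance(value, str) and SENSITIVE.search(value)):
                yield here
            yield from _sensitive_paths(value, here)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _sensitive_paths(value, f"{path}[{i}]")


def find_leaks(capture_text, third_party_hosts=THIRD_PARTY_HOSTS):
    """Return (host, path, key_path) for each sensitive field posted to a third party.

    Requests to the app's own backend are ignored on purpose: the question is
    what leaves the app for someone else's servers, not that the app itself
    handles the data.
    """
    findings = []
    for line in capture_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        req = json.loads(line)
        if req.get("host") not in third_party_hosts:
            continue
        for key_path in _sensitive_paths(req.get("body", {})):
            findings.append((req["host"], req["path"], key_path))
    return findings


def summarize(findings):
    """Count flagged fields per destination host."""
    counts = {}
    for host, _path, _key in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, path, key_path in find_leaks(CAPTURE):
        print(f"{host}{path}: sensitive field {key_path}")
    print(summarize(find_leaks(CAPTURE)))
```

On the constructed capture the first-party sync request is ignored, the two period dates posted to `graph.facebook.com` and the pregnancy event posted to the analytics host are flagged, and the plain `app_open` event is not. The value check matters as much as the key check: the sensitive fact is often carried in an event name rather than a field name, which is exactly the "entered pregnancy mode" case in the interview.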

620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

I always tell people that no one seems to take IT Security seriously – at least seriously enough to spend the money to establish good security. The response is always – nah, that can’t be true. Sadly, it is. And these are only an ‘example/subset’ of the ones that are reported.

Quote

Exclusive Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove’s seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens. There appears to be no payment or bank card details in the sales listings.

Who are the buyers?

These silos of purportedly purloined information are aimed at spammers and credential stuffers, which is why copies are relatively cheap to buy. The stuffers will take usernames and passwords leaked from one site to log into accounts on other websites where the users have used the same credentials.

So, for example, someone buying the purported 500px database could decode the weaker passwords in the list, because some were hashed using the obsolete MD5 algorithm, and then try to use the email address and cracked password combinations to log into, say, strangers’ Gmail or Facebook accounts, where the email address and passwords have been reused.

All of the databases are right now being touted separately by one hacker, who says he or she typically exploited security vulnerabilities within web apps to gain remote-code execution and then extract user account data. The records were swiped mostly during 2018, we’re told, and went on sale this week.

The seller, who is believed to be located outside of the US, told us the Dubsmash data has been purchased by at least one person.

Some of the websites – particularly MyHeritage, MyFitnessPal, and Animoto – were known to have been hacked as they warned their customers last year that they had been compromised, whereas the others are seemingly newly disclosed security breaches. In other words, this is the first time we’ve heard these other sites have been allegedly hacked. This also marks the first time this data, for all of the listed sites, has been peddled publicly, again if all the sellers’ claims are true.

Is this legit?

A spokesperson for MyHeritage confirmed samples from its now-for-sale database are real, and were taken from its servers in October 2017, a cyber-break-in it told the world about in 2018. ShareThis, CoffeeMeetsBagel, 8fit, 500px, DataCamp, and EyeEm also confirmed their account data was stolen from their servers and put up for sale this week in the seller’s collection. This lends further credibility to the data trove.

Last week, half a dozen of the aforementioned sites were listed on Dream Market by the seller: when we spotted them, we alerted Dubsmash, Animoto, EyeEm, 8fit, Fotolog, and 500px that their account data was potentially being touted on the dark web.

Over the weekend, the underground bazaar was mostly knocked offline, apparently by a distributed denial-of-service attack. On Monday this week, the underworld marketplace returned to full strength, and the seller added the rest of the sites. We contacted all of them to alert them, and ask for a response. Meanwhile, Dream Market has been smashed offline again.

Here’s a summary of what is, or briefly was, purported to be on sale:

Dubsmash: 161,549,210 accounts for 0.549 BTC ($1,976) total

11GB of data taken in December 2018. Each account record contains the user ID, SHA256-hashed password, username, email address, language, country, plus for some, but not all the users, the first and the last name. This alleged security breach has not been previously publicly disclosed. Dubsmash is a video-messaging application popular with millennials and younger folk.

New York City-based Dubsmash has hired law firm Lewis Brisbois to probe the online sale. Partner Simone McCormick told us:

Our office has been retained to assist Dubsmash in this matter. Thank you for your alert. We immediately launched an investigation. We plan to notify any and all individuals as appropriate. Again, thank you for bringing this to our attention.

500px: 14,870,304 accounts for 0.217 BTC ($780) total

1.5GB of data taken July 2018. Each account record contains the username, email address, MD5-, SHA512- or bcrypt-hashed password, hash salt, first and last name, and if provided, birthday, gender, and city and country. 500px is a social-networking site for photographers and folks interested in photography.

“Our engineering team is currently investigating and if we can confirm there was a breach we will take the necessary steps to inform our users as per GDPR standards,” 500px spokesperson Stephanie Newell told us.

Update: 500px staff are now notifying their users that the site was indeed hacked, and will reset everyone’s passwords, starting with the ones weakly hashed using MD5.

“We are able to confirm a breach occurred,” Newell told us. “Our engineers immediately launched a comprehensive review of our systems and have since taken every precaution to secure them. All areas of vulnerability have been identified and fixed during our internal investigation, and we’ve found no evidence to date of any recurrence of the issue.

“We are currently working on notifying our entire user base, however, given the amount of users affected, this task will span one day at minimum. We’ve taken every precaution to ensure our users’ data is safe. A system-wide password reset is currently underway for all users, prioritized in order of accounts with the highest potential risk, and we have already forced a reset of all MD5-encrypted passwords.”

In addition, 500px, which is based in Canada, said it has taken the following steps to shore up its security:

– Vetted access to our servers, databases, and other sensitive data-storage services.

– Analyzed and are continuing to monitor our source code, both public-facing and internal, to improve our security protocols and protect against security issues.

– We have partnered with leading experts in cyber security to further secure our website, mobile apps, internal systems, and security processes.

– Modifications to our internal software development process.

– Reviewing the PII [personally identifying information] data we collect from users and how it is used on our platform.

– We are continuing to upgrade our network infrastructure. Over the last 12 months, we have undertaken a major upgrade to our network infrastructure—this project is nearing completion, and will also offer a significant increase in security.

EyeEm: 22,360,765 accounts for 0.289 BTC ($1,040) total

1.7GB of data taken February 2018. Each account record contains an email address and SHA1-hashed password, although about three million are missing an email address. This security breach has not been previously publicly disclosed. Germany-based EyeEm is an online hangout for photographers. A spokesperson did not respond to a request for comment.

Update: EyeEm has told its customers it was hacked, and forced a reset of their passwords.

8fit: 20,180,667 accounts for 0.2025 BTC ($728) total

1.9GB of data taken July 2018. Each account record contains an email address, bcrypted-hashed password, country, country code, Facebook authentication token, Facebook profile picture, name, gender, and IP address. This security breach has not been previously publicly disclosed. Germany-headquartered 8fit offers customized workout and diet plans for healthy fitness types.

8fit CEO Aina Abiodun told us her team is investigating, adding: “I need to get back to you on this and can’t comment immediately.”

Update: 8fit has confessed to its users that it was hacked, and is resetting their passwords.

Fotolog: 16 million accounts for 0.52 BTC ($1,872) total

5.9GB of data taken in December 2018. There are five SQL databases containing information including email addresses, SHA256-hashed passwords, security questions and answers, full names, locations, interests, and other profile information. This alleged security breach has not been previously publicly disclosed. Fotolog, based in Spain, is another social network for photography types. A spokesperson did not respond to a request for comment.

Animoto 25,402,283 accounts for 0.318 BTC ($1,144) total

2.1GB of data taken in 2018. Each account record contains a user ID, SHA256-hashed password, password salt, email address, country, first and last name, and date of birth. This security breach was publicly disclosed by the NYC-headquartered business in 2018, though this is the first time the data has gone on sale, we understand.

“We provided notification about an incident potentially affecting customers back in August 2018 after we identified unusual activity on our system,” spokesperson Rebecca Brooks told us. “After identifying the suspicious activity, we immediately took the systems offline and implemented numerous security controls to help prevent an incident like this from happening again.”

MyHeritage 92,284,478 accounts for 0.549 BTC ($1,976) total

3.6GB of data taken October 2017. Each account record contains an email address, SHA1-hashed password and salt, plus the date of account creation. This security breach was publicly disclosed by the business last year, though this is the first time the data has gone on sale, we’re told. No DNA or similar sensitive information was taken. MyHeritage, based in Israel, is a family-tree-tracing service that studies customers’ genetic profiles.

A spokesperson told us:

The date, the number of users affected, and the type of information [in the 2018 disclosure] correspond almost exactly to [the for-sale database], so this does not look like a new breach. It seems likely that the perpetrator(s) of the October 2017 breach or someone who obtained the data from them is now trying to sell it. We will investigate this immediately and report the attempted sale to the authorities so they can try to trace the perpetrators. Until this moment, we have not seen any evidence of circulation or usage or abuse of the breached email addresses and hashed passwords, and this is the first time a mention of them has surfaced since June 4 2018.

MyFitnessPal 150,633,038 accounts for 0.289 BTC ($1,040) total

3.5GB of data taken February 2018. Each account record contains a user ID, username, email address, SHA1-hashed password with a fixed salt for the whole table, and IP address. This security breach was publicly disclosed by the business last year. This may be the first time it has gone on public sale. Under Armour-owned MyFitnessPal does what it says on the tin: it’s an app that tracks diet and exercise. A spokesperson did not respond to a request for comment.

Update: Spokesperson Erin Wendell has told us the biz made every user reset their password following the discovery of the intrusion last year. If you reused your old MyFitnessPal password with other sites, now would be a good time to change your password on those other services, if you have not done so already.

“We responded swiftly to alert users and have since required all MyFitnessPal users who had not changed their passwords since that March 29, 2018 announcement, to reset their passwords,” Wendell said.

“As a result, passwords previously used for MyFitnessPal at the time of the data security issue are no longer valid on MyFitnessPal, and we continue to encourage strong password practices including unique and complex passwords for all their accounts to enable users to further protect themselves.”

Artsy 1,070,000 accounts for 0.0289 BTC ($104) total

184MB of data taken April 2018. Each account record contains an email address, name, IP addresses, location, and SHA512-hashed password with salt. This security breach has not been previously publicly disclosed. Artsy, located in NYC, is an online home for collecting and organizing art. A spokesperson did not respond to a request for comment.

Update: Artsy has emailed its users to confirm its data was stolen and sold online. It is in the process of investigating how it happened.

Armor Games 11,013,617 accounts for 0.2749 BTC ($988) total

1.8GB of data taken late December 2018. Each account record contains a username, email address, SHA1-hashed password and salt, date of birth, gender, location, and other profile details. This alleged security breach has not been previously publicly disclosed. California-based Armor Games is a portal for a ton of browser-based games. A spokesperson did not respond to requests for comment.

Bookmate 8,026,992 accounts for 0.159 BTC ($572) total

1.7GB of data taken July 2018. Each account record typically contains a username, an email address, SHA512 or bcrypt-hashed password with salt, gender, date of birth, and other profile details. This alleged security breach has not been previously publicly disclosed. British Bookmate makes book-reading apps. A spokesperson did not respond to a request for comment.

CoffeeMeetsBagel 6,174,513 accounts for 0.13 BTC ($468) total

673MB of data taken late 2017 and mid-2018. Each account record contains typically a full name, email address, age, registration date, and gender. This security breach has not been previously publicly disclosed. CoffeeMeetsBagel is a dating website.

Jenn Takahashi, spokesperson for CoffeeMeetsBagel, told us: “We are not aware of a breach at this time, but our security team is looking into this now.” She also said the San Francisco-based biz does not store passwords, and uses third-party sites for authentication.

“We have engaged with our legal team and forensic security experts to identify any issues and ensure we have the best security stance moving forward,” Takahashi added.

Update: CoffeeMeetsBagel has confirmed at least some user account data was stolen by a hacker who broke into the biz’s systems as recently as May 2018, as we reported.

“On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details, specifically names and email addresses prior to May 2018,” the company said in a statement.

“Once we became aware, we immediately launched a comprehensive investigation with the help of experienced forensic experts. We are currently working on notifying the affected user base. The security of our users’ information is important to us, and we apologize for any inconvenience this may have caused.”

DataCamp 700,000 accounts for 0.013 BTC ($46.8) total

82MB of data taken December 2018. Each account record contains an email address, bcrypt-hashed password, location, and other profile details. This security breach has not been previously publicly disclosed. US-based DataCamp teaches people data science and programming. A spokesperson told us they are “looking into” the online sale.

“We take this matter seriously and want to further verify if this is indeed the case,” said the biz’s Lode Vanacken. “We will also investigate access and audit logs to see if we can trace back any potential unauthorised access. If indeed further investigation shows this data to be valid we will communicate with you and with the affected end-users.”

Update: Vanacken has told us DataCamp is resetting users’ passwords after confirming its data was stolen. “We have notified the users we believe were affected or potentially affected via email,” he said.

“Out of an abundance of caution, we are logging out all DataCamp users who may have been affected, and, if they use a password as their authentication method, we are invalidating their passwords and prompting them to reset their passwords.

“We continue to monitor for suspicious activity and to make enhancements to our systems to detect and prevent unauthorized access to user information.”

HauteLook 28 million accounts for 0.217 BTC ($780) total

1.5GB of data taken during 2018. Each account record contains an email address, bcrypt-hashed password, and name. This alleged security breach has not been previously publicly disclosed. HauteLook is an online store for fashion, accessories, and so on. A spokesperson for the Los Angeles-based biz did not respond to a request for comment.

ShareThis 41,028,098 accounts for 0.217 BTC ($780) total

2.7GB of data taken early July 2018. Each account record contains a name, username, email address, DES-hashed password, gender, date of birth, and other profile info. This security breach has not been previously publicly disclosed. Palo Alto-based ShareThis makes a widget for sharing links to stuff with friends. A spokesperson did not respond to a request for comment.

Update: ShareThis has written to its users, alerting them that the site was hacked, likely in July 2018, and that email addresses, password hashes, and some dates of birth were stolen and put up for sale online.

Whitepages 17,775,679 accounts for 0.434 BTC ($1560) total

2.9GB of data taken 2016. Each account record contains an email address, SHA1- or bcrypt-hashed password, and first and last name. This alleged security breach has not been previously publicly disclosed. Whitepages is a Seattle-based online telephone and address directory. A spokesperson did not respond to a request for comment.

The seller told The Register they have as many as 20 databases to dump online, while keeping some others back for private use, and that they have swiped roughly a billion accounts from servers to date since they started hacking in 2012.

Their aim is to make “life easier” for hackers, by selling fellow miscreants usernames and password hashes to break into other accounts, as well as make some money on the side, and highlight to netizens that they need to take security seriously – such as using two-factor authentication to protect against password theft. The thief also wanted to settle a score with a co-conspirator, by selling a large amount of private data online.

The hacker previously kept stolen databases private, giving them only to those who would swear to keep the data secret.

“I don’t think I am deeply evil,” the miscreant told us. “I need the money. I need the leaks to be disclosed.

“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

Updates below

This article was revised at 0430 UTC on Tuesday, February 12 to include confirmation from 500px that it was hacked, as we reported.

Also on Tuesday, EyeEm informed its users it had been hacked. We understand similar disclosures are due to land this week from ShareThis and others.

On Wednesday, February 13, DataCamp informed us it is resetting its users’ passwords after “some user data was exposed by a third party who gained criminal unauthorized access to one of our systems.”

Also on Wednesday, CoffeeMeetsBagel told us it is alerting its users to its security breach, we added a statement from MyFitnessPal, and 8fit admitted to its customers that it was hacked.

On Thursday, February 14, Artsy emailed its users to confirm its internal data was stolen and put up for sale, as reported. “On February 11, 2019, we became aware that account information for some of our users was made available on the internet,” the biz wrote. “We are still investigating the precise causes of the incident, and together with our engineering team, we are working with a leading cyber forensics firm to assist us.”

On Friday, February 15, ShareThis confirmed it was hacked, too.
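The Register piece above makes the point that what a buyer can do with these databases depends on how each site hashed its passwords: unsalted MD5 (some 500px rows) or SHA1 with one salt shared by the whole table (MyFitnessPal) can be attacked with a single pass over a wordlist that covers every user at once, while a per-user salted slow hash such as bcrypt forces separate work per account. The script below, an added example that is not from the article or from any of the sites named, shows that difference on a constructed six-row “leak”; PBKDF2 from the standard library stands in for bcrypt, and the emails, salts, passwords and the 50,000-round work factor are all made up for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample "leak" in the shape the article describes.
# Schemes: "md5" = unsalted MD5; "sha1_fixed" = SHA1 with one salt shared by
# the whole table; "pbkdf2" = per-user salt plus a slow KDF (stand-in for bcrypt).
WORDLIST = ["123456", "password", "qwerty", "letmein", "sunshine", "photo2018"]
FIXED_SALT = b"site-wide-salt"          # assumption: one salt for every row
PBKDF2_ROUNDS = 50_000                  # assumption: work factor of the slow hash


def hash_password(scheme, password, salt=b""):
    """Compute a stored hash the way each (constructed) site would have."""
    pw = password.encode()
    if scheme == "md5":
        return hashlib.md5(pw).hexdigest()
    if scheme == "sha1_fixed":
        return hashlib.sha1(salt + pw).hexdigest()
    if scheme == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS).hex()
    raise ValueError(f"unknown scheme {scheme!r}")


# (user_id, email, scheme, salt, stored_hash) -- every row is made up.
LEAK = [
    ("u1", "alice@example.com", "md5", b"", hash_password("md5", "123456")),
    ("u2", "bob@example.com", "md5", b"", hash_password("md5", "sunshine")),
    ("u3", "carol@example.com", "sha1_fixed", FIXED_SALT, hash_password("sha1_fixed", "qwerty", FIXED_SALT)),
    ("u4", "dave@example.com", "sha1_fixed", FIXED_SALT, hash_password("sha1_fixed", "letmein", FIXED_SALT)),
    ("u5", "erin@example.com", "pbkdf2", b"\x01" * 16, hash_password("pbkdf2", "password", b"\x01" * 16)),
    ("u6", "frank@example.com", "pbkdf2", b"\x02" * 16, hash_password("pbkdf2", "correct-horse-9-staple", b"\x02" * 16)),
]


def crack(records, wordlist):
    """Dictionary-attack a leak. Returns ({user_id: plaintext}, hash_operations).

    Unsalted and fixed-salt rows share one lookup table: the wordlist is hashed
    once per (scheme, salt) and every row is matched by dictionary lookup, so
    the cost grows with the wordlist, not with the number of users.  Rows with a
    per-user salt need the wordlist re-hashed for each row, and every attempt
    pays the KDF's work factor.
    """
    found, ops = {}, 0
    groups = defaultdict(list)
    for rec in records:
        groups[rec[2]].append(rec)

    # Fast schemes: one table per distinct salt (for md5 the salt is empty).
    for scheme in ("md5", "sha1_fixed"):
        by_salt = defaultdict(list)
        for rec in groups.get(scheme, []):
            by_salt[rec[3]].append(rec)
        for salt, rows in by_salt.items():
            table = {hash_password(scheme, w, salt): w for w in wordlist}
            ops += len(wordlist)
            for uid, _email, _scheme, _salt, h in rows:
                if h in table:
                    found[uid] = table[h]

    # Slow, per-user-salted scheme: no table can be shared between rows.
    for uid, _email, scheme, salt, h in groups.get("pbkdf2", []):
        for w in wordlist:
            ops += 1
            if hash_password(scheme, w, salt) == h:
                found[uid] = w
                break
    return found, ops


def stuffing_list(records, found):
    """The (email, password) pairs a credential stuffer would replay on other sites."""
    return [(email, found[uid]) for uid, email, *_ in records if uid in found]


if __name__ == "__main__":
    cracked, ops = crack(LEAK, WORDLIST)
    print(f"cracked {len(cracked)}/{len(LEAK)} rows with {ops} hash operations")
    for email, pw in stuffing_list(LEAK, cracked):
        print(f"  try elsewhere: {email} / {pw}")
```

With this data the four MD5 and fixed-salt rows fall to two table builds of six hashes each, whatever the number of users in those groups, while the two PBKDF2 rows cost up to six slow calls apiece and the one with a non-dictionary password survives. A salt that is the same for the whole table, as described for MyFitnessPal, buys nothing against this attack beyond ruling out a pre-built rainbow table; DES-based crypt (ShareThis) is also a fast function and sits in the cheap column. The pairs returned by `stuffing_list` are the product the seller is actually offering: passwords reused on other sites, which is why the article's advice to change reused passwords and turn on two-factor authentication is the right remediation for users.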