Web host Epik was warned of a critical website bug weeks before it was hacked

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms.

In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials, and employee mailboxes. The cache of stolen data also contains files from the company’s internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February.

Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.”

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had as doing so would be illegal.

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability and the server had access to other servers, databases or systems on the network, that foothold could have led to the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

Apple patches an NSO zero-day flaw affecting all devices

Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.

The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said “may have been actively exploited.”

Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, which it first detailed in August as part of an investigation into a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero day flaw — named as such since it gives companies zero days to roll out a fix — took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone. The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. The vulnerabilities also broke through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to skirt Apple’s BlastDoor protections.

In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, which was running the latest version of iOS at the time. Citizen Lab now says the same ForcedEntry exploit works on all Apple devices running the latest software.

Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

When reached, Apple declined to comment. NSO Group did not immediately comment.

Developing… More soon…

Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

According to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.


Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently withdrew from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but said the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and tout stolen data, did not have an entry for Olympus at the time of publication.

It’s not known if Olympus paid the ransom, or what amount was demanded by the ransomware group.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

Apple delays plans to roll out CSAM detection in iOS 15

Apple has delayed plans to roll out its child sexual abuse material (CSAM) detection technology that it chaotically announced last month, citing feedback from customers and policy groups.

That feedback, if you recall, has been largely negative. The Electronic Frontier Foundation said this week it had amassed more than 25,000 signatures from consumers. On top of that, close to 100 policy and rights groups, including the American Civil Liberties Union, also called on Apple to abandon plans to roll out the technology.

In a statement on Friday morning, Apple told TechCrunch:

“Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

Apple’s so-called NeuralHash technology is designed to identify known CSAM on a user’s device without having to possess the image or knowing the contents of the image. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on a user’s device, which Apple claims is more privacy-friendly than the current blanket scanning that cloud providers use.

But security experts and privacy advocates have expressed concern that the system could be abused by highly resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable.

Within a few weeks of announcing the technology, researchers said they were able to create “hash collisions” using NeuralHash, effectively tricking the system into thinking two entirely different images were the same.

iOS 15 is expected to be released in the next few weeks.


FTC bans spyware maker SpyFone, and orders it to notify hacked victims

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history, and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their devices.

In a statement, the FTC’s consumer protection chief Samuel Levine said: “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security.”

The EFF, which launched the Coalition Against Stalkerware two years ago, a coalition of companies that detects, combats and raises awareness of stalkerware, praised the FTC’s order. “With the FTC now turning its focus to this industry, victims of stalkerware can begin to find solace in the fact that regulators are beginning to take their concerns seriously,” said EFF’s Eva Galperin and Bill Budington in a blog post.

This is the FTC’s second order against a stalkerware maker. In 2019, the FTC settled with Retina-X after the company was hacked several times and eventually shut down.

Over the years, several other stalkerware makers were either hacked or inadvertently exposed their own systems, including mSpy, Mobistealth, and Flexispy. Another stalkerware maker, ClevGuard, left thousands of hacked victims’ phone data on an exposed cloud server.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.


A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give to companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not specify which claims it says are false, or say whether Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said by knowing a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.

Vishwakarma said homeowners could register a plus-tagged email address containing a long, unique string of letters and numbers, so that the address itself acts as a stand-in for a password. But there was little homeowners could do about the radio signal bug until Fortress addresses it.

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.
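To show why an unencrypted, unauthenticated fob signal can be captured and replayed, and what a rolling counter with a message authentication code changes, here is an added example in Python. It is a constructed toy model, not Fortress’ protocol or Rapid7’s code: the frame layout, fob identifier and shared key are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed toy model of a key fob talking to a base station over radio.
# Neither class is Fortress's protocol or Rapid7's code; the frame layout,
# fob identifier and key are assumptions made for this illustration.
ARM, DISARM = "arm", "disarm"


class FixedCodeFob:
    """Sends the same bytes for a given command on every press."""

    def __init__(self, fob_id: str) -> None:
        self.fob_id = fob_id

    def frame(self, command: str) -> bytes:
        return f"{self.fob_id}:{command}".encode()


class FixedCodeBase:
    """Accepts any frame that names a paired fob. Nothing proves freshness,
    so a frame captured during one legitimate press keeps working."""

    def __init__(self, fob_id: str) -> None:
        self.fob_id = fob_id

    def receive(self, frame: bytes) -> Optional[str]:
        fob_id, _, command = frame.decode().partition(":")
        if fob_id != self.fob_id or command not in (ARM, DISARM):
            return None
        return command


class RollingCodeFob:
    """Binds each press to a fresh counter value and an HMAC under a key
    that only the fob and the base station share."""

    def __init__(self, fob_id: str, key: bytes) -> None:
        self.fob_id = fob_id
        self.key = key
        self.counter = 0

    def frame(self, command: str) -> bytes:
        self.counter += 1
        body = f"{self.fob_id}:{self.counter}:{command}".encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()[:16]
        return body + b":" + tag.encode()


class RollingCodeBase:
    """Verifies the MAC, then insists the counter moved forward. A small
    window tolerates presses that happened out of radio range."""

    def __init__(self, fob_id: str, key: bytes, window: int = 16) -> None:
        self.fob_id = fob_id
        self.key = key
        self.window = window
        self.last_counter = 0

    def receive(self, frame: bytes) -> Optional[str]:
        try:
            fob_id, counter_text, command, tag = frame.decode().split(":")
            counter = int(counter_text)
        except ValueError:
            return None
        if fob_id != self.fob_id or command not in (ARM, DISARM):
            return None
        body = f"{fob_id}:{counter_text}:{command}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tag):
            return None  # forged or altered frame
        if counter <= self.last_counter or counter > self.last_counter + self.window:
            return None  # replayed, rewound, or implausibly far ahead
        self.last_counter = counter
        return command


def replay_against_fixed_code() -> tuple:
    """Capture one DISARM press and play it back: both are accepted."""
    fob, base = FixedCodeFob("fob-01"), FixedCodeBase("fob-01")
    captured = fob.frame(DISARM)        # recorded during the owner's press
    return base.receive(captured), base.receive(captured)


def replay_against_rolling_code() -> tuple:
    """Same capture-and-replay against the rolling-code pair."""
    key = os.urandom(32)
    fob, base = RollingCodeFob("fob-01", key), RollingCodeBase("fob-01", key)
    base.receive(fob.frame(ARM))          # owner arms the house
    captured = fob.frame(DISARM)          # recorded during the owner's disarm
    first = base.receive(captured)        # legitimate press: accepted
    base.receive(fob.frame(ARM))          # owner arms again, counter moves on
    return first, base.receive(captured)  # replay of the old frame: rejected


def altered_frame_rejected() -> Optional[str]:
    """Rewriting ARM to DISARM in a captured frame breaks the MAC."""
    key = os.urandom(32)
    fob, base = RollingCodeFob("fob-01", key), RollingCodeBase("fob-01", key)
    captured = fob.frame(ARM)
    return base.receive(captured.replace(b":arm:", b":disarm:"))


if __name__ == "__main__":
    print("fixed code, press then replay:", replay_against_fixed_code())
    print("rolling code, press then replay:", replay_against_rolling_code())
    print("rolling code, altered frame:", altered_frame_rejected())
```

The counter window is what lets a real base station recover from presses it never heard; without it, one out-of-range press would desynchronize the pair for good.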


A new NSO zero-click attack evades Apple’s iPhone security protections, says Citizen Lab

A Bahraini human rights activist’s iPhone was silently hacked earlier this year by powerful spyware sold to nation-states, defeating new security protections that Apple designed to withstand covert compromises, say researchers at Citizen Lab.

The activist, who remains in Bahrain and asked not to be named, is a member of the Bahrain Center for Human Rights, an award-winning nonprofit organization that promotes human rights in the Gulf state. The group continues to operate despite a ban imposed by the kingdom in 2004 following the arrest of its director for criticizing the country’s then-prime minister.

Citizen Lab, the internet watchdog based at the University of Toronto, analyzed the activist’s iPhone 12 Pro and found evidence that it was hacked starting in February using a so-called “zero-click” attack, since it does not require any user interaction to infect a victim’s device. The zero-click attack took advantage of a previously unknown security vulnerability in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone.

The hack is significant, not least because Citizen Lab researchers said they found evidence that the zero-click attack successfully exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. But the hacks also circumvent a new software security feature built into all versions of iOS 14, dubbed BlastDoor, which is supposed to prevent these kinds of device hacks by filtering malicious data sent over iMessage.

Because of its ability to circumvent BlastDoor, the researchers called this latest exploit ForcedEntry.

Citizen Lab’s Bill Marczak told TechCrunch that the researchers made Apple aware of the efforts to target and exploit up-to-date iPhones. When reached by TechCrunch, Apple would not explicitly say if it had found and fixed the vulnerability that NSO is exploiting.

In a boilerplate statement re-released Tuesday, Apple’s head of security engineering and architecture Ivan Krstic said: “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place … Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”


A spokesperson for Apple said BlastDoor was not the end of its efforts to secure iMessage and that it has strengthened its defenses in iOS 15, which is slated for release in the next month or so.

Citizen Lab said the Bahraini government was likely behind the targeting of the Bahraini human rights activist, as well as eight other Bahraini activists between June 2020 and February 2021.

Bahrain is one of several authoritarian states known to be government customers of Pegasus, including Saudi Arabia, Rwanda, the United Arab Emirates and Mexico; though, NSO has repeatedly declined to name or confirm its dozens of customers, citing nondisclosure agreements.

Five of the targeted Bahrainis’ phone numbers were found on the Pegasus Project list of 50,000 phone numbers of potential surveillance targets of the Pegasus spyware, which gives its government customers near-complete access to a target’s device, including their personal data, photos, messages and location.

One of those listed phone numbers belongs to another member of the Bahrain Center for Human Rights, which Citizen Lab said was targeted months earlier and with a different zero-click exploit, called Kismet, which predates ForcedEntry. Citizen Lab says Kismet no longer works on iOS 14 and later since BlastDoor was introduced, but still poses a risk to devices running older iPhone versions.

Two other Bahrainis, who now live in exile in London and consented to be named, also had their iPhones hacked.

Moosa Abd-Ali, a photojournalist who was previously targeted by FinFisher spyware sold to the Bahraini government, had his iPhone hacked while living in London. Citizen Lab said it has only seen the Bahraini government spy in Bahrain and in neighboring Qatar, and said it suspects that another foreign government with access to Pegasus may have been responsible for the hack. Recent reporting found the United Arab Emirates, a close ally of Bahrain, is the “principal government” for selecting phone numbers in the U.K. Abd-Ali’s phone number was also on the list of 50,000 phone numbers.

Bahraini activist Yusuf Al-Jamri also had his iPhone hacked, believed to be by the Bahraini government, some time before September 2019, though it is not known whether Al-Jamri’s iPhone was hacked while he was in Bahrain or the UAE, before he was granted asylum in the U.K. in 2017.

The seven unnamed Bahrainis continue to work in the kingdom despite a long history of human rights violations, internet censorship and widespread oppression. Reporters Without Borders ranks Bahrain’s human rights record as one of the most restrictive in the world, behind only Iran, China and North Korea. A 2020 U.S. State Department report on human rights in Bahrain cited considerable violations and abuses, and noted that the government “used computer programs to surveil political activists and members of the opposition inside and outside the country.”

When reached, NSO Group did not answer specific questions nor would it say if the Bahraini government was a customer. In a statement attributed only as an NSO spokesperson sent via its external public relations firm Mercury, NSO said that it had not seen Citizen Lab’s findings and that it would “vigorously investigate the claims and act accordingly based on the findings.”

NSO recently claimed it cut off five government customers’ access to Pegasus for human rights abuses.

Zainab Al-Nasheet, a spokesperson for the Bahraini government, told TechCrunch in a statement: “These claims are based on unfounded allegations and misguided conclusions. The government of Bahrain is committed to safeguarding the individuals’ rights and freedoms.”

Abd-Ali, who said he was arrested and tortured in Bahrain, said that he thought he would find safety in the U.K. but that he still faces not only digital surveillance but also physical attacks, as many victims of spyware do.

“Instead of protecting me, the U.K. government has stayed silent while three of their close allies — Israel, Bahrain and the UAE — conspired to invade the privacy of myself and dozens of other activists,” he said.



Google says geofence warrants make up one-quarter of all US demands

For the first time, Google has published the number of geofence warrants it’s historically received from U.S. authorities, providing a rare glimpse into how frequently these controversial warrants are issued.

The figures, published Thursday, reveal that Google has received thousands of geofence warrants each quarter since 2018, and at times accounted for about one-quarter of all U.S. warrants that Google receives. The data shows that the vast majority of geofence warrants are obtained by local and state authorities, with federal law enforcement accounting for just 4% of all geofence warrants served on the technology giant.

According to the data, Google received 982 geofence warrants in 2018, 8,396 in 2019, and 11,554 in 2020. But the figures only provide a small glimpse into the volume of warrants received, and Google did not break down how often it pushes back on overly broad requests. A spokesperson for Google would not comment on the record.

Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project (STOP), which led efforts by dozens of civil rights groups to lobby for the release of these numbers, commended Google for releasing the numbers.

“Geofence warrants are unconstitutionally broad and invasive, and we look forward to the day they are outlawed completely,” said Cahn.

Geofence warrants are also known as “reverse-location” warrants, since they seek to identify people of interest who were in the near-vicinity at the time a crime was committed. Police do this by asking a court to order Google, which stores vast amounts of location data to drive its advertising business, to turn over details of who was in a geographic area, such as a radius of a few hundred feet at a certain point in time, to help identify potential suspects.

Google has long shied away from providing these figures, in part because geofence warrants are largely thought to be unique to Google. Law enforcement has long known that Google stores vast troves of location data on its users in a database called Sensorvault, first revealed by The New York Times in 2019.

Sensorvault is said to hold detailed location data on “at least hundreds of millions of devices worldwide,” collected from users’ phones when they use an Android device with location data switched on, or Google services like Google Maps and Google Photos, and even Google search results. In 2018, the Associated Press reported that Google could still collect users’ locations even when their location history is “paused.”

But critics have argued that geofence warrants are unconstitutional because the authorities compel Google to turn over data on everyone else who was in the same geographic area.

Worse, these warrants have been known to ensnare entirely innocent people.

TechCrunch reported earlier this year that Minneapolis police used a geofence warrant to identify individuals accused of sparking violence in the wake of the police killing of George Floyd last year. One person on the ground who was filming and documenting the protests had his location data requested by police for being close to the violence. NBC News reported last year on a Gainesville, Fla. resident whose information was given by Google to police investigating a burglary; he was able to prove his innocence thanks to an app on his phone that tracked his fitness activity.

Although the courts have yet to deliberate widely on the legality of geofence warrants, some states are drafting laws to push back against geofence warrants. New York lawmakers proposed a bill last year that would ban geofence warrants in the state, amid fears that police could use these warrants to target protesters — as what happened in Minneapolis.

Cahn, who helped introduce the New York bill last year, said the newly released data will “help spur lawmakers to outlaw the technology.”

“Let’s be clear, the number of geofence warrants should be zero,” he said.

Apple’s CSAM detection tech is under fire — again

Apple has encountered monumental backlash to a new child sexual abuse imagery (CSAM) detection technology it announced earlier this month. The system, which Apple calls NeuralHash, has yet to be activated for its billion-plus users, but the technology is already facing heat from security researchers who say the algorithm is producing flawed results.

NeuralHash is designed to identify known CSAM on a user’s device without having to possess the image or knowing the contents of the image. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on a user’s device, which Apple claims is more privacy-friendly as it limits the scanning to just photos, whereas other companies scan all of a user’s files.

Apple does this by looking for images on a user’s device that have the same hash — a string of letters and numbers that can uniquely identify an image — that are provided by child protection organizations like NCMEC. If NeuralHash finds 30 or more matching hashes, the images are flagged to Apple for a manual review before the account owner is reported to law enforcement. Apple says the chance of a false positive is about one in one trillion accounts.

But security experts and privacy advocates have expressed concern that the system could be abused by highly-resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable. NCMEC called critics the “screeching voices of the minority,” according to a leaked memo distributed internally to Apple staff.

Last night, Asuhariet Ygvar reverse-engineered Apple’s NeuralHash into a Python script and published code to GitHub, allowing anyone to test the technology regardless of whether they have an Apple device to test. In a Reddit post, Ygvar said NeuralHash “already exists” in iOS 14.3 as obfuscated code, but was able to reconstruct the technology to help other security researchers understand the algorithm better before it’s rolled out to iOS and macOS devices later this year.

It didn’t take long before others tinkered with the published code and soon came the first reported case of a “hash collision,” which in NeuralHash’s case is where two entirely different images produce the same hash. Cory Cornelius, a well-known research scientist at Intel Labs, discovered the hash collision. Ygvar confirmed the collision a short time later.

Hash collisions can be a death knell to systems that rely on cryptography to keep them secure, such as encryption. Over the years several well-known password hashing algorithms, like MD5 and SHA-1, were retired after collision attacks rendered them ineffective.

Kenneth White, a cryptography expert and founder of the Open Crypto Audit Project, said in a tweet: “I think some people aren’t grasping that the time between the iOS NeuralHash code being found and [the] first collision was not months or days, but a couple of hours.”

When reached, an Apple spokesperson declined to comment on the record. But in a background call where reporters were not allowed to quote executives directly or by name, Apple downplayed the hash collision and argued that the protections it puts in place — such as a manual review of photos before they are reported to law enforcement — are designed to prevent abuses. Apple also said that the version of NeuralHash that was reverse-engineered is a generic version, and not the complete version that will roll out later this year.

It’s not just civil liberties groups and security experts that are expressing concern about the technology. A senior lawmaker in the German parliament sent a letter to Apple chief executive Tim Cook this week saying that the company is walking down a “dangerous path” and urged Apple not to implement the system.

T-Mobile says at least 47M current and former customers affected by hack

T-Mobile has confirmed that millions of current and former customers had their information stolen in a data breach, following reports of a hack over the weekend.

In a statement, T-Mobile, which has more than 100 million customers, said its preliminary analysis shows 7.8 million current postpaid T-Mobile customers had information taken in the data breach. The carrier said that some personal data on current and former postpaid customers was also taken, including customer names, dates of birth, Social Security numbers, and driver’s license information for a “subset” of current and former postpaid customers and prospective T-Mobile customers.

The company also said that 40 million records of former and prospective customers were taken, but that “no phone numbers, account numbers, PINs, passwords, or financial information were compromised.”

But the company warned that approximately 850,000 active T-Mobile customer names, phone numbers, and account PINs were in fact compromised. T-Mobile said it has reset those customers’ PINs, and that it was “recommending all postpaid customers” proactively change their account PIN, which protects their accounts from SIM-swapping attacks.

Vice reported this weekend that T-Mobile was investigating a possible hack after a seller on a known criminal forum claimed to be in possession of millions of records. The seller told Vice that they had 100 million records on T-Mobile customers, which included customer account names, phone numbers, and the IMEI numbers of phones on the account.

T-Mobile warned that there could be more fallout to come, noting that it confirmed there was “some additional information from inactive prepaid accounts accessed through prepaid billing files,” but did not say what, only that it was not financial information.

This is the fifth time that T-Mobile was hacked in recent years, following incidents as recently as January and other incidents dating back to 2018.