Marriott says 500 million Starwood guest records stolen in massive data breach

Starwood Hotels has confirmed its hotel guest database of about 500 million customers has been stolen in a data breach.

The hotel and resorts giant said in a statement filed with U.S. regulators that the “unauthorized access” to its guest database was detected on or before September 10 — but may have dated back as far as 2014.

“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” said the statement. “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”

Specific details of the breach remain unknown. We’ve contacted Starwood for more and will update when we hear back.

The company said that it obtained and decrypted the database on November 19 and “determined that the contents were from the Starwood guest reservation database.”

Some 327 million records contained a guest’s name, postal address, phone number, date of birth, gender, email address, passport number, Starwood’s rewards information (including points and balance), arrival and departure information, reservation date, and their communication preferences.

Starwood said an unknown number of records contained encrypted credit card data, but has “not been able to rule out” that the components needed to decrypt the data were also taken.

“Marriott reported this incident to law enforcement and continues to support their investigation,” said the statement.

Marriott-owned Starwood is the largest hotel chain in the world, with more than 11 brands covering 1,200 properties, including W Hotels, St. Regis, Sheraton, Westin, Element and more. Starwood-branded timeshare properties are also included.

The company said that its Marriott hotels are not believed to be affected as its reservation system is “on a different network,” following Marriott’s acquisition of Starwood in 2016.

The company has begun informing customers of the breach — including in the U.S., Canada, and the U.K.

Given that the breach falls under the Europe-wide GDPR rules, Starwood may face significant financial penalties of up to four percent of its global annual revenue if found to be in breach of the rules.

A leaky database of SMS text messages exposed password resets and two-factor codes

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find.

Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

An example of one text message containing a user’s phone number and their Microsoft account reset code. (Image: TechCrunch)

Most don’t think about what happens behind the scenes when you get a text message from a company, whether it’s an Amazon shipping notification or a two-factor code for your login. Often, app developers — like HQ Trivia and Viber — will employ technologies provided by firms like Telesign and Nexmo, either to verify a user’s phone number or to send a two-factor authentication code, for example. But it’s firms like Voxox that act as a gateway, converting those codes into text messages to be passed on to the cell networks for delivery to the user’s phone.

After an inquiry by TechCrunch, Voxox pulled the database offline. At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher.

Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.

Among our findings from a cursory review of the data:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

“Yeah, this is very bad,” said Dylan Katz, a security researcher, who reviewed some of the findings.

The exposure of personal information and phone numbers notwithstanding, the ability to access two-factor codes in near-real-time could have put countless accounts at risk of hijack. In some cases, websites will only require a phone number to reset an account. With access to the text message through the exposed database, hijacking an account could take seconds.

“My real concern here is the potential that this has already been abused,” said Katz. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, said in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”

Many companies, including Facebook, Twitter and Instagram, have rolled out app-based two-factor authentication in place of SMS-based verification, which has long been seen as vulnerable to interception.

If ever there was an example, this latest exposure would serve well.

Facebook bug let websites read ‘likes’ and interests from a user’s profile

Facebook has fixed a bug that let any website pull information from a user’s profile — including their ‘likes’ and interests — without that user’s knowledge.

Those are the findings of Ron Masas, a security researcher at Imperva, who found that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks. In other words, a website could quietly siphon off certain bits of data from your logged-in Facebook profile in another tab.

Masas demonstrated how a website acting in bad faith could embed an IFRAME — used to nest a webpage within a webpage — to silently collect profile information.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.

The malicious website could open several Facebook search queries in a new tab, and run queries that could return “yes” or “no” responses — such as if a Facebook user likes a page, for example. Masas said that the search queries could return more complex results — such as returning all a user’s friends with a particular name, a user’s posts with certain keywords, and even more personal demographics — such as all of a person’s friends with a certain religion in a named city.

“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” he said.

A snippet from a proof-of-concept built by Masas to show him exploiting the bug. (Image: Imperva/supplied)

In fairness, it’s not a problem unique to Facebook nor is it particularly covert. But given the kind of data available, Masas said this kind of data would be “attractive” to ad companies.

Imperva privately disclosed the bug in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties.
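To illustrate the class of protection the article refers to, here is an added example (not Facebook’s or Imperva’s code) of a server-side guard for a search endpoint that returns per-user results: it refuses to serve logged-in results to cross-site or framed requests and requires a CSRF token, and it emits response headers that block embedding. The site origin, header names beyond the standard Fetch Metadata, Origin and Referer headers, and the cookie layout are assumptions.

```javascript
// Added example, not code from the article or the companies it describes.
// Assumption: requests arrive as a plain header map (as in Node.js `req.headers`).
const SITE_ORIGIN = "https://example-social.test"; // assumed placeholder origin

// Parse a Cookie header into a map (simplified: assumes no quoted values).
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Decide whether a search request may be answered with the logged-in user's
// results. Returns { allow, reason } so the caller can log the reason.
function checkSearchRequest(headers, expectedCsrfToken) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  const cookies = parseCookies(h["cookie"]);

  // No session cookie: only anonymous results are possible, nothing private to leak.
  if (!cookies.session) return { allow: false, reason: "no-session" };

  // Fetch Metadata: a request initiated by another site (including a page that
  // frames us) carries Sec-Fetch-Site: cross-site. Reject it before doing any work.
  const fetchSite = h["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "none") {
    return { allow: false, reason: "cross-site-fetch" };
  }
  // Sec-Fetch-Dest: iframe means the response would render inside an embedding page.
  if (h["sec-fetch-dest"] === "iframe") return { allow: false, reason: "framed" };

  // Browsers without Fetch Metadata: fall back to an Origin / Referer origin check.
  const origin = h["origin"] || (h["referer"] ? new URL(h["referer"]).origin : null);
  if (origin && origin !== SITE_ORIGIN) return { allow: false, reason: "bad-origin" };

  // A CSRF token bound to the session must be present and match (constant-time
  // comparison omitted for brevity; use crypto.timingSafeEqual in production).
  if (h["x-csrf-token"] !== expectedCsrfToken) return { allow: false, reason: "csrf-token" };

  return { allow: true, reason: "ok" };
}

// Response headers that stop the endpoint being embedded cross-origin and keep
// the session cookie off cross-site subresource loads (SameSite=Lax).
function hardenedResponseHeaders(sessionId) {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cache-Control": "no-store",
    "Set-Cookie": `session=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`,
  };
}
```

The Fetch Metadata check is the decisive one in current browsers; the Origin/Referer fallback and the CSRF token cover older clients and same-site pages that should still not be able to drive authenticated searches.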

Facebook told TechCrunch that the company hasn’t seen any abuse.

“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

It’s the latest in a string of data exposures and bugs that have put Facebook user data at risk after the Cambridge Analytica scandal this year, which saw a political data firm vacuum up profiles on 87 million users to use for election profiling — including users’ likes and interests.

Months later, the social media giant admitted millions of user account tokens had been stolen by hackers who exploited a chain of bugs.

Twitter, those ‘verified’ bitcoin-pushing pillocks are pissing everyone off

Elon Musk’s tweets piss me off for two reasons.

When he’s not accusing actual heroes of sex crimes or trolling the federal government, it’s what comes after that drives me batshit. The top reply to most of his tweets is some asshat impersonating him to try to trick his followers into falling for a bitcoin scam.

These “get rich quick” scams are fairly simple. A hacker hijacks a verified Twitter account using stolen or leaked passwords. Then, the hacker swaps the account’s name, bio and photo — almost always to mirror Elon Musk — and drops a reply with “here’s where to send your bitcoin,” or something similar.

The end result appears as though Musk is responding to his own tweet, and nudging hapless bitcoin owners to drop their coins into the scammer’s coffers.

One of the latest “victims” was @FarahMenswear. The clothing retailer — with some 15,500 followers — was hacked this morning to promote a “bitcoin giveaway.” In the short time the scam began, the bitcoin address already had more than 100 transactions and over 5.84 bitcoins — that’s $37,000 in just a few hours’ work. Many Twitter users said that the scammers “promoted” the tweet — amplifying the scam to reach many more people.

On one hand, this scam is so depressingly easy to pull off that even I could’ve done it. Depressing on the other, because that’s half a year’s wages for the average reporter.

Still, that $37,000 is a drop in the ocean to some of the other successful scam artists out there. One scammer last week, this time using @PantheonBooks, made $180,000 in a single day by tricking people into turning over their bitcoin and promising great returns.

Another day, another Elon Musk-themed bitcoin scam. (Image: screenshot)

Why is the scam so easy?

Granted, it’s clever. But it’s a widespread problem that can be largely attributed to Twitter’s nonchalant, “laissez-faire” approach to account security.

The common thread to all of these cryptocurrency scams is account hijacking. Often, hackers use credential stuffing — that’s using the same passwords stolen from other breaches on other sites and services — to break into Twitter accounts. In nearly all successful cases, the hacked Twitter accounts aren’t protected with two-factor authentication. Brand accounts shared by multiple social media users almost never use two-factor, because it’s hard to share access tokens.

For its part, a Twitter spokesperson said it’s improved how it handles cryptocurrency scams and has seen a significant reduction in the number of users who see scammy tweets. The company also said that scammers are constantly changing their methods and Twitter is trying to stay one step ahead. In many cases, these scams are nuked from the site before they’re even reported.

And, Twitter said it regularly reminds account owners to switch on stronger security settings, like two-factor authentication.

Well, enough’s enough, Twitter. You can lead a horse to water but you can’t make it drink. So maybe it’s about time you bring the water a little closer.

Until something better comes along, Twitter should make two-factor authentication mandatory for verified accounts, especially high-profile accounts — like politicians. It’s no more of an inconvenience than switching on two-factor for your email inbox or other social networking account. The settings are already there — it even rolled out the more secure app-based authentication a year ago to give users the option of switching from the less-secure text message system.

If the only other option is to stop Elon Musk from tweeting…

Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms

Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.

The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems.

CMS didn’t say how the attackers gained access to the accounts, but said it shut off the affected accounts “immediately.”

In a letter sent to affected customers this week (and buried on the Healthcare.gov website), CMS disclosed that sensitive personal data — including partial Social Security numbers, immigration status and some tax information — may have been taken.

According to the letter, the data included:

  • Name, date of birth, address, sex, and the last four digits of the Social Security number (SSN), if SSN was provided on the application;
  • Other information provided on the application, including expected income, tax filing status, family relationships, whether the applicant is a citizen or an immigrant, immigration document types and numbers, employer name, whether the applicant was pregnant, and whether the applicant already had health insurance;
  • Information provided by other federal agencies and data sources to confirm the information provided on the application, and whether the Marketplace asked the applicant for documents or explanations;
  • The results of the application, including whether the applicant was eligible to enroll in a qualified health plan (QHP), and if eligible, the tax credit amount; and
  • If the applicant enrolled, the name of the insurance plan, the premium, and dates of coverage.

But the government said that no bank account information — including credit card numbers, or diagnostic and treatment information — was taken.

“Breaches that include personally identifiable information are always dangerous because they can lead to identity theft,” said Andrew Blaich, head of Device Intelligence at Lookout. “Not only can the attacker steal the identity of anyone in the breach, but they can also use this information to appear credible when crafting mobile spear-phishing messages against their targets.”

“This is especially true if the data that was leaked is accurate, as health information, family relationships and insurance information can make it extremely easy for an attacker to steal the identity of anyone affected by the breach,” he said.

President Obama’s healthcare law, the Affordable Care Act — known as “Obamacare” — allows Americans to obtain health insurance if they are not already covered. In order to sign up for healthcare plans, customers have to submit sensitive data. Some 11.8 million people signed up for coverage for 2018.

CMS previously said that the breach affected 75,000 individuals, but a person familiar with the investigation said that the number is expected to change. The stolen files also included data on children.

A spokesperson said CMS is expected to give an update early next week at the latest.

Healthcare.gov’s enrollment period is set to close on December 15.

Utah man pleads guilty to causing 2013 gaming service outages

A Utah man has pleaded guilty to computer hacking charges, after admitting to knocking several gaming services offline five years ago.

Austin Thompson, 23, launched several denial-of-service attacks against EA’s Origin, Sony PlayStation and Valve’s Steam gaming services during the December holiday season in 2013.

At the time, those denial-of-service attacks made it near-impossible for some gamers to play — many of whom had bought new consoles or games in the run-up to Christmas, including League of Legends and Dota 2, because they required access to the network.

Specifics of Thompson’s plea deal were not publicly available at the time of writing, but prosecutors said Thompson — aged 18 at the time of the attacks — flooded the gaming giants’ networks “with enough internet traffic to take them offline.”

Thompson would take to his Twitter account, @DerpTrolling, to announce his targets ahead of time, and posted screenshots of downed services in the aftermath of his attacks. Thompson’s attacks caused upwards of $95,000 in damages, prosecutors said.

“The attacks took down game servers and related computers around the world, often for hours at a time,” said Adam Braverman, district attorney for Southern California, in a statement.

“Denial-of-service attacks cost businesses millions of dollars annually,” said Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”

Thompson faces up to 10 years in prison and is scheduled to be sentenced in March.

Two hackers behind 2016 Uber data breach have been indicted for another hack

Two hackers who stole millions of users’ data from ride-hailing firm Uber have been indicted on separate hacking charges related to a data breach at online learning portal Lynda, two people familiar with the case have told TechCrunch.

Vasile Mereacre, a Canadian citizen living in Toronto, and Brandon Glover, a Florida resident, were indicted earlier this month in Florida on federal hacking and extortion charges for stealing data on 55,000 Lynda users’ accounts.

According to the recently unsealed indictment, the FBI was considering extraditing Mereacre from Canada, but federal agents later learned that he was planning to fly to Miami on October 16. Mereacre was arrested by FBI agents once he landed, and made his initial appearance in court — at which the indictment was unsealed.

The indictment accuses the two alleged hackers of obtaining tens of thousands of Lynda user accounts from a company-owned Amazon web server. Prosecutors accused the two of “exerting control over the accounts as a means to obtain money from LinkedIn.” Using a burner Protonmail email account, the two emailed LinkedIn and HackerOne, a bug bounty program used by Lynda, to disclose the breach.

“I was able to access backups upon backups,” one of the defendants wrote in their email. They also claimed to have usernames, passwords, payment data and backend code.

When an unnamed LinkedIn executive emailed back inviting the alleged hackers to its HackerOne bug bounty program, they said to “keep in mind, we expect a big payment as this was hard work for us.”

The two were released on a bond, and on condition that they are not permitted to use the internet. The case is now being heard in a California court.

The accusations are nearly identical to the circumstances around Uber’s breach, just months earlier.

Uber disclosed the breach of 57 million worldwide users — including 4.1 million drivers — almost a year later. The company was accused of covering up the breach, after two former senior Uber executives — since fired — paid the two hackers $100,000 through its bug bounty to destroy the data that they obtained but without notifying customers or regulators.

Little was known about the hackers until Uber’s chief information security officer John Flynn told lawmakers at a Senate Commerce Committee hearing in February that the two hackers were from Florida and Canada.

Uber declined to comment.

The hackers gained access to an Amazon web server, owned by Uber, using credentials that were mistakenly left in a GitHub repository by an Uber engineer. According to an investigation by the Federal Trade Commission, the hackers downloaded more than a dozen files — including a backup file — containing Uber customer data. It’s not known what was said in the disclosure to Uber, but the FTC claimed the hackers were “demanding” a six-figure payout.

The breach was one of several scandals to plague the ridesharing company and contributed to the eventual departure of founder Travis Kalanick from the company.

Since the breach, Uber agreed to 20 years of privacy audits in a settlement with the FTC. The company was later ordered to pay $148 million in its breach settlement.

A spokesperson for the Justice Department did not respond to a request for comment, nor did Glover’s public defender Michael Ryan. Mereacre’s attorney, Christopher Lyons, declined to comment. HackerOne did not comment.

LinkedIn spokesperson Mary-Katharine Juric said: “We appreciate the ongoing work by the FBI to pursue those believed responsible for the 2016 breach of Lynda user information. We will continue to engage with law enforcement as this case develops.”

Parts of Glover’s docket appear to have been withheld. Mereacre will appear in court on November 8.

Saudi Arabia’s ‘Davos in the Desert’ website was hacked and defaced

The website of the Saudi government’s upcoming Future Investment Initiative conference was hacked and defaced with images of the murdered Saudi journalist Jamal Khashoggi.

Several reporters tweeted screenshots of the site after its defacement, purporting to show Saudi crown prince Mohammed bin Salman — the kingdom’s de facto ruler — brandishing a sword. A portion of text on the site was replaced with text accusing the kingdom of “barbaric and inhuman action,” referring not only to the death of Khashoggi but also the government’s involvement in the ongoing offensive in Yemen.

Names and phone numbers of several Saudi individuals were also uploaded to the site’s homepage, including government employees and senior staff in state-backed companies.

The site was pulled offline shortly after the defacement on Monday.

Nobody has yet publicly declared responsibility for the defacement. It comes days after the Saudi regime admitted that Khashoggi was “murdered” in its consulate in Istanbul, more than two weeks after The Washington Post columnist walked in to obtain marriage license papers. Saudi officials claimed he died following a “fist fight,” which Western nations decried as nonsensical. Leaked audio, believed to have been leaked by the Turkish government, claims the journalist was beaten, killed and dismembered.

Britain, France and Germany issued a statement demanding clarity and an explanation for his still missing body. Turkey is expected to reveal more about the killing Tuesday.

The Future Investment Initiative — also known as “Davos in the Desert” after the original Switzerland-based investment conference — is set for later this week. Saudi Arabia invests billions in U.S. tech companies, but the conference has seen dozens of well-known investors, tech companies and business leaders pull out of the conference after the journalist’s murder.

Hackers breach Healthcare.gov system, taking files on 75,000 people

A government system used by insurance agents and brokers to help customers sign up for healthcare plans was breached, allowing hackers to siphon off sensitive and personal data on 75,000 people.

The Centers for Medicare and Medicaid Services confirmed the breach in a late Friday announcement, but revealed few details about the contents of the files stolen.

The hacked system was connected to the Healthcare.gov website, the front-facing portal for anyone signing up for an insurance plan under former President Obama’s healthcare law, the Affordable Care Act. Hackers targeted the behind-the-scenes system that insurance agents used to help customers directly enroll in new plans, and not the consumer Healthcare.gov site itself. 

In order to sign up for healthcare plans, customers have to give over a ton of personal data — including names, addresses, and their Social Security number. CMS didn’t say exactly what kind of data was included in the stolen files, nor did it say how the breach happened.

Spokesperson Jonathan Monroe didn’t respond to a request for comment.

CMS said that the Healthcare.gov website was unaffected. Open enrollment in new healthcare plans — set for November 1 — will be unaffected, the statement said. Officials are “working to identify the individuals potentially impacted as quickly as possible so that we can notify them and provide resources such as credit protection.”

Buggy software in popular connected storage drives can let hackers read private data

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.

The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — NetGear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies — including PHP — to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as “root” — the built-in user account with the highest level of access — making the data on the device vulnerable to prying eyes or destruction.

We contacted Axentra for comment on Thursday but did not hear back by the time of writing.

A Netgear spokesperson said that the Stora is “no longer a supported product… because it has been discontinued and is an end of life product.” Seagate did not comment by our deadline, but we’ll update if that changes. Lenovo, which now owns Medion, did not respond to a request for comment.

The researchers also reported a separate bug affecting WD My Book Live drives, which can allow an attacker to remotely gain root access.

A spokesperson for WD said that the vulnerability report affects devices originally introduced in 2010 and discontinued in 2014, and “no longer covered under our device software support lifecycle.” WD added: “We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

In all four vulnerabilities, the researchers said that an attacker only needs to know the IP address of an affected drive. That isn’t so difficult in this day and age, thanks to sites like Shodan, a search engine for publicly available devices and databases, and similar search and indexing services.

Depending on where you look, the number of affected devices varies. Shodan puts the number at 311,705, but ZoomEye puts the figure at closer to 1.8 million devices.

Although the researchers described the bugs in moderate detail, they said they have no plans to release any exploit code, to prevent attackers from taking advantage of the flaws.

Their advice: If you’re running a cloud drive, “make sure to remove your device from the internet.”