Daily Crunch: Florida teen arrested in Twitter hack

Three arrests are made following this month’s celebrity Twitter hack, Microsoft may be working to acquire TikTok’s U.S. business and Facebook launches licensed music videos. Here’s your Daily Crunch for July 31, 2020.

The big story: Florida teen arrested in Twitter hack

In a hack earlier this month, high-profile Twitter accounts like Apple, Elon Musk, Barack Obama and Joe Biden were compromised and posted messages promoting a cryptocurrency scheme. Now an investigation by the FBI and Department of Justice has resulted in three arrests: Mason Sheppard of the United Kingdom, Nima Fazeli of Orlando and a 17-year-old Tampa resident.

The Tampa teen was described by the state attorney’s office as the hack’s “mastermind” and is facing 30 felony charges. He allegedly made more than $100,000 in a single day thanks to the hack.

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” said Hillsborough State Attorney Andrew Warren in a statement.

The tech giants

Report: Microsoft in talks to buy TikTok’s US business from China’s ByteDance — President Trump has plans to order China’s ByteDance, the owner of hit social video app TikTok, to divest from the company, according to Bloomberg.

Secret documents from US antitrust probe reveal big tech’s plot to control or crush the competition — We’ve collected the nearly 500 pages of evidence made public during the House Judiciary’s marathon hearing, with added context, in a searchable version.

Facebook will launch officially licensed music videos in the US starting this weekend — The U.S. launch is enabled by Facebook’s expanded partnerships with top labels, including Sony Music, Universal Music Group, Warner Music Group, Merlin, BMG, Kobalt and other independents.

Startups, funding and venture capital

Genomics startup Helix receives $33 million in NIH funding to scale COVID-19 testing — The funding will be used to support Helix’s efforts to scale its COVID-19 testing efforts, with the aim of achieving a rate of 100,000 tests per day by this fall.

Self-driving startup Argo AI hits $7.5 billion valuation — The valuation was confirmed Thursday, nearly two months after VW Group finalized its $2.6 billion investment in Argo AI.

The iron rule of founder compensation is dead — The latest episode of Equity discusses Y Combinator Demo Day going both virtual and live.

Advice and analysis from Extra Crunch

Working to understand Affirm’s reported IPO pricing hopes — News broke last night that Affirm, a well-known fintech unicorn, could approach the public markets at a valuation of $5 to $10 billion.

Opportunities (and challenges) in church tech — Investor Will Robbins argues that this might be the perfect time for church tech companies to thrive.

Everything else

Ford Bronco reservations surpass 150,000 — The reception to Bronco 2021 — Ford’s flagship series of 4×4 vehicles that was revealed earlier this month — surpassed the company’s most optimistic initial projections, Ford’s CEO said in an earnings call.

What does accountability look like in 2020? — Rae Witte discusses what happens after a company gets called out.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.

Florida teen accused of being ‘mastermind’ behind celebrity Twitter hack

Hillsborough State Attorney Andrew Warren announced today that he has filed 30 felony charges against a 17-year-old resident of Tampa, Florida, who was described by Warren’s office as “the mastermind of the recent hack of Twitter.”

The hack in question occurred earlier this month and involved high-profile Twitter users like Apple, Elon Musk, Joe Biden and Barack Obama, whose accounts all posted messages promoting a Bitcoin wallet and claiming, “All Bitcoin sent to the address below will be sent back doubled!”

The teen (we’re not identifying them because they’re a minor) allegedly made more than $100,000 through this cryptocurrency scam.

The state attorney’s office said that the teen was arrested earlier today after an investigation by the Federal Bureau of Investigation and the U.S. Department of Justice, and that they will be tried as an adult. They face charges including one count of organized fraud (over $50,000) and 17 counts of communications fraud (over $300).

“These crimes were perpetrated using the names of famous people and celebrities, but they’re not the primary victims here,” Warren said in a statement. “This ‘Bit-Con’ was designed to steal money from regular Americans from all over the country, including here in Florida. This massive fraud was orchestrated right here in our backyard, and we will not stand for that.”

As we reported at the time, the hack used Twitter’s own internal administrative tool to gain access to high-profile accounts. In a tweet, the company said, “We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses. For our part, we are focused on being transparent and providing updates regularly.”

Earlier today, Twitter updated its blog post outlining what it knows about the attack:

The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.

To prevent a similar attack from succeeding in the future, Twitter said it will be “accelerating several of our pre-existing security workstreams and improvements to our tools” and also improving the methods it uses to detect and stop inappropriate access to its internal systems.

Update: In an announcement of its own, the Justice Department said three people were actually charged for their alleged roles in the hack — not just the teen in Tampa, but also 19-year-old Mason Sheppard, a.k.a. “Chaewon,” of the United Kingdom (accused of conspiracy to commit wire fraud, conspiracy to commit money laundering and the intentional access of a protected computer) and 22-year-old Nima Fazeli, a.k.a. “Rolex,” of Orlando, Florida (accused of aiding and abetting the intentional access of a protected computer), who are both facing charges in the Northern District of California.

“There is a false belief within the criminal hacker community that attacks like the Twitter hack can be perpetrated anonymously and without consequence,” said U.S. Attorney David L. Anderson in a statement. “Today’s charging announcement demonstrates that the elation of nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders, break the law, and we will find you.”

Twitter says ‘phone spear phishing attack’ used to gain network access in crypto scam breach

Twitter has revealed a little more detail about the security breach it suffered earlier this month when a number of high profile accounts were hacked to spread a cryptocurrency scam — writing in a blog post that a “phone spear phishing attack” was used to target a small number of its employees.

Once the attackers had successfully gained network credentials via this social engineering technique, they were in a position to gather enough information about its internal systems and processes to target other employees who had access to account support tools, which enabled them to take control of verified accounts, per Twitter’s update on the incident.

“A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools,” it writes.

“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter adds, dubbing the incident “a striking reminder of how important each person on our team is in protecting our service”.

It now says the attackers used the stolen credentials to target 130 Twitter accounts — going on to tweet from 45; access the DM inbox of 36; and download the Twitter data of 7 (previously it reported 8, so perhaps one attempted download did not complete). All affected account holders have been contacted directly by Twitter at this point, per its blog post.

Notably, the company has still not disclosed how many employees or contractors had access to its account support tools. The greater that number, the larger the attack surface that could be targeted by the hackers.

Last week Reuters reported that more than 1,000 people at Twitter had access, including a number of contractors. Two former Twitter employees told the news agency such a broad level of access made it difficult for the company to defend against this type of attack. Twitter declined to comment on the report.

Its update now acknowledges “concern” around levels of employee access to its tools but offers little additional detail — saying only that it has teams “around the world” helping with account support.

It also claims access to account management tools is “strictly limited”, and “only granted for valid business reasons”. Yet later in the blog post Twitter notes it has “significantly” limited access to the tools since the attack, lending credence to the criticism that far too many people at Twitter were given access prior to the breach.

Twitter’s post also provides very limited detail about the specific technique the attackers used to successfully social engineer some of its workers and then be in a position to target an unknown number of other staff who had access to the key tools. Although it says the investigation into the attack is ongoing, which may be a factor in how much detail it feels able to share. (The blog notes it will continue to provide “updates” as the process continues.)

As for what phone spear phishing means in this specific case, it’s not clear what particular technique was successfully able to penetrate Twitter’s defences. Spear phishing generally refers to an individually tailored social engineering attack, with the added component here of phones being involved in the targeting.

One security commentator we contacted suggested a number of possibilities.

“Twitter’s latest update on the incident remains frustratingly opaque on details,” said UK-based Graham Cluley. “‘Phone spear phishing’ could mean a variety of things. One possibility, for instance, is that targeted employees received a message on their phones which appeared to be from Twitter’s support team, and asked them to call a number. Calling the number might have taken them to a convincing (but fake) helpdesk operator who might be able to trick users out of credentials. The employee, thinking they’re speaking to a legitimate support person, might reveal much more on the phone than they would via email or a phishing website.”

“Without more detail from Twitter it’s hard to give definitive advice, but if something like that happened then telling workers the genuine support number to call if they ever need to — rather than relying on a message they receive on the phone — can reduce the likelihood of people being duped,” Cluley added.

“Equally the conversation could be initiated by a scammer calling the employee, perhaps using a VOIP phone service and using caller ID spoofing to pretend to be ringing from a legitimate number. Or maybe they broke into Twitter’s internal phone system and were able to make it look like an internal support call. We need more details!”

Twitter admits hackers accessed DMs of dozens of high-profile accounts

Last week’s hack of over 100 very high-profile Twitter accounts did in fact expose the direct messages of many of those accounts, the company admitted today — including those of an elected official in the Netherlands, Geert Wilders.

The attack saw numerous popular accounts of celebrities and politicians taken over and tweeting a very obvious Bitcoin scam that nevertheless seems to have netted at least six figures. Twitter said that a “coordinated social engineering attack” gave hackers “access to internal systems and tools.” Verified users were also briefly prevented from tweeting (a change some welcomed).

In tweets and an update to its blog post on the “security incident,” Twitter said that “for up to 36 of the 130 targeted accounts, the attackers accessed the DM inbox.” They are “actively working on communicating directly” with those accounts affected.

Twitter had declined to say in the immediate aftermath of the attack whether DMs had been accessed by the hackers. Twitter’s messaging system is infamously not well encrypted but it was not clear whether the administrative tool reportedly used by the attackers offered access to inboxes.

Apparently whatever method was used, it gave access to DMs some of the time, or perhaps the hackers simply didn’t avail themselves of the opportunity for the remaining 94 accounts they took over. It’s not really clear from Twitter’s announcement. Twitter has previously said that it has “no evidence” that passwords were accessed by the hackers, and nothing in the update contradicts that.

The company’s attempted to place a silver lining on this cloud, saying it had “no indication that any other former or current elected official had their DMs accessed.” Considering the accounts of Barack Obama and Joe Biden were among those affected, that is technically good news.

This is almost certainly not the last we’ll hear from Twitter on this disturbing security breach.

Decrypted: Space hacking, iPhone vulnerability, Zoom’s security boom

Security startups to the rescue.

As we continue to ride out the pandemic, security experts are closely monitoring the surge of coronavirus-related cyber threats. Just this week, Google’s Threat Analysis Group, its elite threat hunting unit, says that while the overall number of threats remains largely the same, opportunistic hackers are retooling their efforts to piggyback on coronavirus.

Some startups are downsizing and laying off staff, but several cybersecurity startups are faring better, thanks to an uptick in demand for security protections. As the world continues to pivot toward working from home, it has blown up key cybersecurity verticals in ways we never expected. To wit, identity startups are needed more than ever to make sure only remote employees are getting access to corporate systems.

Can the startups take on the giants at their own game?


THE BIG PICTURE

Another payments processor drops the security ball

For the third time this year, a payments processor has admitted to a security lapse. First it was Cornerstone, then it was nCourt. This time it’s Paay, a New York-based card payment processor startup that left a database on the internet unprotected and without a password. Worse, the data was storing full, plaintext credit card numbers.

Anyone who knew where to look could have accessed the data. Luckily, a security researcher found it and reported it to TechCrunch. We alerted the company; it quickly took the data offline, but Paay denied that the data stored full credit card numbers. We even sent the co-founder a portion of the data showing card numbers stored in plaintext, but he did not respond to our follow-up.

Cultivating adaptability is a pandemic coping skill

It’s no secret that adaptability has become a critical trait for knowledge workers. To stay on top of a rapidly evolving world, we must assess new situations, make intelligent decisions and implement them effectively.

A 2014 research report by Barclays indicated that 60% of employers say adaptability has become more important during the last decade, and BBC called adaptability the “X factor” for career success in an era of technological change.

But even the most intrepid executive, entrepreneur or freelancer would be forgiven for struggling to adapt to a global pandemic. The impact of coronavirus has been unrelenting: hospitals at capacity, students sent home, conference cancellations, sold out inventory, markets in free fall and cities under lockdown.

Whatever you thought 2020 was going to look like, you were dead wrong. Box CEO Aaron Levie and Stanford professor Bob Sutton’s recent Twitter exchange said it all:

This moment requires us to learn new skills, develop new habits and let go of old ways of working. In the book “Range,” there’s a chapter about “dropping familiar tools” that details how experienced professionals will overlearn specific behavior and then fail to adapt to a new circumstance. This mentality affected everyone from firefighters to aviation crews to NASA engineers, often with deadly results, and underscores how hard it can be to adapt to change.

To help us cultivate adaptability in this unprecedented moment, I sought answers in unexpected places. Here’s what I learned.

Let go of your attachments

Adaptability is required first and foremost when circumstances change. It’s easy to get attached to certain outcomes, especially when they’ve been planned long in advance or have significant emotional weight.

Due to coronavirus, a couple I know is postponing their wedding originally set for April. Having tied the knot only a year ago myself, I can’t imagine how frustrating that must be for them. But it was the right decision; demanding that the show go on would have been dangerous for their families, friends and the public at large.

I recently spoke with my friend Belinda Ju, an executive coach with a longstanding meditation practice. Non-attachment is a core concept of Buddhism, the spiritual path she’s followed for many years, and I wanted her thoughts on how that idea might help us adapt to unforeseen circumstances.

“Attachment doesn’t work because certainty doesn’t work. You can’t predict the future,” she explained. Being attached to something means “seeing the world through a false lens. Nothing is fixed.” For Ju and her clients, non-attachment doesn’t mean giving up on goals — it means focusing on what you can control.

“You might have a fixed goal of needing to raise X million dollars to keep your team afloat,” she said. “But in the age of coronavirus, investors might be slower to respond. So what are the levers in your control? What are the options you have and the pros and cons to each one?”

Her points hit home for me. As a NYC-based startup founder, I was preparing to make several trips to the West Coast to raise the next round for my company, Midgame, a digital party host for gamers.

I like pitching in person, but that’s obviously not going to happen, so I need to embrace video calls as my new reality. By doing that, I can get to stocking up on coffee, cleaning up my work space and setting up a microphone so when I do pitch over video, I’m bringing my A game.

Be present

Another way to think about adaptability is that it’s the ability to improvise. In theater, improv performers can’t rely on prewritten lines, and have to react in real time to suggestions from the audience or the words and actions of their scene partners.

“ ‘Playing the scene you’re in’ is a principle from improv which means to be present to the situation you’re in.”

That’s what Mary Lemmer told me. As an entrepreneur and VC who spent a stint at The Second City improv theater in Chicago, Lemmer knows a thing or two about having to adapt. Today, she brings her insights to corporations through training and workshops.

She explained that as an improv performer, you may start a scene with a certain idea in mind of how it will go, but that can quickly change. “If you’re not present,” she said, “then you’re not actively listening and because there’s no script, you’ll miss details. That’s when scenes fall apart.”

When I was a PM at Etsy and we had a major launch, we’d get engineering, dev ops, product, marketing and customer support together in a room to talk through the final event sequencing. These weren’t always the most exciting meetings and it was easy to get distracted by email or chat. One time engineering announced a significant last-minute issue that almost slipped through the cracks. Luckily, someone piped up with a clarifying question and we were all able to work together to minimize the issue.

Lemmer argues that in improv, like in business, you can’t make assumptions about people or situations. “We see this a lot in board meetings. People start to assume ‘Sally’ will always be the proactive one or ‘Jim’ will always be the naysayer and tune out.”

This kind of attitude is problematic in a stable environment, but downright dangerous in an unstable situation where new data and events can quickly open up a new set of challenges and opportunities.

Early on, some experts thought the coronavirus crisis would stabilize globally by April. In early February, S&P Global stated that in the “worst-case scenario,” the virus would be contained by late May. A month later, that prediction already looked wildly optimistic.

Build mental toughness

Experts are saying now that cases may peak in May or June, which means everyone should be hunkering down for eight or more weeks of social distancing and isolation. A COVID-19 vaccine just started human trials, but after testing in large enough sample sizes to identify side effects and then ramping up large-scale production, it still might not be fully available for more than a year.

In other words, dealing with this virus is not a sprint, it’s a marathon. A marathon no one signed up for.

Someone who knows a lot about this topic is Jason Fitzgerald. A 2:39 marathoner, Fitzgerald now helps people run faster and healthier as an author and coach.

When we spoke over the phone, he pointed out that running, unlike say basketball or gymnastics, is a sport where “you have to voluntarily want to experience more and more discomfort.”

Fitzgerald calls this ability to endure “mental toughness,” and it’s a skill we all can build. For runners, it requires doing workouts that scare them, putting in mileage that’s higher than they have in the past and racing regularly. It’s also about accepting and even embracing the pain of running hard.

The same is true for adaptation. We can train ourselves to respond better to change (we’re all getting lots of practice right now!), but developing new habits and working in new ways is always uncomfortable. As decorated cyclist Greg LeMond once said, “it doesn’t get easier, you just get faster.”

We also have to recognize that we won’t get it right every time. “The more that we get comfortable with poor performances, the more we can learn from them,” Fitzgerald said, noting that he’s had his share of bad races, including failing to finish an ultramarathon in 2015. “Sometimes you dwell on a bad race for a couple days, but then you have to just forget about it and move on with your training.”

Many of us are reeling from more cancellations, suspensions and complete one-eighties in the last month than in the last five years. But we can’t let ourselves stay bogged down by our feelings of frustration or disappointment. We accept our new reality, learn what we can from it, and keep going.

It’s clear that the people who can let go of their past plans and embrace the new environment ahead will thrive. Already we’re seeing companies pivot from live events to online webinars, and remote-first workplaces becoming the new normal. Shares of Zoom have risen even as the stock market has taken a beating and I’m sure other winners will emerge in the coming weeks and months.

But adaptability doesn’t just matter for individuals or even companies, it matters for governments. For China, Taiwan and Hong Kong, thanks to aggressive testing and quarantining efforts, life is returning, somewhat, to normal. New cases are on the decline and there’s hope of life returning to normalcy in the near future. Countries that bungled their response to the disease progression, including Italy, Spain, the U.K. and the United States, are now facing increasingly dire consequences.

Whether you want to survive a global pandemic, reach the next phase in your career or be selected on a mission to Mars, it’s hard to overstate the importance of adaptability in getting there.

Three-quarters of Americans lack confidence in tech companies’ ability to fight election interference

A significant majority of Americans have lost faith in tech companies’ ability to prevent the misuse of their platforms to influence the 2020 presidential election, according to a new study from Pew Research Center, released today. The study found that nearly three-quarters of Americans (74%) don’t believe platforms like Facebook, Twitter and Google will be able to prevent election interference. What’s more, this sentiment is felt by both political parties evenly.

Pew says that nearly identical shares of Republicans and Republican-leaning independents (76%) and Democrats and Democrat-leaning independents (74%) have little or no confidence in technology companies’ ability to prevent their platforms’ misuse with regard to election interference.

And yet, 78% of Americans believe it’s tech companies’ job to do so. Slightly more Democrats (81%) took this position, compared with Republicans (75%).

While Americans had similar negative feelings about platforms’ misuse ahead of the 2018 midterm elections, their lack of confidence has gotten even worse over the past year. As of January 2020, 74% of Americans report having little confidence in the tech companies, compared with 66% back in September 2018. For Democrats, the decline in trust is even greater, with 74% today feeling “not too” confident or “not at all” confident, compared with 62% in September 2018. Republican sentiment has declined somewhat during this same time, as well, with 72% expressing a lack of confidence in 2018, compared with 76% today.

Even among those who believe the tech companies are capable of handling election interference, very few (5%) Americans feel “very” confident in their capabilities. Most of the optimists see the challenge as difficult and complex, with 20% saying they feel only “somewhat” confident.

Across age groups, both the lack of confidence in tech companies and a desire for accountability increase with age. For example, 31% of those 18 to 29 feel at least somewhat confident in tech companies’ abilities, versus just 20% of those 65 and older. Similarly, 74% of youngest adults believe the companies should be responsible for platform misuse, compared with 88% of the 65-and-up crowd.

Given the increased negativity felt across the board on both sides of the aisle, it would have been interesting to see Pew update its 2018 survey that looked at other areas of concern Republicans and Democrats had with tech platforms. The older study found that Republicans were more likely to feel social media platforms favored liberal views while Democrats were more heavily in favor of regulation and restricting false information.

Issues around election interference aren’t just limited to the U.S., of course. But news of Russia’s meddling in U.S. politics in particular — which involved every major social media platform — has helped to shape Americans’ poor opinion of tech companies and their ability to prevent misuse. The problem continues today, as Russia is being called out again for trying to intervene in the 2020 elections, according to several reports. At present, Russia’s focus is on aiding Sen. Bernie Sanders’ campaign in order to interfere with the Democratic primary, the reports said.

Meanwhile, many of the same vulnerabilities that Russia exploited during the 2016 elections remain, including the platforms’ ability to quickly spread fake news, for example. Russia is also working around blocks the tech companies have erected in an attempt to keep Russian meddling at bay. One report from The NYT said Russian hackers and trolls were now better at covering their tracks and were even paying Americans to set up Facebook pages to get around Facebook’s ban on foreigners buying political ads.

Pew’s report doesn’t get into any details as to why Americans have lost so much trust in tech companies since the last election, but it’s likely more than just the fallout from election interference alone. Five years ago, tech companies were viewed largely as having a positive impact on the U.S., Pew had once reported. But Americans no longer feel as they did, and now only around half of U.S. adults believe the companies are having a positive impact.

More Americans are becoming aware of how easily these massive platforms can be exploited and how serious the ramifications of those exploits have become across a number of areas, including personal privacy. It’s not surprising, then, that user sentiment around how well tech companies are capable of preventing election interference has declined, too, along with all the rest.

TechCrunch’s Top 10 investigative reports from 2019

Facebook spying on teens, Twitter accounts hijacked by terrorists, and sexual abuse imagery found on Bing and Giphy were amongst the ugly truths revealed by TechCrunch’s investigative reporting in 2019. The tech industry needs more watchdogs than ever as its size enlarges the impact of safety failures and the abuse of power. Whether through malice, naivety, or greed, there was plenty of wrongdoing to sniff out.

Led by our security expert Zack Whittaker, TechCrunch undertook more long-form investigations this year to tackle these growing issues. Our coverage of fundraises, product launches, and glamorous exits only tells half the story. As perhaps the biggest and longest running news outlet dedicated to startups (and the giants they become), we’re responsible for keeping these companies honest and pushing for a more ethical and transparent approach to technology.

If you have a tip potentially worthy of an investigation, contact TechCrunch at [email protected] or by using our anonymous tip line’s form.

Image: Bryce Durbin/TechCrunch

Here are our top 10 investigations from 2019, and their impact:

Facebook pays teens to spy on their data

Josh Constine’s landmark investigation discovered that Facebook was paying teens and adults $20 in gift cards per month to install a VPN that sent Facebook all their sensitive mobile data for market research purposes. The laundry list of problems with Facebook Research included not informing 187,000 users the data would go to Facebook until they signed up for “Project Atlas”, not receiving proper parental consent for over 4300 minors, and threatening legal action if a user spoke publicly about the program. The program also abused Apple’s enterprise certificate program designed only for distribution of employee-only apps within companies to avoid the App Store review process.

The fallout was enormous. Lawmakers wrote angry letters to Facebook. TechCrunch soon discovered a similar market research program from Google called Screenwise Meter that the company promptly shut down. Apple punished both Google and Facebook by shutting down all their employee-only apps for a day, causing office disruptions since Facebookers couldn’t access their shuttle schedule or lunch menu. Facebook tried to claim the program was above board, but finally succumbed to the backlash and shut down Facebook Research and all paid data collection programs for users under 18. Most importantly, the investigation led Facebook to shut down its Onavo app, which offered a VPN but in reality sucked in tons of mobile usage data to figure out which competitors to copy. Onavo helped Facebook realize it should acquire messaging rival WhatsApp for $19 billion, and it’s now at the center of anti-trust investigations into the company. TechCrunch’s reporting weakened Facebook’s exploitative market surveillance, pitted tech’s giants against each other, and raised the bar for transparency and ethics in data collection.

Protecting The WannaCry Kill Switch

Zack Whittaker’s profile of the heroes who helped save the internet from the fast-spreading WannaCry ransomware reveals the precarious nature of cybersecurity. The gripping tale documenting Marcus Hutchins’ benevolent work establishing the WannaCry kill switch may have contributed to a judge’s decision to sentence him to just one year of supervised release instead of 10 years in prison for an unrelated charge of creating malware as a teenager.

The dangers of Elon Musk’s tunnel

TechCrunch contributor Mark Harris’ investigation discovered inadequate emergency exits and more problems with Elon Musk’s plan for his Boring Company to build a Washington D.C.-to-Baltimore tunnel. Consulting fire safety and tunnel engineering experts, Harris built a strong case for why state and local governments should be suspicious of technology disrupters cutting corners in public infrastructure.

Bing image search is full of child abuse

Josh Constine’s investigation exposed how Bing’s image search results not only showed child sexual abuse imagery, but also suggested search terms to innocent users that would surface this illegal material. A tip led Constine to commission a report by anti-abuse startup AntiToxin (now L1ght), forcing Microsoft to commit to UK regulators that it would make significant changes to stop this from happening. However, a follow-up investigation by the New York Times citing TechCrunch’s report revealed Bing had made little progress.

Expelled despite exculpatory data

Zack Whittaker’s investigation surfaced contradictory evidence in a case of alleged grade tampering by Tufts student Tiffany Filler who was questionably expelled. The article casts significant doubt on the accusations, and that could help the student get a fair shot at future academic or professional endeavors.

Burned by an educational laptop

Natasha Lomas chronicled the troubles at educational computer hardware startup pi-top, including a device malfunction that injured a U.S. student. An internal email revealed the student had suffered “a very nasty finger burn” from a pi-top 3 laptop designed to be disassembled. Reliability issues swelled and layoffs ensued. The report highlights how startups operating in the physical world, especially around sensitive populations like students, must make safety a top priority.

Giphy fails to block child abuse imagery

Sarah Perez and Zack Whittaker teamed up with child protection startup L1ght to expose Giphy’s negligence in blocking sexual abuse imagery. The report revealed how criminals used the site to share illegal imagery, which was then accidentally indexed by search engines. TechCrunch’s investigation demonstrated that it’s not just public tech giants who need to be more vigilant about their content.

Airbnb’s weakness on anti-discrimination

Megan Rose Dickey explored a botched case of discrimination policy enforcement by Airbnb when a blind and deaf traveler’s reservation was cancelled because they have a guide dog. Airbnb tried to just “educate” the host who was accused of discrimination instead of levying any real punishment until Dickey’s reporting pushed it to suspend them for a month. The investigation reveals the lengths Airbnb goes to in order to protect its money-generating hosts, and how policy problems could mar its IPO.

Expired emails let terrorists tweet propaganda

Zack Whittaker discovered that Islamic State propaganda was being spread through hijacked Twitter accounts. His investigation revealed that if the email address associated with a Twitter account expired, attackers could re-register it to gain access and then receive password resets sent from Twitter. The article revealed the savvy but not necessarily sophisticated ways terrorist groups are exploiting big tech’s security shortcomings, and identified a dangerous loophole for all sites to close.

Porn & gambling apps slip past Apple

Josh Constine found dozens of pornography and real-money gambling apps had broken Apple’s rules but avoided App Store review by abusing its enterprise certificate program — many based in China. The report revealed the weak and easily defrauded requirements to receive an enterprise certificate. Seven months later, Apple revealed a spike in porn and gambling app takedown requests from China. The investigation could push Apple to tighten its enterprise certificate policies, and proved the company has plenty of its own problems to handle despite CEO Tim Cook’s frequent jabs at the policies of other tech giants.

Bonus: HQ Trivia employees fired for trying to remove CEO

This Game Of Thrones-worthy tale was too intriguing to leave out, even if the impact was more of a warning to all startup executives. Josh Constine’s look inside gaming startup HQ Trivia revealed a saga of employee revolt in response to its CEO’s ineptitude and inaction as the company nose-dived. Employees who organized a petition to the board to remove the CEO were fired, leading to further talent departures and stagnation. The investigation served to remind startup executives that they are responsible to their employees, who can exert power through collective action or their exodus.

If you have a tip for Josh Constine, you can reach him via encrypted Signal or text at (585)750-5674, joshc at TechCrunch dot com, or through Twitter DMs

More than 1 million T-Mobile customers exposed by breach

T-Mobile has confirmed a data breach affecting more than a million of its customers, whose personal data (but no financial or password data) was exposed to a malicious actor. The company alerted the affected customers but did not provide many details in its official account of the hack.

The company said in its disclosure to affected users that its security team had shut down “malicious, unauthorized access” to prepaid data customers. The data exposed appears to have been:

  • Name
  • Billing address
  • Phone number
  • Account number
  • Rate, plan and calling features (such as paying for international calls)

The latter data is considered “customer proprietary network information” and under telecoms regulations they are required to notify customers if it is leaked. The implication seems to be that they might not have done so otherwise. Of course some hacks, even hacks of historic magnitude, go undisclosed sometimes for years.

In this case, however, it seems that T-Mobile has disclosed the hack in a fairly prompt manner, though it provided very few details. When I asked, a T-Mobile representative indicated that “less than 1.5 percent” of customers were affected, which of the company’s approximately 75 million users adds up to somewhat over a million.

The company reports that “we take the security of your information very seriously,” a canard we’ve asked companies to stop saying in these situations.

The T-Mobile representative stated that the attack was discovered in early November and shut down “immediately.” They did not answer other questions I asked, such as whether it was on a public-facing or internal website or database, how long the data was exposed and what specifically the company had done to rectify the problem.

The data listed above is not necessarily highly damaging on its own, but it’s the kind of data with which someone might attempt to steal your identity or take over your account. Account hijacking is a fairly common tactic among cyber-ne’er-do-wells these days and it helps to have details like the target’s plan, home address and so on at one’s fingertips.

If you’re a T-Mobile customer, it may be a good idea to change your password there and check up on your account details.

Chinese spy defects to Australia, alleging election interference and cybercrimes

A purported agent of the Chinese intelligence service is seeking asylum in Australia, bringing with him explosive allegations of widespread interference in political affairs in that country, Taiwan and elsewhere. He claims also to have run a cyberterrorism campaign against supporters of Hong Kong independence.

Wang “William” Liqiang indicated to Australian news outlet The Age that during a deep-cover assignment intended to manipulate the 2020 presidential election in Taiwan, he decided to defect and expose the Chinese networks from abroad.

In addition to The Age, Wang spoke with The Sydney Morning Herald and 60 Minutes; the various outlets appear to be planning a broader release of the contents of his interviews on Monday.

Wang has reportedly explained in detail the inner workings of a Hong Kong-listed company called China Innovation Investment Limited, which the government has allegedly been using as a front to infiltrate various universities, political groups and media companies.

He claims to have personally been involved in the infamous kidnapping of Lee Bo and other booksellers in Hong Kong whose disappearance prompted widespread protests.

He also says that he helped direct a “cyber army” to dox, attack and otherwise harass Hong Kong’s independence protestors, and that he was working on establishing one to affect the 2020 election in Taiwan.

Operations in Australia and other countries were implied but not detailed in initial reports of Wang’s defection. He is reportedly currently at an undisclosed location in Sydney pending formal protections from the Australian government.

More information is expected to be revealed on Monday by the outlets Wang spoke to, so stay tuned.