DoorDash customers say their accounts have been hacked

Food delivery startup DoorDash has received dozens of complaints from customers who say their accounts have been hacked.

Dozens of people have tweeted at @DoorDash with complaints that their accounts had been improperly accessed and had fraudulent food deliveries charged to their account. In many cases, the hackers changed their email addresses so that the user could not regain access to their account until they contacted customer services. Yet, many said that they never got a response from DoorDash, or if they did, there was no resolution.

Several Reddit threads also point to similar complaints.

DoorDash is now a $4 billion company after raising $250 million last month, and serves more than 1,000 cities across the U.S. and Canada.

After receiving a tip, TechCrunch contacted some of the affected customers.

Four people we spoke to who had tweeted or commented that their accounts had been hacked said that they had used their DoorDash password on other sites. Three people said they weren’t sure if they used their DoorDash password elsewhere.

But six people we spoke to said that their password was unique to DoorDash, and three confirmed they used a complicated password generated by a password manager.

DoorDash said that there has been no data breach and that the likely culprit was credential stuffing, in which attackers take lists of usernames and passwords stolen in breaches of other sites and replay them, usually with automated tooling, against a target site's login, betting that some users reused the same credentials.
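What credential stuffing looks like from the defender's side, as an added example (this is not DoorDash's code; the log format and the log lines are constructed): a replay of a leaked list shows up as one source trying many distinct accounts with roughly one guess each, which is the opposite shape from a brute force on a single account.

```python
"""Detect credential-stuffing traffic in an authentication log.

Added example: this is not DoorDash's code, and the log format (timestamp,
source IP, username, outcome) and the log lines below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. 203.0.113.7 tries six different accounts in
# three seconds with one attempt each (a list replay); 198.51.100.9 is one
# user who mistypes a password once, then signs in normally.
SAMPLE_LOG = """\
2018-09-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-09-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2018-09-20T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2018-09-20T10:00:03Z 203.0.113.7 dave@example.com FAIL
2018-09-20T10:00:03Z 203.0.113.7 erin@example.com FAIL
2018-09-20T10:00:04Z 203.0.113.7 frank@example.com SUCCESS
2018-09-20T10:05:00Z 198.51.100.9 grace@example.com FAIL
2018-09-20T10:05:30Z 198.51.100.9 grace@example.com SUCCESS
"""


def parse_log(text):
    """Return (timestamp, ip, username, success) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_attempts_per_user=2.0):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs that,
    within any sliding `window`, attempted at least `min_users` distinct
    accounts with few attempts per account.

    The attempts-per-user bound separates stuffing (many accounts, about one
    guess each) from a brute force on one account (one user, many guesses),
    which calls for a different response (lock or rate-limit that account).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best = None
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users and len(win) / len(users) <= max_attempts_per_user:
                stats = (len(users), len(win), sum(1 for _, _, ok in win if ok))
                if best is None or stats[0] > best[0]:
                    best = stats
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source logged into successfully: candidates for a
    forced password reset and session revocation."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(ev)
    print(hits)                            # {'203.0.113.7': (6, 6, 2)}
    print(compromised_accounts(ev, hits))  # ['carol@example.com', 'frank@example.com']
```

On a real site the successes in that window are the signal that matters: two accounts out of six guesses is a typical hit rate for a reused-password list, and those two accounts need a reset and their active sessions revoked regardless of whether the site itself was ever breached.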

Yet, when asked, DoorDash could not explain how six accounts with unique passwords were breached.

“We do not have any information to suggest that DoorDash has suffered a data breach,” said spokesperson Becky Sosnov in an email to TechCrunch. “To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.”

The victims that we spoke to said they used either the app or the website, or in some cases both. Some were only alerted when their credit cards contacted them about possible fraud.

“Simply makes no sense that so many people randomly had their accounts infiltrated for so much money at the same time,” said one victim.

If, as DoorDash claims, credential stuffing is the culprit, we asked if the company would improve its password policy, which currently only requires a minimum of eight characters. We found in our testing that a new user could enter “password” or “12345678” as their password — which have for years ranked in the top five worst passwords.
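A password-acceptance check that would have rejected both of those values, added here as an example (not DoorDash's code). The breached-password list is a constructed stand-in for a real corpus, and the prefix/suffix lookup mirrors the k-anonymity range query of Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally) without calling it:

```python
"""Reject passwords that are too short or known to be breached.

Added example, not DoorDash's code. BREACHED is a constructed stand-in for
a real corpus such as Have I Been Pwned's Pwned Passwords; the range-index
layout mirrors that service's k-anonymity API (the client sends only the
5-character SHA-1 prefix and receives matching suffixes), but everything
here runs offline.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 8

# Constructed stand-in corpus. A length rule alone accepts the first two.
BREACHED = ["password", "12345678", "qwerty", "letmein", "Password1", "football"]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Map 5-char SHA-1 prefix -> set of 35-char suffixes, the shape a range
    query returns for that prefix."""
    index = defaultdict(set)
    for pw in corpus:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password, index):
    """Only the prefix would leave the client; the suffix comparison is local,
    so the service never learns the full hash, let alone the password."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def check_password(password, index):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if is_breached(password, index):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    idx = build_range_index(BREACHED)
    for candidate in ("password", "12345678", "qwerty", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, idx))
```

The breach-corpus check is the part that actually blunts credential stuffing: the attacker's list is by definition made of passwords that have already leaked, so refusing those at signup and at password change removes the very values the list contains, whereas the eight-character minimum on its own lets "password" and "12345678" straight through.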

The company also would not say if it plans to roll out countermeasures to prevent credential stuffing, like two-factor authentication.

A new CSS-based web attack will crash and restart your iPhone

A security researcher has found a new way to crash and restart any iPhone — with just a few lines of code.

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code which, if visited, will crash and restart an iPhone or iPad. Those on macOS may also see Safari freeze when opening the link.

The code exploits a weakness in iOS' web rendering engine WebKit, which Apple requires all browsers and apps on iOS to use, Haddouche told TechCrunch. He explained that by nesting a very large number of elements, such as <div> tags, inside an element styled with the CSS backdrop-filter property, a page can consume all of the device's resources and cause a kernel panic, which shuts down and restarts the operating system to prevent damage.
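A heuristic that an HTML-rendering mail gateway or link-preview service could apply before handing a document to a renderer, added here as an example (it is not the researcher's proof of concept and not Apple's code; the threshold, the sample documents and the deployment context are assumptions). It measures how deeply elements are nested beneath a backdrop-filter, which is the shape of the resource exhaustion described above:

```python
"""Heuristic scan for a very deep run of nested elements beneath a CSS
backdrop-filter.

Added example, not the researcher's proof of concept and not Apple's code.
The threshold and the sample documents are constructed; the assumed place
to run it is a mail gateway or link-preview service that renders HTML.
"""
from html.parser import HTMLParser

VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class NestingAudit(HTMLParser):
    """Tracks element depth, and depth below the outermost element whose
    inline style sets backdrop-filter. A backdrop-filter inside a <style>
    block is recorded separately: without a CSS engine we cannot tell which
    elements it applies to, so overall depth is used for that case."""

    def __init__(self):
        super().__init__()
        self.stack = []            # tags of currently open elements
        self.filter_index = None   # stack index of outermost inline-filtered element
        self.inline_filter = False
        self.css_has_filter = False
        self.in_style = False
        self.max_depth = 0
        self.max_under_filter = 0

    def _record(self):
        depth = len(self.stack)
        self.max_depth = max(self.max_depth, depth)
        if self.filter_index is not None:
            self.max_under_filter = max(self.max_under_filter, depth - self.filter_index - 1)

    def _pop_to(self, tag):
        if tag in self.stack:
            idx = len(self.stack) - 1 - self.stack[::-1].index(tag)
            del self.stack[idx:]
        if self.filter_index is not None and self.filter_index >= len(self.stack):
            self.filter_index = None

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        style = (dict(attrs).get("style") or "").lower()
        if "backdrop-filter" in style:
            self.inline_filter = True
            if self.filter_index is None:
                self.filter_index = len(self.stack)
        self.stack.append(tag)
        self._record()
        if tag in VOID_ELEMENTS:      # no end tag will ever arrive for these
            self._pop_to(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_ELEMENTS:
            self._pop_to(tag)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        self._pop_to(tag)

    def handle_data(self, data):
        if self.in_style and "backdrop-filter" in data.lower():
            self.css_has_filter = True


def audit_html(html, threshold=500):
    """Return depth statistics plus a 'suspicious' verdict. The threshold is
    an assumption; normal pages nest a few dozen levels deep at most."""
    p = NestingAudit()
    p.feed(html)
    p.close()
    suspicious = ((p.inline_filter and p.max_under_filter >= threshold)
                  or (p.css_has_filter and p.max_depth >= threshold))
    return {"inline_filter": p.inline_filter, "css_filter": p.css_has_filter,
            "max_depth": p.max_depth, "max_under_filter": p.max_under_filter,
            "suspicious": suspicious}


# Constructed documents: two that match the pattern, two that do not.
INLINE_SAMPLE = ("<html><body><div style='backdrop-filter: blur(4px)'>"
                 + "<div>" * 1000 + "</div>" * 1000 + "</div></body></html>")
CSS_SAMPLE = ("<html><head><style>div{backdrop-filter:blur(4px)}</style></head><body>"
              + "<div>" * 1000 + "</div>" * 1000 + "</body></html>")
BENIGN_SAMPLE = ("<html><body><div style='backdrop-filter: blur(4px)'>"
                 "<p>Hello<br>world</p></div></body></html>")
DEEP_NO_FILTER = "<html><body>" + "<div>" * 1000 + "</div>" * 1000 + "</body></html>"

if __name__ == "__main__":
    for name in ("INLINE_SAMPLE", "CSS_SAMPLE", "BENIGN_SAMPLE", "DEEP_NO_FILTER"):
        print(name, audit_html(globals()[name]))
```

This is a filter, not a fix: it cannot see a backdrop-filter delivered by an external stylesheet, and it only knows that a `<style>` block mentions the property, not which elements it targets, so for that case it falls back to flagging any document that is implausibly deep. The real mitigation is in WebKit, which is why the device, not the sender, has to be patched.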

“Anything that renders HTML on iOS is affected,” he said. That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code, or anyone sending you an email, he warned.

TechCrunch tested the exploit on the most recent mobile software, iOS 11.4.1, and confirmed that it crashes and restarts the phone. Thomas Reed, director of Mac & Mobile at security firm Malwarebytes, confirmed that the most recent iOS 12 beta also froze when tapping the link.

Those whose devices don't fully crash may instead see only the user interface restart (a "respring").

For those curious, a version of the page that shows how it works without running the crash-inducing code is also available.

The good news is that as annoying as this attack is, it can’t be used to run malicious code, he said, meaning malware can’t run and data can’t be stolen using this attack. But there’s no easy way to prevent the attack from working. One tap on a booby-trapped link sent in a message or opening an HTML email that renders the code can crash the device instantly.

Haddouche contacted Apple on Friday about the attack, which the company is said to be investigating. An Apple spokesperson did not immediately respond to a request for comment.

Attempted DNC voter database hack was a false alarm, security chief says

An apparent hacking attempt on the Democratic National Committee’s voter database was a false alarm, the organization has said.

CNN and the Associated Press reported on Wednesday, citing an unnamed party official, that the political organization was warned of an attempt on its systems. DNC officials contacted the FBI after Lookout, a security firm, detected and reported a phishing page that replicated a login page for NGP VAN, a technology provider for Democratic campaigns.

But the party quickly reversed its position on Thursday, with its security chief confirming that the phishing page was "simulated."

“The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC… or any of our vendors,” said Bob Lord, DNC’s chief security officer, in a statement.

Just a day earlier, on Wednesday, he had briefed Democratic officials in Chicago on the apparent incident.

It’s believed that the Michigan Democratic Party asked a third party to conduct the test without clearance or authorization from the DNC, according to one reporter.

In the case of phishing attacks, hackers attempt to obtain the username and password for sensitive internal systems by tricking staff into entering their credentials on spoofed sites. Hackers can then reuse those credentials to log in themselves.

Mike Murray, Lookout’s vice president of security intelligence who originally informed the DNC of the phishing page, said in a tweet that, “you don’t know that they’re false until you’ve showed up to investigate.”

It’s not uncommon for political parties to store vast amounts of information on voters. Political parties and national committees often use the data to target voters with political messaging.

In recent years, several voter databases have leaked or were exposed on unprotected servers for anyone to find.

Earlier this week, Microsoft said it thwarted an attempt by a Russian-backed advanced persistent threat group known as Fancy Bear (or APT28) to steal data from political organizations.

Updated on August 23: with new information from the DNC. This story and its headline have been updated.

FCC admits it was never actually hacked

The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its Inspector General found a lack of evidence supporting the idea. Chairman Ajit Pai blamed the former Chief Information Officer and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

The semi-apology and finger-pointing are a disappointing conclusion to the year-long web of obfuscation that the FCC has woven. Since the first moment it was reported that there was a hack of the system, there have been questions about the nature, scale, and response to it that the FCC has studiously avoided even under direct Congressional questioning.

It was so galling to everyone looking for answers that the GAO was officially asked to look into it. The letter requesting the office's help at the time complained that the FCC had "not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems." That investigation is still going on, but one conducted by the FCC's own OIG resulted in the report Pai cites.

The former CIO, David Bray, was the origin of the theory, but emails obtained by American Oversight in June show that evidence for it and a similar claim from 2014 were worryingly thin. Nevertheless, the FCC has continuously upheld the idea that it was under attack and has never publicly walked it back.

Pai’s statement was issued before the OIG publicized its report, as one does when a report is imminent that essentially says your agency has been clueless at best or deliberately untruthful at worst, and for over a year. To be clear, the report is still unpublished, though its broader conclusions are clear from Pai’s statement. In it he slathers Bray with the partisan brush and asserts that the report exonerates his office.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

On the other hand, I’m pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.

Although an evaluation of Pai's "conspiracy theory" remark must wait until the report is public, it's hard to square the Chairman's pleasure with the record. At any time in the last year, especially after Bray had departed, it would have been, if not simple, then at least simpler than maintaining its elaborate pose of ignorance, to say that the CIO had made an error and there was no attack. Nothing like that has escaped the mouth of Chairman Pai.

One must assume the agency had reviewed the data. Bray left a long time ago; why did these subordinates of his fail to speak out afterwards? If the FCC had its doubts, why did it not say so instead of risking withering criticism by avoiding the question for months on end?

Some of the FCC’s reticence to speak out may have even been explained as part of the request by the Inspector General not to discuss the investigation. That’s an easy out, at least for some of the time! But we haven’t heard that, that I know of at least, and it doesn’t explain the rest of the agency’s silence or misleading statements.

FCC Commissioner Jessica Rosenworcel urged everyone to move on with a quickness:

The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus. What happened instead is obvious—millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.

Although moving forward is a good idea, accountability and an explanation for the last year of mystery would also be welcome.

Since it wasn’t a hack, it seems that the comment filing system, though recently revamped, needs yet another fresh coat of paint to handle the kind of volume it saw during the net neutrality repeal. Plans for that are underway, Pai wrote. A separate investigation by the Government Accountability Office regarding fraud in the comment system will no doubt affect those plans.

I've contacted the FCC and its Office of the Inspector General for more information, including the report itself. I will update this post when I hear back.

Virus shuts down factories of major iPhone component manufacturer TSMC

Apple touts the cybersecurity of its iPhone, but less can be said for the exclusive manufacturer who makes the processor for the iPhone.

Semiconductor foundry TSMC, or Taiwan Semiconductor Manufacturing Company, was hit by a virus late Friday night, which forced it to shut down several factories according to Debbie Wu at Bloomberg. The virus and the shutdown were confirmed by TSMC representatives.

It is not clear at this time which factories were hit, or whether those factories were producing the iPhone’s main processor. Apple is expected to unveil new iPhones this fall, and supply chain disruptions in the critical month of August could have significant adverse consequences for the rapid availability of the new phone before the key Christmas holiday.

TSMC has grown to become the largest independent semiconductor foundry in the world, with profits last year of $11.6 billion. The company has benefitted from partnerships with smartphone companies like Apple, which produces the designs for its own A-series chips and then contracts out their manufacturing to foundries.

TSMC is a critical partner for the launch of the new iPhone. It announced earlier this year that it had begun volume production of chips on its 7nm process, which improves performance while limiting energy usage.

The origins of the virus are not known, although a statement by the company to Bloomberg said that it wasn’t introduced by a hacker.

Cyberattacks are nothing new to the island nation, which has increasingly faced sophisticated cyberattacks, mostly originating from China, which holds deep antipathy for Taiwan’s president Tsai Ing-wen. Taiwan’s government websites have sustained 20 million cyberattacks per month, with the bulk believed to be originating from China. Jess Macy Yu at Reuters reported earlier this summer that Chinese cyberattacks had grown more successful, even as their total volume has declined. Taiwan’s local elections will be held later this year in November, and the number and intensity of attacks is expected to increase as the date approaches.

Alongside Foxconn, TSMC is one of Taiwan's most important and profitable companies, and is an obvious target both due to its wealth and scale, as well as its centrality in the increasingly fraught cross-strait relations between China and Taiwan. China has made becoming the world leader in semiconductors a national priority, and companies like TSMC are deeply competitive with mainland foundries.

That’s the paranoid context for many tech executives in Taiwan, and while the culprit of this particular virus is not yet publicly known, eyes and fingers are already beginning to point in one direction.

More information about the attack is expected to be available next week.

Idaho inmates hacked prison-issued tablets for $225,000 in credits

Inmates in Idaho successfully hacked the software of the prison-issued tablets to issue themselves nearly a quarter of a million dollars in credits on the devices that are often one of their only connections to the outside world. The tablets, made by prominent prison vendor JPay, give inmates the ability to use email, listen to music and transfer money, among other basic computing functions, but charge fees for some services.

The Associated Press reports that Idaho prison officials discovered 364 inmates leveraging a software vulnerability to increase their JPay account balances. In Idaho, the devices are the result of a partnership between JPay and CenturyLink. The latter company confirmed the software vulnerability but declined to offer further details beyond stating that it had since been resolved.

Of the 364 inmates exploiting JPay, 50 inmates were able to issue themselves credits for more than $1,000. One inmate was able to use the software flaw to self-issue a credit of almost $10,000. The company has recovered about a quarter of the total of around $225,000 so far and has suspended some functions for inmates until they reimburse the stolen credits.

“This conduct was intentional, not accidental. It required a knowledge of the JPay system and multiple actions by every inmate who exploited the system’s vulnerability to improperly credit their account,” Idaho Department of Correction spokesperson Jeff Ray said in a statement on the JPay incident.

The individuals exploiting the JPay system are incarcerated at a handful of Idaho prisons, including Idaho State Correctional Institution, Idaho State Correctional Center, South Idaho Correctional Institution, Idaho Correctional Institution-Orofino and a private Correctional Alternative Placement Plan building.

On its website, JPay describes itself as a “highly trusted name in corrections because we offer a fast and secure method of sending money,” which seems up for debate given the recent turn of events. The company has a presence in prisons across 35 states.

Department of Justice indicts 12 Russian intelligence officers for Clinton email hacks

Just days before President Trump is set to meet with Russian President Vladimir Putin, the Department of Justice has leveled new charges against 12 Russian intelligence officers who allegedly hacked the Democratic National Committee and the presidential campaign of Hillary Clinton.

The charges were released by Rod J. Rosenstein, the deputy attorney general who’s leading the investigation into Russian election tampering because of the recusal of Attorney General Jeff Sessions from the investigation.

In January of last year, the intelligence community issued a joint statement affirming that Russia had indeed tampered with the U.S. presidential elections in 2016.


Now the investigation is beginning to produce indictments. Three former aides to the president's campaign have already pleaded guilty, and the president himself is under investigation by Special Counsel Robert Mueller for potential obstruction of justice.

According to the indictment, the Russians used spearphishing attacks to gain access to the network of the Democratic National Committee and the Democratic Congressional Campaign Committee.

Rosenstein also said that Russia’s military intelligence service was behind the leaks that distributed the information online under the aliases Guccifer 2.0 and DCLeaks.


Timehop discloses July 4 data breach affecting 21 million

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users. Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However, the keys that allow it to read and show users their social media content were compromised, so it has deactivated all of them, meaning Timehop users will have to re-authenticate to its app to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could "theoretically" have been used by unauthorized parties to access Timehop users' own social media posts during "a short time window", although again it emphasizes "we have no evidence that this actually happened".

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

That’s very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.
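The audit those questions imply is mechanical, and it is added here as an example (not Timehop's code). Timehop does not name its cloud provider; this assumes AWS and reads the IAM credential report, the CSV that `aws iam get-credential-report` returns, whose real columns include `user`, `password_enabled`, `mfa_active` and `access_key_1_active`. The report below is constructed and trimmed to the columns used:

```python
"""Find cloud accounts that can sign in without multifactor authentication.

Added example, not Timehop's code. Assumes AWS: the input is the IAM
credential report CSV (generate_credential_report / get_credential_report).
SAMPLE_REPORT is constructed and keeps only the columns this check reads.
"""
import csv
import io

# Constructed report. In real reports the <root_account> row carries
# "not_supported" for password_enabled, because root's password is always on.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
ops-admin,arn:aws:iam::111122223333:user/ops-admin,true,false,true,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
"""

ROOT = "<root_account>"


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def console_capable(row):
    """True if this principal can sign in to the console with a password."""
    return row["user"] == ROOT or row["password_enabled"] == "true"


def audit_mfa(rows):
    """Return (user, reason) findings in report order.

    Access-key-only principals such as deploy-bot are not reported here:
    keys cannot carry MFA, so they need a separate control (rotation,
    scoped policies, or replacing them with short-lived role credentials).
    """
    findings = []
    for row in rows:
        no_mfa = row["mfa_active"] != "true"
        active_keys = [k for k in ("access_key_1_active", "access_key_2_active")
                       if row[k] == "true"]
        if row["user"] == ROOT:
            if no_mfa:
                findings.append((ROOT, "root sign-in without MFA"))
            if active_keys:
                findings.append((ROOT, "root has active access keys"))
        elif console_capable(row) and no_mfa:
            findings.append((row["user"], "console password without MFA"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_mfa(parse_report(SAMPLE_REPORT)):
        print("%-16s %s" % (user, reason))
```

To run it against a live account, call `generate_credential_report()` on a boto3 IAM client, poll `get_credential_report()` until it returns, and pass the `Content` bytes (decoded) to `parse_report`. The `ops-admin` finding is the Timehop scenario: an administrative user whose password alone opens the cloud console.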

For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.” Which does have a distinct ‘stable door being locked after the horse has bolted’ feel to it.

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident response to trigger a “more pervasive” security overhaul.

Also not entirely clear from Timehop’s blog post: When/if affected users were notified their information has been breached.

The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some "unscheduled maintenance" might be causing problems for users accessing the app…

We’ve reached out to the company with questions and will update this post with any response.

Timehop does say that at the same time as it was working to shut down the attack and tighten up its security, company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europe’s recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in “a risk to the rights and freedoms of natural persons”).

Referencing GDPR, Timehop writes: “Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”

The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of use of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that “while none have appeared to date, it is a high likelihood that they will soon appear”.

Timehop users who are worried the network intrusion and data breach might have impacted their "Streak" — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that "we will ensure all Streaks remain unaffected by this event".

Hackers took over the Gentoo Linux GitHub repository

Popular Linux distribution Gentoo has been "totally pwned" according to researchers at Sophos, and none of the code on its GitHub mirror can currently be trusted. The Gentoo team immediately posted an update noting that the canonical code, hosted on its own infrastructure, has not been compromised. However, the GitHub repositories have been pulled until a fresh copy of the unadulterated code can be uploaded.

“Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the GitHub Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised,” wrote Gentoo administrators. “This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.”

None of the code is permanently damaged because the Gentoo admins kept their own copy of the code. Gentoo stated that the compromised code could contain malware and bugs and that users should avoid the GitHub version until it is reinstated.

“The Gentoo Infrastructure team have identified the ingress point, and locked out the compromised account,” wrote the admins. Three GitHub repositories were affected, containing the Gentoo code, musl and systemd; all of them are being “reset back to a known good state.”

Bank says Ticketmaster knew of breach months before taking action

Ticketmaster UK announced on its site yesterday that on June 23rd it had identified malicious software affecting nearly five percent of its customers, which allowed an unknown third party to access customers' names, email addresses, telephone numbers, payment details and login information between February 2017 and June 23rd, 2018.

The company says the breach can be traced back to an AI chat bot it uses to help answer customers’ questions when a live staff member is unavailable. The software’s designer, Inbenta, confirmed that the malware had taken advantage of one piece of JavaScript that was written specially for Ticketmaster’s use of the chat bot.

However, both companies have confirmed that as of June 26th the vulnerability has been resolved. In its statement, Ticketmaster told customers that affected accounts had been contacted and were offered a free 12-month identity monitoring service as a consolation as soon as the company became aware of the breach.
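A vendor script that changes underneath you is exactly what Subresource Integrity exists to catch, and the check is easy to run from the site owner's side. Added example, not Ticketmaster's or Inbenta's code: the page markup, the vendor script body and the tampered copy are constructed, and `fetch` stands in for an HTTP client, but the `integrity` attribute syntax (`sha384-<base64 digest>`, several space-separated values allowed) is the standard one browsers enforce.

```python
"""Verify third-party scripts against Subresource Integrity (SRI) hashes.

Added example, not Ticketmaster's or Inbenta's code. PAGE, CHAT_SCRIPT and
TAMPERED_SCRIPT are constructed; fetch_* stand in for an HTTP client.
"""
import base64
import hashlib
from html.parser import HTMLParser

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body, algo="sha384"):
    """Return the integrity value a page should carry for this exact script body."""
    digest = hashlib.new(algo, body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


class ScriptTags(HTMLParser):
    """Collect external <script src=...> tags and their integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, fetch):
    """Map each external script URL to 'ok', 'mismatch' or 'no-integrity'.

    'mismatch' is the outcome a browser also produces (it refuses to run the
    script); 'no-integrity' is the silent case, where a modified vendor file
    runs unchecked, as the altered chat-bot script did.
    """
    parser = ScriptTags()
    parser.feed(html)
    parser.close()
    results = {}
    for src, integrity in parser.scripts:
        if not integrity:
            results[src] = "no-integrity"
            continue
        body = fetch(src)
        ok = any(token.split("-", 1)[0] in SRI_ALGORITHMS
                 and sri_hash(body, token.split("-", 1)[0]) == token
                 for token in integrity.split())
        results[src] = "ok" if ok else "mismatch"
    return results


# Constructed vendor script and a modified copy of the kind a skimmer leaves behind.
CHAT_SCRIPT = b"window.chatWidget = function () { /* vendor chat loader */ };\n"
TAMPERED_SCRIPT = CHAT_SCRIPT + b"/* appended by attacker: copies payment-form fields elsewhere */\n"

CHAT_URL = "https://chat.vendor.example/loader.js"
PAGE = ("<html><body>\n"
        '<script src="' + CHAT_URL + '" integrity="' + sri_hash(CHAT_SCRIPT)
        + '" crossorigin="anonymous"></script>\n'
        '<script src="https://analytics.example/a.js"></script>\n'
        '<form><input name="card"></form>\n'
        "</body></html>")


def fetch_clean(url):
    return {CHAT_URL: CHAT_SCRIPT}.get(url, b"")


def fetch_tampered(url):
    return {CHAT_URL: TAMPERED_SCRIPT}.get(url, b"")


if __name__ == "__main__":
    print(audit_scripts(PAGE, fetch_clean))
    print(audit_scripts(PAGE, fetch_tampered))
```

Two caveats a practitioner will hit: SRI needs the `crossorigin` attribute and a CORS-enabled response from the vendor's host, and it only works for resources that do not change per request, so a chat-bot loader has to be pinned to a versioned URL with the hash updated on each release. Where that is not possible, a Content Security Policy `script-src` restricts which origins may run, but not what those origins serve.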

But, according to U.K. digital bank Monzo, Ticketmaster was informed of the breach in April.

In a statement released by its Financial Crime team today, Monzo describes the events from its perspective. On April 6th, the bank began to notice a pattern of fraudulent transactions on cards that had been previously used at Ticketmaster. Out of 50 fraud reports the bank received that day, 70 percent of cards had made transactions on Ticketmaster in the last several months.

“This seemed unusual, as overall only 0.8% of all our customers had used Ticketmaster,” said Natasha Vernier, head of Financial Crime at Monzo, in the statement.

On April 12th, Monzo says it expressed its concerns directly to Ticketmaster and that the company said it would “investigate internally.” In the week to follow, Monzo received several more Ticketmaster-related fraud alerts and made the decision to replace roughly 6,000 compromised cards over the course of April 19th and 20th, without mentioning Ticketmaster.

During that same period, Ticketmaster told Monzo that its completed internal investigation had shown no evidence of a breach.

This puts Ticketmaster in an awkward position, because under the General Data Protection Regulation (GDPR), in force since May 2018, companies are required to report a breach to the supervisory authority within 72 hours of becoming aware of it. Not 76 days. It's uncertain, based on the timeline of events, whether Ticketmaster will be held to these standards or to those of the now-superseded Data Protection Act 1998, but either way the water is starting to heat up around the ticket dealer.

We’ve reached out to Ticketmaster for comment but the company did not reply by the time of publication.