Users complain of account hacks, but OkCupid denies a data breach

It’s bad enough that dating sites are a pit of exaggerations and inevitable disappointment; they’re also a hot target for hackers.

Dating sites aren’t considered a goldmine of personal information the way banks or hospitals are, but they’re still an intimate part of millions of people’s lives and have long been in the sights of hackers. If the hackers aren’t hitting the back-end database, as in the AdultFriendFinder, Ashley Madison, and Zoosk breaches, they are trying to break in through the front door with leaked or guessed passwords.

That’s what appears to be happening with some OkCupid accounts.

A reader contacted TechCrunch after his account was hacked. The reader, who did not want to be named, said the hacker broke in and changed his password, locking him out of his account. Worse, they changed his email address on file, preventing him from resetting his password.

OkCupid didn’t send an email to confirm the address change — it just blindly accepted the change.

“Unfortunately, we’re not able to provide any details about accounts not connected to your email address,” said OkCupid’s customer service in response to his complaint, which he forwarded to TechCrunch. Then, the hacker started harassing him with strange text messages, using his phone number, which had been lifted from one of his private messages.

It wasn’t an isolated case. We found several cases of people saying their OkCupid account had been hacked.

Another user we spoke to eventually got his account back. “It was quite the battle,” he said. “It was two days of constant damage control until [OkCupid] finally reset the password for me.”

Some users we spoke to had better luck than others in getting their accounts back. One person didn’t bother, he said. Even disabled accounts can be re-enabled if a hacker logs in, some users found.

But several users couldn’t explain how their passwords — unique to OkCupid and not used on any other app or site — were inexplicably obtained.

“There has been no security breach at OkCupid,” said Natalie Sawyer, a spokesperson for OkCupid. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

Even on OkCupid’s own support pages, the company says that account takeovers often happen because someone has an account owner’s login information. “If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach,” says the support page.

That describes credential stuffing, a technique of running vast lists of usernames and passwords against a website to see if a combination lets the hacker in. The easiest, most effective defense against credential stuffing is for the user to use a unique password on each site. For companies like OkCupid, the other effective blocker is allowing users to switch on two-factor authentication.
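As an added example (not code from the article or from OkCupid), here is one way a site could spot the pattern described above in its own login logs: a single source cycling through many different accounts with mostly failed attempts, and the handful of accounts where such a source did get in. The log format, thresholds and sample lines are constructed for illustration.

```python
"""Credential-stuffing detection over constructed authentication logs.

Added example, not code from TechCrunch or OkCupid. The log format and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO time> <source ip> <username> <result>".
# One source tries many different accounts with mostly failures, which is the
# signature of a leaked list being replayed; the other sources are normal users.
SAMPLE_LOG = """\
2019-02-11T10:00:01 203.0.113.7 alice FAIL
2019-02-11T10:00:02 203.0.113.7 bob FAIL
2019-02-11T10:00:02 203.0.113.7 carol FAIL
2019-02-11T10:00:03 203.0.113.7 dave SUCCESS
2019-02-11T10:00:03 203.0.113.7 erin FAIL
2019-02-11T10:00:04 203.0.113.7 frank FAIL
2019-02-11T10:00:04 203.0.113.7 grace FAIL
2019-02-11T10:00:05 203.0.113.7 heidi FAIL
2019-02-11T10:00:05 203.0.113.7 ivan FAIL
2019-02-11T10:00:06 203.0.113.7 judy FAIL
2019-02-11T10:00:06 203.0.113.7 mallory SUCCESS
2019-02-11T10:03:10 198.51.100.20 alice FAIL
2019-02-11T10:03:25 198.51.100.20 alice SUCCESS
2019-02-11T10:05:00 192.0.2.44 bob SUCCESS
2019-02-11T10:30:00 203.0.113.7 zed FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=8, min_fail_ratio=0.8):
    """Return {ip: sorted accounts that saw a SUCCESS from that ip} for every
    source that, within any `window`, tried at least `min_accounts` distinct
    usernames with at least `min_fail_ratio` of its attempts failing.
    The successes are the accounts a defender would force through a password
    reset and a re-check of the recovery email and phone number."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_accounts and fails / len(span) >= min_fail_ratio:
                flagged[ip] = sorted(u for _, u, r in events if r == "SUCCESS")
                break
    return flagged


if __name__ == "__main__":
    for ip, taken in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: likely credential stuffing; successful logins: {taken}")
```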

When asked how OkCupid plans to prevent account hacks in the future, the spokesperson said the company had “no further comment.”

In fact, when we checked, OkCupid was just one of many major dating sites — like Match, PlentyOfFish, Zoosk, Badoo, JDate, and eHarmony — that didn’t use two-factor authentication at all.

As if dating wasn’t tough enough at the best of times, now you have to defend yourself from hackers, too.

Roblox responds to the hack that allowed a child’s avatar to be raped in its game

There’s a special place in Hell for people who think it’s funny to rape a 7-year-old girl’s avatar in an online virtual world designed for children. Yes, that happened. Roblox, a hugely popular online game for kids, was hacked by an individual who subverted the game’s protection systems in order to have customized animations appear. This allowed two male avatars to gang rape a young girl’s avatar on a playground in one of the Roblox games.

The company has now issued an apology to the victim and its community, and says it has determined how the hacker was able to infiltrate its system so it can prevent future incidents.

The mother of the child, whose avatar was the victim of the in-game sexual assault, was nearby when the incident took place. She says her child showed her what was happening on the screen and she took the device away, fortunately shielding her daughter from seeing most of the activity. The mother then captured screenshots of the event in order to warn others.

She described the incident in a public Facebook post that read, in part:

At first, I couldn’t believe what I was seeing. My sweet and innocent daughter’s avatar was being VIOLENTLY GANG-RAPED ON A PLAYGROUND by two males. A female observer approached them and proceeded to jump on her body at the end of the act. Then the 3 characters ran away, leaving my daughter’s avatar laying on her face in the middle of the playground.

Words cannot describe the shock, disgust, and guilt that I am feeling right now, but I’m trying to put those feelings aside so I can get this warning out to others as soon as possible. Thankfully, I was able to take screenshots of what I was witnessing so people will realize just how horrific this experience was. *screenshots in comments for those who can stomach it* Although I was immediately able to shield my daughter from seeing the entire interaction, I am shuddering to think of what kind of damage this image could have on her psyche, as well as any other child that could potentially be exposed to this.

Roblox has since issued a statement about the attack:

Roblox’s mission is to inspire imagination and it is our responsibility to provide a safe and civil platform for play. As safety is our top priority — we have robust systems in place to protect our platform and users. This includes automated technology to track and monitor all communication between our players as well as a large team of moderators who work around the clock to review all the content uploaded into a game and investigate any inappropriate activity. We provide parental controls to empower parents to create the most appropriate experience for their child, and we provide individual users with protective tools, such as the ability to block another player.

The incident involved one bad actor that was able to subvert our protective systems and exploit one instance of a game running on a single server. We have zero tolerance for this behavior and we took immediate action to identify how this individual created the offending action and put safeguards in place to prevent it from happening again. In addition, the offender was identified and permanently banned from the platform. Our work on safety is never-ending and we are committed to ensuring that one individual does not get in the way of the millions of children who come to Roblox to play, create, and imagine.

The timing of the incident is particularly notable for the kids’ gaming platform, which has more than 60 million monthly active users and is now raising up to $150 million to grow its business. The company has been flying under the radar for years, while quietly amassing a large audience of both players and developers who build its virtual worlds. Roblox recently stated that it expects to pay out its content creators $70 million in 2018, which is double that of last year. 

Roblox has a number of built-in controls to guard against bad behavior, including a content filter and a system that has moderators reviewing images, video and audio files before they’re uploaded to Roblox’s site. It also offers parental controls that let parents decide who can chat with their kids, or the ability to turn chat off. And parents can restrict kids under 13 from accessing anything but a curated list of age-appropriate games.

However, Roblox was also in the process of moving some of its older user-generated games to a newer system that’s more secure. The hacked game was one of several that could have been exploited in a similar way.

Since the incident, Roblox had its developers remove all the other potentially vulnerable games and ask their creators to move them over to the newer, more fortified system. Most have done so, and those who have not will not see their games allowed back online until that occurs. The games that are online now are not vulnerable to the exploit the hacker used.

The company responded quickly to take action, in terms of taking the game offline, banning the player and reaching out to the mother — who has since agreed to help Roblox get the word out to others about the safeguards parents can use to further protect kids in Roblox.

But the incident raises questions as to whether kids should be playing these sorts of massive multiplayer games at such a young age at all.

Roblox, sadly, is not surprised that someone was interested in a hack like this.

YouTube is filled with videos of Roblox rape hacks and exploits, in fact. The company submits takedown requests to YouTube when videos like this are posted, but YouTube only takes action on a fraction of the requests. (YouTube has its own issues around content moderation.)

It’s long past time for there to be real-world ramifications for in-game assaults that can have lasting psychological consequences on victims, when those victims are children.

Roblox, for its part, is heavily involved in discussions about what can be done, but the issue is complex. COPPA laws prevent Roblox from collecting data on its users, including their personal information, because the law is meant to protect kids’ privacy. But the flip side of this is that Roblox has no way of tracking down hackers like this.

“I think that we’re not the only one pondering the challenges of this. I think every platform company out there is struggling with the same thing,” says Tami Bhaumik, head of marketing and community safety at Roblox.

“We’re members of the Family Online Safety Institute, which is over 30 companies who share best practices around digital citizenship and child safety and all of that,” she continues. “And this is a constant topic of conversation that we all have – in terms of how do we use technology, how do we use A.I. and machine learning? Do we work with the credit card companies to try to verify [users]? How do we get around not violating COPPA regulations?” says Bhaumik.

“The problem is super complex, and I don’t think anyone involved has solved that yet,” she adds.

One solution could be forcing parents to sign up their kids and add a credit card, which would remain uncharged unless kids broke the rules.

That could dampen user growth to some extent — locking out the under-banked, those hesitant to use their credit cards online and those just generally distrustful of gaming companies and unwanted charges. It would mean kids couldn’t just download the app and play.

But Roblox has the momentum and scale now to lock things down. There’s enough demand for the game that it could create more of a barrier to entry if it chose to, in an effort to better protect users. After all, if players knew they’d be fined (or their parents would be), it would be less attractive to break the rules.

Netflix launches bug bounty program to pay researchers to track down bugs

Netflix announced in a Medium post today that it is opening a public bug bounty program on the Bugcrowd bug bounty platform.

The roots of the company’s bug hunting concept go back to 2013, when Netflix launched what it called a “responsible vulnerability disclosure program.” The idea continued to develop over the years, and the company launched a private bug bounty program on Bugcrowd in 2016. It started small with 100 researchers, and today, at the launch of the public program, that number has grown to 700, according to the blog post.

The company reports that since inception it has resolved 145 issues, paying out a variety of bounties, the highest being $15,000. “We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in,” the company wrote in the blog post announcing the program.

Netflix is far from alone in running these kinds of programs. Many big organizations like Facebook, Google and many others use bug bounty programs to pay researchers to find security holes on their platforms before black-hat hackers do. The idea is to provide financial incentive to find the bugs, rather than going in and exploiting the vulnerability for personal gain.

There is generally a leader board, so in addition to financial remuneration, the researcher also gets bragging rights and public acclaim for tracking down bugs. And it’s not just traditional tech companies running these programs. General Motors has one running on the HackerOne platform and MasterCard has one on Bugcrowd.

Bugcrowd and other bug bounty platforms like HackerOne provide a way to administer the program, providing a way to recruit researchers, then letting them know which vulnerabilities they are looking for and how much they are willing to pay. To give you a sense of how lucrative these programs can be to hackers, Google released a report last month indicating it paid out almost $3 million in bounties last year with rewards ranging from $500 to $100,000.

Netflix is hoping to attract people who can similarly help them track bugs and keep their systems secure. A bug bounty program is a proven way to achieve that.

HackerOne scores $40 million investment as bug bounty platform growth continues

For the past several years, HackerOne has been helping customers build bug bounty programs to find vulnerabilities in their software, and today it hauled in a big bounty of its own — a $40 million Series C investment led by Dragoneer Investment Group. Existing investors NEA and Benchmark also participated, as well as a strategic investor the company chose not to disclose. It brings…

Recommendations on cyber security for the 45th president… Use more hackers

2016 was an extraordinary year. A record number of security breaches affected billions of people worldwide, including cyber attacks that dramatically impacted the course of businesses and governments. The United States, the world’s most connected nation, and the rest of the world will face a deficit of 1.5 million cyber professionals over the next five years whose jobs are essential…

Verizon says security breach leads to customer data leak

(Reuters) – Verizon said an attacker had exploited a security vulnerability on its enterprise client portal to steal contact information of a number of customers.

The company said the attacker however did not gain access to Customer Proprietary Network Information (CPNI) or other data.

CPNI is the information that telephone companies collect including the time, date, duration and destination number of each call and the type of network a consumer subscribes to.

Krebs On Security, which first broke the news of the breach, said a member of an underground cybercrime forum had posted a new thread advertising the sale of a database containing the contact information of some 1.5 million customers of Verizon Enterprise.

The seller priced the entire package at $100,000, but offered to sell it off in parts of 100,000 records for $10,000 apiece, Krebs added. (http://bit.ly/1S9C6Kc)

The vulnerability, which was investigated and fixed, did not leak any data on consumer customers, Verizon said in a statement on Thursday.

The company is currently notifying customers impacted by the breach.

(Reporting by Amrutha Penumudi in Bengaluru; Editing by Diane Craft and Cynthia Osterman)

Los Angeles hospital paid hackers $17,000 ransom in Bitcoins

The Hollywood Presbyterian Medical Center is pictured in Los Angeles, California February 16, 2016. REUTERS/Mario Anzuoni

(Reuters) – The president of Hollywood Presbyterian Medical Center said on Wednesday that his hospital paid hackers a ransom of $17,000 in bitcoins to regain control of their computer systems after a cyber attack.

Allen Stefanek said in a statement that paying the ransom was the “quickest and most efficient way” of regaining access to the affected systems, which were crippled on Feb. 5 and interfered with hospital staff’s ability to communicate electronically.

Stefanek said there was no evidence that any patient or employee information was accessed in the so-called malware attack, and that the hospital fully restored access to its electronic medical record system this Monday.

“Patient care has not been compromised in any way,” Stefanek said.

Stefanek said the attack locked them out of their systems by encrypting files for which only the hackers had the decryption key. He said the hospital notified law enforcement and computer experts worked feverishly to restore system access and uncover the source.

The origin of the computer network intrusion remains unknown, but it bogged down communications between physicians and medical staff, who suddenly had to rely on paper records and doctors’ notoriously messy handwriting, according to doctors and the Federal Bureau of Investigation.

Although the cyber attack snarled the hospital’s patient database, doctors managed to relay necessary medical records the old-fashioned way through phone lines and fax machines, said Dr. Rangasamy Ramanathan, a neonatal-perinatal specialist affiliated with the 434-bed facility.

The FBI and the Los Angeles Police Department are working to pinpoint the hacker or hackers responsible for the intrusion, FBI spokeswoman Laura Eimiller said on Wednesday.

(Reporting by Curtis Skinner in San Francisco; Editing by Sandra Maler)

Trump Tower website suffers outage after Anonymous warning

By Angela Moon and Eleanor Whalley

The website for Trump Towers, Donald Trump’s glitzy signature skyscraper in Manhattan, went offline for about an hour on Friday after activist hacking group Anonymous denounced the real-estate mogul and Republican presidential front-runner for his anti-Muslim comments.

The website for 68-story Trump Towers, which Trump often uses for his presidential campaign, was down after Anonymous (@YourAnonNews) announced on Twitter:

“Trump Towers NY site taken down as statement against racism and hatred. www.trumptowerny.com/ (what you see is cloudflare offline backup)”

Earlier this week, the group posted a video on YouTube with a message that read: “Donald Trump think twice before you speak anything. You have been warned Mr. Donald Trump.”

A spokesperson for Trump Towers was not immediately reachable for a comment.

The group’s warning to Trump came days after the outspoken billionaire proposed to temporarily bar Muslims from entering the United States in response to last week’s shooting spree in San Bernardino by two Muslims who the FBI said had been radicalized.

A recent poll by New York Times/CBS News showed Americans are more fearful about the likelihood of another terrorist attack than at any other time since the weeks after Sept 11, 2001. A gnawing sense of dread has helped lift Trump to a new high among Republicans who will vote in primaries to choose their party’s nominee for the November 2016 presidential election.

Anonymous, a loose-knit international network of activist hackers, or “hacktivists,” is famous for launching cyber attacks on groups such as the Islamic State following the attacks in Paris last month that killed 129 people.

(Reporting by Angela Moon in New York and Eleanor Whalley in London; Editing by David Gregorio)

Senate approves major cybersecurity bill; critics say it won’t prevent hacks

The U.S. Senate easily passed legislation on Tuesday aimed at bolstering the country’s cyber defenses, advancing the first serious attempt in Congress to combat computer hacks that have hit a growing number of businesses and government agencies in recent years.

The bill, which would expand liability protections to companies that choose to voluntarily share cyber-threat data with the government, must be reconciled with two similar information-sharing measures that passed the House of Representatives earlier this year. It cleared the Senate by a vote of 74-21 with strong bipartisan support.

The White House announced support last week for the Senate bill, although it stated a desire for some revisions before it lands on President Barack Obama’s desk.

The Cybersecurity Information Sharing Act, or CISA, is a proposal that languished in the Senate for several years partly because of privacy groups’ concerns it would shuttle more personal information into the hands of the National Security Agency and other government spies.

But business interests, including the Chamber of Commerce, have argued an information-sharing law is necessary to allow the private sector to cooperate more closely with the government on detecting and minimizing cyber threats without fear of lawsuits.

A round of amendments intended to strengthen some of the bill’s privacy protections failed on Tuesday as the bill’s bipartisan sponsors warned last-minute changes could upset the balanced language that was the culmination of years of negotiations.

Skeptics of CISA have said it would do little to prevent malicious breaches like the kind that crippled Sony Pictures last year, which the Obama administration publicly blamed on North Korea, or recent thefts of data from companies like Target, Home Depot or Anthem Insurance.

Even some of the bill’s supporters have conceded the bill is a small first step to shore up U.S. cyber defenses, which are constantly under assault by hacking groups and foreign nation-states like China and Russia, according to government officials.

Senate Democratic leader Harry Reid said on Tuesday that CISA was “far too weak.”

The bill’s passage through the Senate was a defeat for digital privacy activists who celebrated the passage in June of a law effectively ending the NSA’s bulk collection of U.S. call metadata.

The curtailment of that program, which had been exposed in 2013 by former NSA contractor Edward Snowden, represented the first significant restriction of the U.S. government’s intelligence-gathering capabilities since the Sept. 11, 2001, attacks.

(Reporting by Dustin Volz; Editing by Peter Cooney)