A DoorDash Breach Exposes Data of 4.9 Million Customers
Credit to Author: Lily Hay Newman, Andy Greenberg| Date: Sat, 28 Sep 2019 13:00:00 +0000
A NotPetya lawsuit, bricked Mac Pros, and more of the week's top security news.
A whistleblower complaint about a potentially coercive phone call President Donald Trump had in July with Ukrainian president Volodymyr Zelensky led to a congressional hearing and full-on impeachment inquiry this week. At one point in the call, Trump brought up the cybersecurity incident response firm Crowdstrike, indicating that he still doesn't believe the US intelligence community conclusion that Russia hacked the Democratic National Committee and meddled in the 2016 election. Here's a map of all the code connections between Russia's hacker groups, in case you need a quick refresher.
Meanwhile, we walked through the privacy and security settings you should know about in Apple's new iOS 13 mobile operating system, but Apple is still being rocked by game-changing iOS device security revelations. On Friday, a researcher published a rare exploit that can be used to jailbreak almost every iOS device released between 2011 and 2017, namely every iPhone model from 4S to X.
Findings from the Defcon Voting Village show that voting machines currently in use still contain vulnerabilities discovered more than a decade ago. Google apologized on Monday for how it had been handling human review of audio snippets captured by smart speakers and other devices. The cameras in Ring doorbells are capturing small moments that used to go unseen and changing cultural norms. And the internet infrastructure firm Cloudflare relaunched its security-focused VPN after, ahem, a rocky start.
If all of that isn't enough for you, read this excerpt from Edward Snowden's new book Permanent Record to hear, in his own words, why he became a whistleblower.
And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in-depth but which we think you should know about nonetheless. Click on the headlines to read them, and stay safe out there.
DoorDash, a takeout delivery company, confirmed a data breach on Thursday almost five months after it occurred on May 4, and a year after some users started complaining that their accounts had been inexplicably compromised. The company said that the incident exposed data from 4.9 million users, merchants, and delivery workers. Users who made accounts after April 5, 2018 were not affected by the breach. DoorDash said that the incident occurred through a third-party service. The breach compromised names, email addresses, order histories, phone numbers, delivery addresses, and hashed and salted passwords. Hackers also grabbed the last four digits of some user credit cards, but not the complete numbers or card verification values (CVV). Hackers also accessed the last four digits of some merchants' and delivery workers' bank account numbers. The cherry on top is that the hackers also stole the driver's license numbers of about 100,000 delivery workers.
In a September 17 class action lawsuit, first announced in July, FedEx shareholders allege that the company’s executives didn't disclose the full damage wreaked by the 2017 NotPetya cyberattacks and its destabilizing affects on a European acquisition. It further alleges that simultaneously those same executives sold tens of millions of dollars-worth of stock in the company collectively. The NotPetya attacks are the most costly and destructive in history, totaling $10 billion in worldwide damages.
Earlier this month, security firm Volexity revealed that a likely Chinese hacking campaign had used a collection of iOS zero-day exploits—initially revealed by Google's Project Zero research team—to infect the phones of the country's Uyghur minority group. So it comes as little surprise that the same hacking campaign also extended to the other perennial victim of China's hacking and surveillance: Tibetan activists and exiles. The civil society-focused security research group Citizen Lab revealed that a hacking campaign linked to the Uyghur attacks also targeted Tibetans, including the staff of the Dalai Lama, hacking both iOS and Android with one-click attacks delivered in WhatsApp messages that exploited now-patched vulnerabilities in web browsers.
This week, YouTubers dealt with a flood of account takeovers that seem to have particularly targeted creators focused on auto-tuning and car reviews. Dozens of complaints showed up on Twitter and in YouTube support forums after what appears to be a coordinated phishing assault that grabbed users' credentials. After infiltrating accounts, the hackers re-assigned compromised channels to new owners and then changed their custom URL to make it seem like the accounts had been deleted.
Google Keystone, which manages Chrome updates, had a bug this week that could damage the file system on computers running macOS and even cause data corruption. A series of video editors in Hollywood first noticed the issue when their Mac Pros wouldn't boot. Some of the configurations used with third-party graphics cards in Mac Pros made film industry professionals more susceptible to suffer damage from the bug. Google paused rollout of the offending Chrome update until it could provide a fix and instructions for regaining access to the bricked Macs.