Category Archives: Hacker

23andMe Says It Is Aware Of User Data Leak



Hacker by Toqfiqu barbhuiya on Unsplash

23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack, BleepingComputer reported.

23andMe is a U.S. biotechnology and genomics firm offering genetic testing services to customers who send a saliva sample to its labs and get back an ancestry and genetic predispositions report.

Recently, a threat actor leaked samples of data that was allegedly stolen from a genetics firm and, a few days later, offered to sell data packs belonging to 23andMe customers.

The initial attack was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed that the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” stated 23andMe’s spokesperson.

“We do not have any indication at this time that there has been a data security incident within our systems.”

“Rather, the preliminary results of this investigation suggest that the login credentials used in these access attempts may have been gathered by a threat actor from data leaked during incidents involving other online platforms where users have recycled login credentials.”

The Record reported that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

The information of nearly 7 million 23andMe users was offered for sale on a cybercriminal forum this week. The information included origin estimation, phenotype, health information, photos, identification data and more. 23andMe processes saliva samples submitted by customers to determine their ancestry.

The company later said that it was aware that certain 23andMe customer profile information was compiled through unauthorized access to individual accounts that were signed up for the DNA Relative feature – which allows users to opt in for the company to show them potential matches for relatives.

According to The Record, a researcher downloaded two files from the BreachForums post and found one that had information on 1 million 23andMe users of Ashkenazi heritage. The other file included data on more than 300,000 users of Chinese heritage.

The data included profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user had opted into 23andMe’s health data.
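The two steps the reports describe, recycled credentials replayed against many accounts and the compromised accounts then bulk-reading DNA Relatives profiles, as a detection pass over constructed log lines. This is an added example, not 23andMe’s code or data; the log layout, the `relative_view` action name and the thresholds are assumptions.

```python
"""Spot credential stuffing and follow-on profile scraping in auth/API logs.

Added example, not 23andMe's code or data. The log lines are constructed to
mimic the pattern described above: one source replays credentials recycled from
other breaches against many accounts (mostly failing), then the few accounts it
gets into pull far more DNA Relatives profiles than a person would browse.
"""
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed log lines: '<timestamp> <src_ip> <account> <action> <result>'."""
    lines = []
    # One source sprays 30 accounts; only every tenth recycled credential still works.
    for i in range(30):
        result = "OK" if i % 10 == 0 else "FAIL"
        lines.append(f"2023-10-01T02:00:{i:02d}Z 203.0.113.7 user{i:03d} login {result}")
    # A legitimate user logs in and views a handful of relatives' profiles.
    lines.append("2023-10-01T09:15:00Z 198.51.100.4 alice login OK")
    for i in range(5):
        lines.append(f"2023-10-01T09:16:{i:02d}Z 198.51.100.4 alice relative_view OK")
    # A stuffed account (user010 above) enumerates 300 relatives' profiles.
    for i in range(300):
        ts = f"2023-10-01T02:{5 + i // 60:02d}:{i % 60:02d}Z"
        lines.append(f"{ts} 203.0.113.7 user010 relative_view OK")
    return lines


def parse(lines):
    """Split each line into its five fields (assumed log layout)."""
    keys = ("ts", "ip", "account", "action", "result")
    return [dict(zip(keys, line.split())) for line in lines]


def detect_stuffing(events, min_attempts=20, min_accounts=10, max_success_rate=0.2):
    """Flag source IPs that try many distinct accounts with a low success rate.

    A brute force hits one account with many passwords; a forgotten password is
    one account from one IP. Stuffing is one source, one password per account,
    many accounts, and a small but non-zero hit rate from recycled credentials.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                  "accounts": set(), "ok": set()})
    for e in events:
        if e["action"] != "login":
            continue
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["accounts"].add(e["account"])
        if e["result"] == "OK":
            s["successes"] += 1
            s["ok"].add(e["account"])
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["accounts"]) >= min_accounts
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"], "accounts": len(s["accounts"]),
                           "compromised": sorted(s["ok"])}
    return flagged


def detect_scraping(events, max_profiles=50):
    """Flag accounts reading more opt-in relative profiles than a person would."""
    views = Counter(e["account"] for e in events if e["action"] == "relative_view")
    return {acct: n for acct, n in views.items() if n > max_profiles}


if __name__ == "__main__":
    evts = parse(build_sample_log())
    print("stuffing sources:", detect_stuffing(evts))
    print("scraping accounts:", detect_scraping(evts))
```

The accounts listed under `compromised` are the ones whose sessions should be revoked and whose relative-view counts should be checked; the scraping check is what catches a stolen session that slipped past the login-rate check.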

Engadget reported that a data scraping incident resulted in hackers gaining access to sensitive user information and selling it on the dark web.

Personally, I don’t have any interest in submitting my DNA to any genetics company. That said, I find it extremely troubling that the hackers sought out data from Ashkenazi people and people of Chinese heritage who used 23andMe.


Info From Dozens Of Companies Compromised By CLOP



More victims have emerged of a Russian-speaking cybercrime group whose recent spree includes stealing information from several federal U.S. agencies, NBC News reported.

The BBC, Shell, Johns Hopkins Health System, British Airways, the state of Illinois, and the departments of motor vehicles of Oregon and Louisiana all appear to have had their files stolen, according to various news releases.

The group, CLOP, is an established ransomware group, a type of organized cybercrime where hackers try to remotely extort victims by either remotely encrypting their data or stealing and threatening to publish files.

On Thursday, the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that advises the nation on cyberattacks and helps protect federal networks, said that multiple agencies had been affected by CLOP’s recent spree. Only the Department of Energy has said so far that it is a victim.

According to NBC News, CLOP appears to have struck gold by identifying a flaw in MOVEit, a computer program designed to help companies transfer files. Organizations using an outdated version of MOVEit are susceptible to an attack where CLOP can scoop up files.

The Guardian reported that personal details of every holder of a driver’s license from the U.S. state of Louisiana were exposed to hackers who have pulled off a colossal cyber-attack that also affected American federal agencies, British Airways and the BBC, according to officials.

A statement on Thursday from the governor of Louisiana, John Bel Edwards, said that his staff believes everyone with a driver’s license, identification card or car registration issued by the state, more than 4.6 million residents, probably had their names, addresses, and social security numbers exposed to the hackers.

Other personal information to which the cyber-attackers apparently had access included Louisianans’ driver’s license numbers, vehicle registration data, handicap placard information, birthdates, heights and eye colors, Edwards’ statement said.

The number of records involved is thought to be about 6 million, Louisiana’s homeland security and emergency preparedness director Casey Tingle told reporters Friday.

According to The Guardian, British Airways last week confirmed that its staffers’ names, addresses, national insurance numbers and banking details were exposed because its payroll provider Zellis used MOVEit. The BBC said its staff had also been afflicted because Zellis was its payroll provider, though the broadcaster added that it did not believe banking details were compromised. The UK’s beauty and health company Boots said some of its team members’ information was also stolen.

CNN reported that hundreds of organizations across the globe have likely had their data exposed after the hackers used the flaw to break into networks in recent weeks. Multiple US federal agencies, including the Department of Energy, were breached. The US Office of Personnel Management was also impacted by the sweeping hack, multiple sources told CNN on Friday.

In my opinion, now would be a good time for companies and organizations that use MOVEit to stop using it. Find a more secure way to manage sensitive data by putting it in a place where it cannot be easily accessed by ne’er-do-wells.


Experts Warn of New Spyware Threat Targeting Journalists



Security experts have warned about the emergence of previously unknown spyware with hacking abilities comparable to NSO Group’s Pegasus that has already been used by clients to target journalists, political opposition figures, and an employee of an NGO, The Guardian reported.

Researchers at the Citizen Lab at the University of Toronto’s Munk School said the spyware, which is made by an Israeli company called QuaDream, infected some victims’ phones by sending an iCloud calendar invite to mobile users from operators of the spyware, who are likely to be government clients. Victims were not notified of the calendar invitations because they were sent for events logged in the past, making them invisible to the targets of the hacking. Such attacks are known as “zero-click” because users of the mobile phone do not have to click on any malicious link or take any action in order to be infected.

According to the Citizen Lab report, the hacking tool is marketed by QuaDream under the name Reign. The hacking attacks that have been discovered occurred between 2019 and 2021.
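The detail that makes the invites invisible, an event already in the past raises no notification, is also what a triage check can key on. The script below is an added example (not Citizen Lab’s, QuaDream’s or Apple’s code): it unfolds a constructed iCalendar invite, reads DTSTART, and flags invites whose event predates the moment they arrived. Treating a floating local time as UTC is an assumption made to keep the example short.

```python
"""Flag backdated calendar invites: an event already in the past when the invite
arrives will never produce a notification, which is the silent-delivery trick
described above. Added example; the invite text is constructed, not a real one."""
from datetime import datetime, timezone

# Constructed invite. The DESCRIPTION is deliberately folded over two physical
# lines (continuation begins with a space) the way RFC 5545 section 3.1 allows.
CONSTRUCTED_INVITE = """\
BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-example-1@example.invalid
ORGANIZER:mailto:unknown-sender@example.invalid
DTSTART:20210303T090000Z
DTEND:20210303T093000Z
SUMMARY:Sync
DESCRIPTION:This line is folded across two physical lines
  per RFC 5545 section 3.1.
END:VEVENT
END:VCALENDAR
"""


def unfold(text):
    """Join RFC 5545 folded lines: a line starting with space/tab continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vevent(text):
    """Return the first VEVENT's properties as {NAME: value}; property parameters
    such as ;TZID=... are stripped from the name, the value is kept verbatim."""
    props, inside = {}, False
    for line in unfold(text):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, value = line.split(":", 1)
            props[name.split(";", 1)[0].upper()] = value
    return props


def parse_ical_datetime(value):
    """Parse a DATE (20210303) or DATE-TIME (20210303T090000 or ...Z) value.
    Assumption for this example: a floating time without Z is treated as UTC."""
    value = value.strip()
    if len(value) == 8:
        return datetime.strptime(value, "%Y%m%d").replace(tzinfo=timezone.utc)
    return datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)


def is_backdated(invite_text, received_at):
    """True when DTSTART is earlier than the time the invite was received, i.e.
    the event was already in the past and no notification would be shown."""
    props = parse_vevent(invite_text)
    if "DTSTART" not in props:
        raise ValueError("invite has no DTSTART")
    return parse_ical_datetime(props["DTSTART"]) < received_at


if __name__ == "__main__":
    now = datetime(2021, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed receipt time
    print("backdated:", is_backdated(CONSTRUCTED_INVITE, now))
```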

The research underscores that, even as NSO Group, the maker of one of the world’s most sophisticated cyber weapons, has faced intense scrutiny and been blacklisted by the Biden administration, probably curtailing its access to new customers, the threat posed by similar and highly sophisticated hacking tools continues to proliferate.

Microsoft posted information titled: “Standing up for democratic values and protecting stability of cyberspace: Principles to limit the threats posed by cyber mercenaries”. From the information:

The explosive growth of private “cyber mercenary” companies poses a threat to democracy and human rights around the world. Cyber mercenaries – private companies dedicated to developing, selling, and supporting offensive cyber capabilities that enable their clients to spy on the networks, computers, phones, or internet-connected devices of their targets – are a real cause for concern. These tools have been used to target elections, journalists, and human rights defenders and are increasingly accessible on the open market, enabling malicious actors to undermine our key democratic institutions.

At Microsoft, we believe that digital technology has incredible potential to improve lives across the world, support democracy, and protect and promote human rights. That is why, at the second Summit for Democracy, we were proud to join the international coalition of over 150 companies that make up the Cybersecurity Tech Accord individually and collectively pushing back on the cyber mercenary market by committing to a set of industry principles.

Our collective commitment to limiting the threats posed by cyber mercenaries:

  • Take steps to counter cyber mercenaries’ use of products and services to harm people;
  • Identify ways to actively counter the cyber mercenary market;
  • Invest in cybersecurity awareness of customers, users, and the general public;
  • Protect customers and users by maintaining the integrity and security of products and services;
  • Develop processes for handling valid legal requests for information.

Personally, I don’t see why cyber mercenaries need to exist at all. These groups do not have the right to hack into other people’s phones. If you haven’t updated your iOS devices in a while – now is a great time to do it.


Biden Restricts Use of Commercial Hacking Tools By U.S. Agencies



President Biden restricted the use of commercial hacking tools throughout the federal government as officials believed high-powered spyware had compromised devices belonging to at least 50 U.S. personnel working overseas, The Wall Street Journal reported.

Mr. Biden signed an executive order that imposes rules limiting the acquisition and deployment of hacking tools from vendors whose products have been linked to human-rights abuses or are deemed to pose counterintelligence or national security risks to the U.S. It also limits the purchasing of tools if they are sold to foreign governments considered to have poor records on human rights, The Wall Street Journal also reported.

The “Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security” was signed by President Biden on March 27, 2023. Here are some key points from the Executive Order:

…Technology is central to the future of our national security, economy, and democracy. The United States has fundamental national security and foreign policy interests in (1) ensuring that technology is developed, deployed, and governed in accordance with universal human rights; the rule of law; and appropriate legal authorization, safeguards, and oversight, such that it supports, and does not undermine, democracy, civil rights and civil liberties, and public safety; and (2) mitigating, to the greatest extent possible, the risk emerging technologies may pose to the United States Government institutions, personnel, information, and information systems.

To advance these interests, the United States supports the development of an international technology ecosystem that protects the integrity of international standards development; enables and promotes the free flow of data and ideas with trust; protects our security, privacy, and human rights, and enhances our economic competitiveness.

The growing exploitation of Americans’ sensitive data and improper use of surveillance technology, including commercial spyware, threatens the development of this ecosystem. Foreign governments and persons have deployed commercial spyware against United States Government institutions, personnel, information, and information systems, presenting significant counterintelligence and security risks to the United States Government.

…Therefore, I hereby establish as the policy of the United States Government that it shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person…

The New York Times reported that the tools in question, known as commercial spyware, give governments the power to hack the mobile phones of private citizens, extracting data and tracking their movements. The global market for their use is booming, and some U.S. government agencies have studied or deployed the technology.

According to The New York Times, the executive order prohibits federal government departments and agencies from using commercial spyware that might be abused by foreign governments, could target Americans overseas, or could pose security risks if installed on U.S. government networks. The order covers only spyware developed and sold by commercial entities, not tools built by American intelligence agencies.

I think it is very clear that people don’t want to be spied upon through their phones. It makes sense for President Biden to prohibit the use of government spyware that poses risks.


Hacking Forum Shuts Down After Administrator Gets Arrested



Last week, the FBI arrested a man alleged to be “Pompompurin,” the administrator of the infamous and popular BreachForums, TechCrunch reported. Days after the arrest, the cybercrime website’s new administrator announced that they are shutting down the forum for good.

“Please consider this the final update for Breached,” the new admin, known as “Baphomet,” wrote in the official Telegram channel. “I will be taking down the forum, as I believe we can assume that nothing is safe anymore. I know that everyone wants the forum up, but there is no value in short term gain for what will likely be a long term loss by propping up Breached as it is.”

The new administrator Baphomet did not respond to TechCrunch’s request for comment.

According to TechCrunch, the apparent end of BreachForums comes roughly a year after a coalition of international law enforcement agencies led by the U.S. Department of Justice seized RaidForums, another notorious cybercrime forum where hacked databases would be advertised and sold. BreachForums was born in the aftermath of RaidForums’ demise, and served pretty much the same purpose and audience.

The Record reported that a hacker going by the name “Baphomet” initially said they were working through an emergency plan for the forum after the arrest of 21-year-old Conor Brian Fitzpatrick at his home last Wednesday. In court documents, Fitzpatrick is alleged to be the hacker known as pompompurin – the leading administrator of BreachForums.

The Record also reported an update was posted on Tuesday, the new administrator taking over BreachForums said they now plan to shut down the platform entirely.

Baphomet wrote that someone was able to access the backend of the platform through pompompurin’s account on Sunday afternoon, leading them to believe law enforcement may have access to the site’s source code and information about the forum’s users.

According to The Record, Baphomet wrote: “This will be my final update on Breached, as I’ve decided to shut it down. I’m aware this news will not please anyone, but it’s the only safe decision now that I’ve confirmed that the glowies likely have access to Poms machine.”

The Record also reported that BreachForums became the go-to site for cybercriminals to trade stolen data and market troves of information leaked during hacks and attacks. The forum was most recently in the news after hackers posted data stolen from Washington, D.C.’s healthcare exchange platform on the site, including the sensitive information of Congress members and staff.

CNBC reported on March 21 that at least 17 current or former members of Congress had personal information exposed in the hack of the District of Columbia health insurance data system, according to a top Democrat investigating the matter. And that number is expected to rise, he said. According to multiple reports, the breach might have impacted more than 56,000 people.

In my opinion, hackers cause problems for everyone – including themselves. They run the risk of going to jail due to their decision to grab data that does not belong to them. It is good that BreachForums is going down.


Uber Investigating Breach Of Its Computer Systems



Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack, The New York Times reported.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

According to The New York Times, an Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

Uber tweeted on September 15, 2022: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

The Verge reported that the alleged hacker, who claims to be an 18-year-old, says they have administrator access to company tools including Amazon Web Services and Google Cloud Platform.

When contacted by The Verge for comment, a spokesperson for Uber declined to answer additional questions, and pointed to its statement on Twitter.

The Washington Post reported that after the hacker posted a message on Uber’s Slack, it was followed by a flurry of reaction emoji, including several dozen showing what appeared to be siren symbols. Because of the hack, people said, some systems including Slack and internal tools had been temporarily disabled.

The Washington Post obtained internal screenshots that showed the hacker claiming to have wide-ranging access inside Uber’s corporate networks and appeared to indicate the hacker was motivated by the company’s treatment of its drivers. The person claimed to have taken data from common software used by Uber employees to write new programs.

According to The Washington Post, the hacker’s ominous posts were met with reactions apparently depicting the SpongeBob character Mr. Krabs, the popular “It’s Happening” GIF and queries as to whether the situation was a prank.

The Wall Street Journal reported that a hacker, identified only by the Telegram handle Tea Pot, gained control of Uber’s account with HackerOne, a firm that helps companies work with security researchers, according to the company and researchers on their platform. The hacker provided security researchers with screenshots that appeared to show widespread access to a range of administrative accounts that manage Uber’s technology systems, including the Amazon Web Services and Google clouds, as well as VMware systems, the researchers said.

Other than the HackerOne account compromise, The Wall Street Journal couldn’t verify Tea Pot’s other claims.

At the time I am writing this post, Uber has not provided any updates on their Twitter account. Perhaps they will later today. That said, if you were planning to go somewhere via Uber today – there’s a good chance that you won’t be able to obtain a ride from the company’s drivers. Consider Lyft or the local bus service wherever you are.


Europol Announced the Arrest of Two Ransomware Hackers



Europol announced in a press release that a coordinated strike between several law enforcement agencies resulted in the arrest in Ukraine of “two prolific ransomware operators known for their extortionate demands (between €5 and €70 million)”.

The law enforcement groups involved included the French National Gendarmerie, the Ukrainian National Police Force, and the United States Federal Bureau of Investigation, with the coordination of Europol and INTERPOL.

According to Europol, the results of this included: 2 arrests and 7 property searches; seizure of US $375,000 in cash; seizure of two luxury vehicles worth €217,000 and asset freezing of $1.3 million in cryptocurrencies.

From the Europol press release:

The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files.

They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met.

The Record reported the arrests of the two members of a ransomware gang took place on September 28, in Kyiv, Ukraine’s capital. Of the two suspects who were arrested, one is a 25-year-old believed to be a crucial member of a large ransomware operation.

The names of the two suspects who were arrested have not been released. The Record reported that officials declined to name the suspects’ affiliation to any particular ransomware gang, citing an ongoing investigation. That information came from a Europol spokesperson.

It seems to me that this investigation is just beginning, and that Europol (and the rest of the assisting law enforcement agencies) are intending to continue their efforts. If the agencies are able to determine who else was involved in these crimes, I hope that those people face whatever legal consequences are appropriate.