
Tag: Tumblr

DMCA “safe harbor” up in the air for online sites that...

Etsy, Kickstarter, Pinterest, and Tumblr say site moderation hangs in the balance.

YouTube, Disney come down hard on PewDiePie after anti-Semitic stunt

YouTube's biggest creator went too far with this $5 joke.

China announces mass shutdown of VPNs that bypass Great Firewall

Ryan McLaughlin

China’s Ministry of Industry and Information Technology yesterday announced a major crackdown on VPN (virtual private network) services that encrypt Internet traffic and let residents access websites blocked by the country's so-called Great Firewall. The ministry "said that all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal," reported the South China Morning Post, a major newspaper in Hong Kong.

China's announcement said the country's Internet service market "has signs of disordered development that requires urgent regulation and governance" and that the crackdown is needed to “strengthen cyberspace information security management," according to the Post. The government said its crackdown would begin immediately and run until March 31, 2018.

Numerous Internet users in China rely on VPNs to access sites blocked or censored by the government's Great Firewall, such as Google, YouTube, Facebook, Twitter, Tumblr, Dropbox, The Pirate Bay, The New York Times, The Wall Street Journal, and many others. Apple recently pulled New York Times apps from its Chinese App Store to comply with Chinese regulations.

China's tightening of its already strict Internet censorship may be preparation for this autumn's 19th National Congress of the Communist Party of China, at which new party leadership will be elected. Besides the VPN crackdown, China on Saturday shut down "two websites run by a liberal Chinese think tank" and 15 other websites, the Post reported.

Stolen Yahoo User Data Sold for $300K

At least three copies of the collection were bought on the dark Web this summer. The treasure trove of data stolen from Yahoo, a breach made public this week, has actually been for sale on the dark Web for several months, according to Bloomberg. Andr...

DailyMotion Hack Leaks Emails, Passwords of 87M Users

DailyMotion, a popular video sharing website, said Tuesday it recently suffered an “external security problem” resulting in the compromise of an unspecified number of its users’ data. LeakedSource.com, a repository of breached data, added DailyMotion to its list of “Hacked Sites” on Monday.

The site, which operates a subscription service of sorts for leaked data, claims to have information on 87,610,750 users of the video sharing site.

DailyMotion would not confirm how many accounts had been compromised. The stolen data includes users’ email addresses, usernames and encrypted passwords.

The passwords are reportedly encrypted with the bcrypt hashing function, with 10 rounds of rekeying, something that should theoretically make them more difficult to decipher. While that doesn’t make the passwords uncrackable, it does mean that doing so could be an arduous process.

“For security reasons, we advise you to reset your password: https://t.co/DVTGoTB46o” — Dailymotion (@DailymotionUSA) December 6, 2016

In a blog post on Tuesday the Paris-based company DailyMotion urged its users to reset their passwords.

The company called on partners who integrate the video service into their own apps or platforms with OAuth 2.0 authentication to enforce a password reset as well. “The security of your account is very important to us and we take all necessary steps to identify any shortcomings and address them. Therefore, as a precaution, we urge all our partners and users to reset their passwords now,” the post reads.

As is the case with most early investigations into breaches, it’s unclear exactly how – and when – the breach occurred.
Some reports claim the hack stems from an incident in October. Other reports claim about 20 percent of the leaked usernames, about 18 million, have a password attached. The company did not immediately return requests for comment on Tuesday.

DailyMotion receives a fraction of the traffic YouTube gets but is still viewed as a competitor, at least in the video streaming world. Vivendi, a French media conglomerate, purchased a 90 percent stake in the 11-year-old company last year. Orange, a French telecommunication firm, owns the other 10 percent.

The breach is the latest in a long line of incidents this year. It was reported last month that 400 million users of Adult FriendFinder, Penthouse.com, and Stripshow.com had data stolen in October. Old and in many instances out-of-date credentials from social networks such as LinkedIn, Twitter, Myspace, and Tumblr have also found their way onto LeakedSource’s database this year. None of those breaches made headlines quite like Yahoo’s admission in September that 500 million customer records were stolen from its network in 2014.

Verizon, which agreed to buy Yahoo’s web assets for $4.83 billion back in July, is still ironing out the details around the sale in the wake of the breach.

White House unveils social transition plan for everything from Twitter to...

Photo caption: But what will Trump/Clinton/Stein/Johnson think of the Cubs?

Twitter officially launched in 2006, but Presidential tweets didn't come into vogue until after Barack Obama took office in 2008.

Today, the account for @POTUS (and the equally blue-check-official @FLOTUS) posts regularly and carries millions of followers.

And just like every other responsibility and privilege associated with the office of president, there's now an official transition plan in place for this, too. Yesterday, the White House published "The Digital Transition: How the Presidential Transition Works in the Social Media Age," essentially outlining the plan for how to preserve the history of presidential social media while ensuring the accounts transition securely and smoothly to President Obama's successor (whether or not they choose to follow in his BlackBerry and then Android footsteps). For the headlining Twitter accounts, all media posted by the Obama administration through @POTUS will transition to a new handle, @POTUS44.

The same will happen for accounts like @FLOTUS, @PressSec, and @VP.

The National Archives and Records Administration (NARA) will maintain these new "44" accounts to preserve the digital record. On January 20, 2017, the newly elected president and his or her administration will then receive access to the @POTUS et al accounts, which will all maintain their current follower counts. The White House notes it will take similar approaches to archive old accounts and provide access to the currently active handles on platforms such as Medium, Tumblr, Instagram, and YouTube.

Due to some combination of timing and digital comfort, the Obama administration embraced these means of communication like none before.

As yesterday's post notes, they were the "first to go live on Facebook from the Oval Office, the first to answer questions from citizens on YouTube, and the first to use a filter on Snapchat." (The White House is also old-school, establishing a presence on things like MySpace and Flickr.) The post doesn't mention anything about 2FA on these accounts or any extra security they may embrace beyond what's available to the rest of us social users.

But the Obama administration does note that they want all this material to be accessible in real-time to anyone who's interested in viewing or using it.

To that end, the post states:

“We're inviting the American public—from students and data engineers, to artists and researchers—to come up with creative ways to archive this content and make it both useful and available for years to come. From Twitter bots and art projects to printed books and query tools, we’re open to it all. The White House will make our social media data available early to people who are interested in building something for the public.”


Netflix reminds password re-users to run a reset

Your! account! has! shown! up! on! a! breach! list! We! can't! imagine! which! one!

Netflix has reminded people whose user IDs are circulating in breach lists to check their security and, if necessary, reset their passwords.

The issue resurfaced late last week, when an Adweek writer posted that he'd received a “reset your password” message: “As part of our regular security monitoring, we discovered that credentials that match your Netflix email address and password were included in a release of email addresses and passwords from a breach at another company.”

The streaming giant has been tapping groups of users since June, when KrebsOnSecurity spotted a nearly identical e-mail in the wild. At the time, Krebs associated the notice with the LinkedIn, Tumblr and MySpace breaches. Since then, of course, another huge breach came to light – the 500 million credentials swiped from Yahoo!, reported in September. The scale of the Yahoo! breach makes it almost inevitable that password re-users' credentials would turn up on other sites, like Netflix.

Netflix confirmed that it's circulating another round of reminders, telling The Register in an e-mail: “Some Netflix members have received emails encouraging them to change their account passwords as a precautionary measure due to the recent disclosure of credentials from other internet companies.

“This is part of our ongoing, proactive efforts to alert members to potential security risks not associated with Netflix. There can be a variety of triggers such as username and password breaches at other companies, phishing schemes, and malware attacks.” ®

Security analyst says Yahoo!, Dropbox, LinkedIn, Tumblr all popped by same...

Says five-strong 'Group E' may have lifted a billion Yahoo! records, sells to states

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world's biggest tech companies, including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world's largest hacks on "Group E", a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches. The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported. Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker. It was then sold to an unnamed nation-state actor group.

Komarov's employer InfoArmor says it performed "extensive analysis of collected intelligence" from the Yahoo! hack from different sources to "clarify the motivation and attribution of the key threat actors", concluding "many recent press reports and published articles have significant inaccuracies".

Yahoo! last week pinned the breach on an unnamed state actor but did not say whether, as Komarov claims, the group bought the credentials from Group E, which conducted the intrusion. The company did not respond to a request for comment by the time of publication.

Image caption: Hacking gangs Group E, For Hell, and broker Tessa88. Mind map by Andrew Komarov.

Komarov tells The Register Group E, so called after the first letter of its leader's moniker, broke into sites using a variety of attack vectors. "Web apps vulnerabilities and exploitation, plus network intrusion through infection … [and] direct access to databases and source code," Komarov says.

Sites breached by the five-person Group E hacker outfit. Statistics via Andrew Komarov

Breached company       Number of records
Yahoo!                 500 million (up to 1bn)
Myspace                360 million
LinkedIn               167 million
Vk.com                 137 million
Qip.ru                 133 million
Badoo                  126 million
Dropbox                103 million
Rambler.ru             101 million
Tumblr                 50 million
LastFM                 43 million
Fling.com              40 million
Mobango.com            6 million
Other combined dumps   600 million

A second group known as "For Hell" used the same broker to sell stolen databases and masterminded other high profile breaches. Komarov says one member known as ROR[RG] hacked Ashley Madison, Adult Friend Finder, and the Turkish National Police, while a second team mate known as "arnie" or "darkoverlord" conducted breaches of unnamed health care organisations.

Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites. He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups. That broker is claimed by hackers, including some speaking to Vulture South, to be a part-time scammer for selling bogus credentials, although the claims cannot be verified. Komarov says Tessa88 was at pains to mask the identity of the hacking groups when selling the Yahoo! credentials to the nation-state actors.

Yahoo says half a billion accounts breached by nation-sponsored hackers

Photograph by Randy Stewart

At least half a billion Yahoo accounts have been breached by what investigators believe is a nation-sponsored hacking operation.

Attackers probably gained access to a wealth of holders'...

Half! a! billion! Yahoo! email! accounts! raided! by! ‘state! hackers!’

Email addresses, phone numbers, hashed passwords, DoBs, security Q&As swiped

Updated: Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users.

And who knew there were that many people using its email? The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted. This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database this summer.

"We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor," said Yahoo!'s chief information security officer Bob Lord on Tumblr today. "The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.

"Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter."

Yahoo! has said it will email all those thought to be affected by the theft and is advising everyone who hasn't changed their passwords in the last two years to do so. If you've forgotten your password, however, you could be out of luck: security questions that Yahoo! was storing in unencrypted format have been deleted from the system. Unlike others, Yahoo! doesn't appear to be offering any kind of credit monitoring service for affected customers, but helpfully includes a link for users to check their own credit records. It also advises users to be on their guard against unsolicited emails.

The statement leaves many questions unanswered. For example, how many of these email accounts are actually active, for a start? It's difficult to imagine that Yahoo! actually has half a billion active email users; a quick poll around the office shows just over half of Vulture West staff have a Yahoo! account but that none of us have used it in the last year.

Yahoo! also fails to point out that the chief benefit to the hackers isn’t going to be the email accounts themselves, but other online identities. People foolishly tend to reuse passwords and security question answers, and that's where the main value of the data comes from.

The hack is also going to cause consternation at Verizon, which is offering to buy out the ailing portal for $4.8bn. Now that Yahoo! could be facing the mother of all class action suits, Verizon might be rethinking that price. ®

Updated to add

"Within the last two days, we were notified of Yahoo's security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact," Verizon told The Reg in a statement. "We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in a position to further comment."

Yahoo reportedly to confirm massive data breach

Following reports that Yahoo will confirm a data breach that affects hundreds of millions of accounts, some users reported Thursday on Twitter and elsewhere that they were prompted to change their email password when trying to log in.

Yahoo launched an investigation into a possible breach in early August after someone offered to sell a data dump of over 200 million Yahoo accounts on an underground market, including usernames, easy-to-crack password hashes, dates of birth and backup email addresses. The company has since determined that the breach is real and that it's even worse than initially believed, news website Recode reported Thursday, citing unnamed sources familiar with the investigation.

While Yahoo has yet to make an announcement and did not immediately respond to a request for comment, the company has prompted some users to reset their passwords in the past 24 hours due to "suspicious activity" on their accounts. The prompt to reset passwords may not be directly linked to the reported data breach.

But a confirmation of the breach now, more than a month and a half after the data was put up for sale, will likely prompt questions as to why the company waited so long before forcing users to change their passwords. "If it really was available then and Yahoo are only confirming it now, I’d be really interested in why the delay was so long," said Troy Hunt, a security researcher who runs the data breach notification website Have I been pwned?.

The user who advertised the Yahoo account data on an underground website uses the online handle peace_of_mind and is a well-known seller of stolen information. He has previously put up for sale millions of account records from MySpace, LinkedIn, Tumblr and other websites, and for the most part those breaches have been confirmed even though they had actually occurred years earlier. "We saw LinkedIn, MySpace and tumblr [data dumps] all dating back many years yet just appearing for sale now so Yahoo may be consistent with that," Hunt said via email.

Given Peace's track record, the researcher said that he wouldn't have been surprised that the data was put up for sale last month if it proved to be authentic, even though some people questioned whether Peace actually had the information at that time. It's odd that no one has managed to obtain a copy of the data set so far and confirmed its authenticity, at least not publicly, especially since Peace is known to drop his price over time. Hunt believes that if this data dump follows the same pattern as other recent ones, it will turn up in the public domain soon and he will be able to add it to Have I been pwned.

A confirmation of the data breach this week would come as Yahoo's US$4.8 billion sale of its core internet operations to Verizon is being finalized; the deal has yet to be approved by regulators.

Over 40 million usernames, passwords from 2012 breach of Last.fm surface

Photo caption: If you haven't changed your password for Last.fm since 2012, it's long past time—the passwords are now easily grabbed from the Internet.

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked "mega-breaches" from Tumblr, LinkedIn, and MySpace.

The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012.

But more than 43 million user accounts were exposed, including weakly encrypted passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource. Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide "trending" board for music, letting users learn about new music and share playlists, among other things.

The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account.

The passwords were encrypted with an unsalted MD5 hash. "This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches," a member of LeakedSource wrote in a post about the data.

Ars confirmed the LeakedSource data using our own Last.fm account information. The contents of the database are somewhat representative of where passwords were in 2012 (and possibly still are on many services). Of the 41 million passwords that were successfully extracted, 255,000 of them were "123456." The next most popular password, used by 92,000 users, was "password." LeakedSource said that it has a number of additional "megabreaches" that will be revealed in the next month or so, all harvested from dumps to the Internet. "We have so many databases waiting to be added that if we were to add one per day it would still take multiple years to finish them all," a spokesperson for LeakedSource wrote.
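The Last.fm and DailyMotion reports above contrast two storage schemes: unsalted MD5, which LeakedSource cracked 96 percent of in two hours, and bcrypt with a cost of 10, which makes each guess expensive. The following Python audit routine is an added example, not code from any of the companies or articles above; it classifies stored hash strings, flags duplicate values (the tell-tale sign that no per-user salt was used, and the reason 255,000 identical "123456" entries are visible at a glance), and shows why a fast unsalted hash lets one digest per candidate be checked against every account at once. The sample records are constructed, and the bcrypt string is filler of the right shape rather than a real digest.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample password store, not data from any breach discussed above.
# Four users with unsalted MD5 digests (the Last.fm scheme) and one user with a
# bcrypt string whose cost field is 10 (the DailyMotion scheme). The bcrypt
# salt and hash characters are dummy filler of the correct length.
SAMPLE_RECORDS = [
    ("alice", hashlib.md5(b"123456").hexdigest()),
    ("bob",   hashlib.md5(b"123456").hexdigest()),
    ("carol", hashlib.md5(b"password").hexdigest()),
    ("dave",  hashlib.md5(b"correct horse battery").hexdigest()),
    ("erin",  "$2b$10$" + "A" * 22 + "B" * 31),
]

# Modular-crypt bcrypt format: $2a|2b|2x|2y$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(stored):
    """Identify the scheme from the stored string alone.

    Returns (scheme, work per guess). A bcrypt cost field c means 2**c
    rounds per guess; a bare hex digest costs a single fast hash call.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", 2 ** int(m.group(1))
    if HEX_RE.match(stored) and len(stored) == 32:
        return "md5", 1
    if HEX_RE.match(stored) and len(stored) == 40:
        return "sha1", 1
    return "unknown", 0


def duplicate_hashes(records):
    """Map each stored value shared by several users to those users.

    With a per-user salt this never happens, so duplicates prove the store
    is unsalted and reveal shared passwords without cracking anything.
    """
    groups = defaultdict(list)
    for user, stored in records:
        groups[stored].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def audit(records, common_passwords):
    """Summarise scheme usage and match unsalted MD5 entries against a short
    list of common passwords using ONE digest per candidate. That property
    (one hash checks every user) is why unsalted MD5 fell in two hours."""
    schemes = Counter()
    lowest_work = None
    for _, stored in records:
        scheme, work = classify_hash(stored)
        schemes[scheme] += 1
        if scheme != "unknown" and (lowest_work is None or work < lowest_work):
            lowest_work = work
    matched = {}
    for pw in common_passwords:
        digest = hashlib.md5(pw.encode()).hexdigest()  # computed once for all users
        hits = sum(1 for _, stored in records if stored == digest)
        if hits:
            matched[pw] = hits
    return {
        "schemes": dict(schemes),
        "lowest_work_per_guess": lowest_work,
        "duplicates": duplicate_hashes(records),
        "matched_common": matched,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS, ["123456", "password", "qwerty"]))
```

For the bcrypt record no candidate can be checked without a full 1024-round computation per user, which is the "arduous process" the DailyMotion report describes.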