
Fintech firm Marquis alerts dozens of US banks and credit unions of a data breach after ransomware attack

3 December 2025 at 13:55
Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.

Despite Chinese hacks, Trump’s FCC votes to scrap cybersecurity rules for phone and internet companies

21 November 2025 at 08:54
Two Trump-appointed FCC officials voted to undo the telecom industry's cybersecurity rules. One Democratic commissioner dissented, saying the decision leaves the United States "less safe" at a time when threats are increasing.

Ring’s latest security updates are good, but still opt-in

13 July 2021 at 09:30
Ring, the video doorbell maker dubbed the “largest civilian surveillance network the U.S. has ever seen,” is rolling out new but long overdue security and privacy features. The Amazon-owned company’s reputation was bruised after a spate of account breaches in late 2019, in which hackers broke into Ring user accounts and harassed children in their own […]

Indian state government website exposed COVID-19 lab test results

3 March 2021 at 22:30
A security flaw in a website run by the government of West Bengal in India exposed the lab results of at least hundreds of thousands of residents, though likely millions, who took a COVID-19 test. The website is part of the West Bengal government’s mass coronavirus testing program. Once a COVID-19 test result is ready, […]

DOJ says it seized over $1 billion in bitcoin from the Silk Road drugs marketplace

5 November 2020 at 12:17
Two days ago, about $1 billion worth of bitcoin that had sat dormant since the seizure of the Silk Road marketplace in 2013, one of the biggest underground drug websites on the dark web, suddenly changed hands. Who took it? Mystery over. It was the U.S. government. In a statement Thursday, the Justice Department confirmed […]

Maze, a notorious ransomware group, says it’s shutting down

2 November 2020 at 13:20

One of the most active and notorious data-stealing ransomware groups, Maze, says it is “officially closed.”

The announcement came as a waffling statement, riddled with spelling mistakes and published on its website on the dark web, which for the past year has published vast troves of stolen internal documents and files from the companies it targeted, including Cognizant, cybersecurity insurance firm Chubb, pharmaceutical giant ExecuPharm, Tesla and SpaceX parts supplier Visser and defense contractor Kimchuk.

Where typical ransomware groups would infect a victim with file-encrypting malware and hold the files for a ransom, Maze gained notoriety for first exfiltrating a victim’s data and threatening to publish the stolen files unless the ransom was paid.

It quickly became the preferred tactic of ransomware groups, which set up websites — often on the dark web — to leak the files they stole if the victim refused to pay up.

Maze initially used exploit kits and spam campaigns to infect its victims, but later began using known security vulnerabilities to specifically target big-name companies. Maze was known to use vulnerable virtual private network (VPN) and remote desktop (RDP) servers to launch targeted attacks against its victims’ networks.

Some of the demanded ransoms reached into the millions of dollars. Maze reportedly demanded $6 million from one Georgia-based wire and cable manufacturer, and $15 million from one unnamed organization after the group encrypted its network. But after COVID-19 was declared a pandemic in March, Maze — as well as other ransomware groups — promised to not target hospitals and medical facilities.

But security experts aren’t celebrating just yet. After all, ransomware gangs are still criminal enterprises, many of which are driven by profit.

A statement by the Maze ransomware group, claiming it has shut down. Screenshot: TechCrunch

“Obviously, Maze’s claims should be taken with a very, very small pinch of salt,” said Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft. “It’s certainly possible that the group feels they have made enough money to be able to close shop and sail off into the sunset. However, it’s also possible — and probably more likely — that they’ve decided to rebrand.”

Callow said the group’s apparent disbanding leaves open questions about the Maze group’s connections and involvement with other groups. “As Maze was an affiliate operation, their partners in crime are unlikely to retire and will instead simply align themselves with another group,” he said.

Maze denied that it was a “cartel” of ransomware groups in its statement, but experts disagree. Steve Ragan, a security researcher at Akamai, said Maze was known to post on its website data from other ransomware, like Ragnar Locker and the LockBit ransomware-for-hire.

“For them to pretend now that there was no team-up or cartel is just plain backwards. Clearly these groups were working together on many levels,” said Ragan.

“The downside to this, and the other significant element, is that nothing will change. Ransomware is still going to be out there,” said Ragan. “Criminals are still targeting open access, exposed RDP [remote desktop protocol] and VPN portals, and still sending malicious emails with malicious attachments in the hope of infecting unsuspecting victims on the internet,” he said.

Jeremy Kennelly at FireEye’s Mandiant threat intelligence unit said that while the Maze brand may be dead, its operators are likely not gone for good.

“We assess with high confidence that many of the individuals and groups that collaborated to enable the Maze ransomware service will likely continue to engage in similar operations — either working to support existing ransomware services or supporting novel operations in the future,” said Kennelly.

Maze, a notorious ransomware group, says it’s shutting down by Zack Whittaker originally published on TechCrunch

Cyber threat startup Cygilant hit by ransomware

3 September 2020 at 19:55

Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.

Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”

“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.

Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group, which lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft.

The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.

Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.

“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”

Cyber threat startup Cygilant hit by ransomware by Zack Whittaker originally published on TechCrunch

Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security

24 July 2020 at 12:11

Online shopping service Instacart says reused passwords are to blame for a recent spate of account breaches, which saw personal data belonging to hundreds of thousands of Instacart customers stolen and put up for sale on the dark web.

The company published a statement late on Thursday saying its investigation showed that Instacart “was not compromised or breached,” but pointed to credential stuffing, where hackers take lists of usernames and passwords stolen from other breached sites and brute-force their way into other accounts.

“In this instance, it appears that third-party bad actors were able to use usernames and passwords that were compromised in previous data breaches of other websites and apps to login to some Instacart accounts,” the statement reads.

The statement comes after BuzzFeed News reported that data on more than 270,000 user accounts was for sale on the dark web, including the account user’s name, address, the last four digits of their credit card, and their order histories from as recently as this week.

Instacart said that the stolen data represents a fraction of the “millions” of Instacart’s customers across the U.S. and Canada, a spokesperson told BuzzFeed News.

But who’s really to blame here: the customers for reusing passwords, or the company for not doing more to protect against password reuse?

Granted, it’s a bit of both. Any internet user should use a unique password on each website, and install a password manager to remember them for you wherever you go. That means if hackers make off with one of your passwords, they can’t break into all of your accounts. You should also enable two-factor authentication wherever possible to prevent hackers from breaking into your online accounts, even if they have your password. By sending a code to your phone — either by text message or an app — it adds a second layer of protection for your online accounts.

But Instacart cannot shift all the blame onto its users. Instacart still does not support two-factor authentication, which, if customers had been able to enable it, would have prevented the account hacks to begin with. When we checked, there was no option to enable two-factor on an Instacart account, and no mention anywhere on Instacart’s site that it supports the security feature.

Data published by Google last year shows even the most basic two-factor can prevent the vast majority of automated credential stuffing attacks.

We asked the company if it plans to roll out two-factor to its users. When reached, Instacart spokesperson Lyndsey Grubbs would not comment on the record beyond pointing to Instacart’s already published statement.

Instacart claims security is a “top priority,” and that it has a “dedicated security team, as well as multiple layers of security measures, focused on protecting the integrity of all customer accounts and data.”

But without giving users basic security features like two-factor, Instacart users can barely protect their own accounts, let alone expect Instacart to do it for them.

Instacart blames reused passwords for account hacks, but customers are still without basic two-factor security by Zack Whittaker originally published on TechCrunch

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity

2 June 2020 at 10:15

It was a busy week in security.

Newly released documents shown exclusively to TechCrunch show that U.S. immigration authorities used a controversial cell phone snooping technology known as a “stingray” hundreds of times in the past three years. Also, if you haven’t updated your Android phone in a while, now would be a good time to check. That’s because a brand-new security vulnerability was found — and patched. The bug, if exploited, could let a malicious app trick a user into thinking they’re using a legitimate app, which can then be used to steal passwords.

Here’s more from the week.


THE BIG PICTURE

Every iPhone now has a working jailbreak

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity by Zack Whittaker originally published on TechCrunch

ICE used ‘stingray’ cell phone snooping tech hundreds of times since 2017

27 May 2020 at 09:00

Newly released documents show U.S. immigration authorities have used a secretive cell phone snooping technology hundreds of times across the U.S. in the past three years.

The documents, obtained through a public records lawsuit by the American Civil Liberties Union and seen by TechCrunch, show that U.S. Immigration and Customs Enforcement (ICE) deployed cell site simulators — known as stingrays — at least 466 times between 2017 and 2019, which led to dozens of arrests and apprehensions. Previously obtained figures showed ICE used stingrays more than 1,885 times over a four-year period between 2013 and 2017.

The documents say that stingrays were not deployed for civil immigration investigations, like removals or deportations.

Although the numbers offer a rare insight into how often ICE uses this secretive and controversial technology, the documents don’t say how many Americans also had their phones inadvertently ensnared by these surveillance devices.

“We are all harmed by government practices that violate the Constitution and undermine civil liberties,” said Alexia Ramirez, a fellow with the ACLU’s Speech, Privacy, and Technology Project. “ICE’s use of cell site simulators affects all people, regardless of their immigration status.”

“When cell site simulators search for an individual, they necessarily also sweep in sensitive, private information about innocent bystanders,” said Ramirez. “This is part of the reason courts have said there are serious Fourth Amendment concerns with this technology.”

A letter from Harris Corp., which builds cell site simulators known as “stingrays,” describing the non-disclosure terms for its Crossbow cell site simulator. (Source: ACLU)

Stingrays impersonate cell towers and capture the calls, messages, location and in some cases data of every cell phone in their range. Developed by Harris Corp., stingrays are sold exclusively to law enforcement. But their purchase and use are covered under strict non-disclosure agreements that prevent police from discussing how the technology works. These agreements are notoriously prohibitive; prosecutors have dropped court cases rather than disclose details about the stingrays.

The newly released documents are heavily redacted and add little to what we know about how stingrays work. One document did, however, reveal for the first time the existence of Harris’ most recent stingray, Crossbow. An email from 2012 refers to Crossbow as the “latest, most technologically up-to-date version of a Stingray system.”

But the civil liberties group said its public records lawsuit is not over. Customs and Border Protection (CBP), which was also named in the suit, has not yet turned over any documents sought by the ACLU, despite spending $2.5 million on buying at least 33 stingrays, according to a 2016 congressional oversight report.

“We are deeply skeptical of CBP’s assertion that they do not possess records about cell site simulators,” said Ramirez. “Given public information, the agency’s claim just doesn’t pass the sniff test.”

CBP has until June 12 to respond to the ACLU’s latest motion.

When reached, a spokesperson for CBP was unable to comment by our deadline. ICE did not respond to a request for comment.

ICE used ‘stingray’ cell phone snooping tech hundreds of times since 2017 by Zack Whittaker originally published on TechCrunch
