Recent Breach News

Over the past week, these stories have been published, and have piqued my interest. 

Popular cosmetics chain Lush has been attacked by hackers, with credit card information and personal consumer details used to make fraudulent purchases. The hackers may have been stealing sensitive data for up to 4 months. Lush has advised consumers to contact their banks if they believe their details have been used by the hackers. On January 21st, a message on the Lush home page explained the situation, and the online store was shut down. On Lush's Facebook fan page, people complained about having to cancel their credit cards out of fear, and many claimed to have lost money. The biggest complaint seems to be that Lush took so long to detect the breach.

, creator of a popular mobile app that warns users about nearby speed traps, notified users this week that their passwords may have been exposed due to an attack, releasing few details about the incident. In an e-mail, the company said it understood how the attack occurred and had already rewritten code to prevent it from happening in the future, but would not disclose what happened or when. It is not clear whether the hackers successfully captured any e-mail addresses or passwords, and there is nothing to suggest the information has been used. If you have used this service and used the same password elsewhere, take precautions and change your online passwords. Do it NOW.

Two men, both of whom work at Goatse Security, have been charged with computer crimes for hacking into AT&T servers and stealing e-mail addresses and other information of about 120,000 iPad users last summer. Andrew Auernheimer, 25, was arrested in Fayetteville, Ark., while appearing in court on unrelated drug charges, and Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in Newark, N.J. They each face one count of conspiracy to access a computer without authorization and one count of fraud in connection with personal information, and are looking at a maximum of 10 years in prison and a $500,000 fine.

Auernheimer claims the intent of the breach was to point out lax security on the part of AT&T. He also claims that Goatse has a reputation for fighting cyber crime. A letter urges the dropping of the prosecution because continuing might damage his professional reputation: "I pray for you to see wisdom in your actions, and pray for you to be guided towards righteousness. I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted and your teachers, for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure."