With No Permission, Facebook Slurped up ‘Hundreds of Millions’ of Email Contacts

Book Another Facebook Farce

This story only gets worse for Facebook: Two weeks ago, I told you about how Zuckerberg’s firm was demanding some users enter their email passwords. But now, further revelations make the situation look much, much worse.

It appears Facebook was actually copying those users’ entire contact lists—without permission. The company says it was “unintentional.” So that’s alright then.

How many more straws can fit on this camel’s back? In today’s SB Blogwatch, we’ve lost count of all the Facebook scandals.


Read more: securityboulevard.com/2019/04/with-no-permission-facebook-slurped-up-hundreds-of-millions-of-email-contacts

Wipro customers hacked, says Krebs. Nothing to see here, says Wipro.

Wipro PR go slow—oh no

IT outsourcing outfit Wipro is under fire this week. Sources say it got hacked months ago, and since then has been used as a jumping-off point to hack its customers. Possibly by a state actor.

If that weren’t bad enough, when Brian Krebs—the journalist who reported the hack—asked the Bengaluru firm about it, his questions were ignored. When Wipro PR finally made a buzzword-bingo statement, it was only sent to Indian media.

And then Wipro executives contradicted the statement. Said execs went on to publicly badmouth the reporter.

This is a terrible example of how to act on a breach report. In this week’s Security Blogwatch, we break out the popcorn.


Read more: techbeacon.com/security/wipro-customers-hacked-says-krebs-nothing-see-here-says-wipro

Microsoft Cloud Breach: Hackers Read Your Email for 90 Days

Face Meets Palm

Hackers have been able to read the email of Microsoft’s free cloud customers—no password required. Yes, you read that right.

Incredibly, the perps got away with it for almost three months, from early January to late March. It appears they stole a master “golden” support credential—presumably via social engineering.

But Microsoft “takes data protection very seriously.” So that’s OK then.

On the face of it, this is palm-worthy to the max. In today’s SB Blogwatch, we can’t believe what we read:


Read more: securityboulevard.com/2019/04/microsoft-cloud-breach-hackers-read-your-email-for-90-days

Trump Secret Service USB OpSec FAIL: ‘Spy’ Story Gets Weirder

Mar-a-Lackadaisical

That story about the Chinese woman accused of unauthorized entry to Trump’s Mar-a-Lago? It gained a weird new twist this week.

The Feds protecting the President supposedly found a USB stick and did the last thing you should ever do with an untrusted device—they stuck it into a PC. A Secret Service agent testified the PC then behaved in a “very out-of-the-ordinary” way. It’s still unclear what Yujing Zhang was attempting to do at President Trump’s private club in Florida.

On the face of it, this is really appalling operational security. But in today’s SB Blogwatch, we dig a little deeper.


Read more: securityboulevard.com/2019/04/trump-secret-service-usb-opsec-fail-spy-story-gets-weirder

Fintech fiddles as home burns: 97% of apps lack basic security

Nero ignores conflagration

This is not fine. A white-hat researcher examined 30 financial apps, looking for information security issues—worryingly, all but one of them were insecure.

The failures were mind-numbingly familiar, and dead easy to find. It’s as if the industry has learned nothing and is walking around with a sign on its back, saying, “Rob me.”

Have we learned nothing? In this week’s Security Blogwatch, we’re full of despair.


Read more: techbeacon.com/security/fintech-fiddles-home-burns-97-apps-found-insecure