Cyber Blurbs: Breach Exposes 150,000 Security Cameras

In this week’s Cyber Blurbs Roundup, we place a spotlight on some disappointing news coming out of T-Mobile, Tinder’s move toward user transparency, and a catastrophic failure for a startup security company out of Silicon Valley.

Let’s get started:

T-Mobile to Start Selling User Data

Listen up, T-Mobile customers — now’s the time to take back some of your privacy (if that kind of thing is important to you). The wireless network provider announced earlier this month that it will soon kick off a new program that will enable it to share customer usage data with advertisers unless customers opt out.

“[S]tarting April 26, 2021, T‑Mobile will begin a new program that uses some data we have about you, including information we learn from your web and device usage data (like the apps installed on your device) and interactions with our products and services for our own and 3rd party advertising, unless you tell us not to,” T-Mobile said in a privacy notice.

The company also says the data will not be tied to a customer’s name or any other piece of information that may make them identifiable. 

And no, Verizon and AT&T customers, you can’t call this a win — your carriers also partake in the practice of selling your usage habits to advertisers. This may be a change of scenery for those who’ve spent time under the Sprint banner (which has been operating under T-Mobile since last spring), though, considering such a policy wasn’t in place for them prior to making the move. 

As noted above, T-Mobile customers have the opportunity to opt out, although Ars Technica’s Jon Brodkin reports some users have been having a difficult time getting that done.

Tinder to Offer Background Checks on Potential Dates

Traditional cyber snooping may be a thing of the past.

Tinder will soon offer its users the option to run a background check on potential dates. Announcing an investment in nonprofit company Garbo, Tinder parent company Match Group expects to allow its users to execute background checks with a full name or a first name and their potential date’s phone number.

Background checks will allow users to receive information relating to a person’s arrest record and/or history of violence. Garbo says it collects “public records and reports of violence or abuse, including arrests, convictions, restraining orders, harassment, and other violent crimes” (h/t The Verge). Garbo’s website will also accept manually submitted information. Match says it won’t actively share user data with Garbo, with background checks only being initiated at a user’s request.

Garbo says its checks will not include traffic violations (sans DUIs) or drug possession charges, claiming the latter has no significant correlation with gender-based violence.

Background checks will not be free, although a price has not yet been announced. Tinder will be the first app to include the new feature, with fellow Match Group-owned brands — including OkCupid, Hinge, and Match — expected to follow if all goes well.

Security Camera Startup Suffers Major Hack

A security startup based out of Silicon Valley is under fire after suffering a critical security breach. Verkada, a security company that specializes in cloud-based security camera services, is said to have had more than 150,000 of its security cameras breached by a group of hackers. 

The breached cameras were located in hospitals, jails, schools, police stations, and known businesses such as Tesla, Nissan, Equinox, and Cloudflare. Verkada’s own Silicon Valley offices were also hit. Some of the cameras included facial recognition technology.

The breach was the work of hacktivist group APT-69420. Group representative Tillie Kottmann says it was intended to shed light on the “nonexistent and irresponsible” security on Verkada’s cloud-connected system. Kottmann says their group was able to infiltrate the security startup by using a Verkada admin’s credentials, which were apparently sitting on an unencrypted subdomain.

That’s… not good. 

"We do scans for very broad vectors looking for vulnerabilities. This one was easy. We simply used their web app the way any user would, except we had the ability to switch to any user account we desired. We did not access any server. We simply logged into their web UI with a highly privileged user [account]," Kottmann said (via CBS News). 

Kottmann says their group is not sponsored by any company or country.

And that’s not the end of it: An anonymous Verkada employee told Bloomberg that the super admin access was available to hundreds of employees at the company. 

“We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” the source said to Bloomberg. 

Perhaps it’s time to consider a password manager.