15 Billion Stolen Logins Are Circulating on the Dark Web

https://www.wired.com/story/dark-web-credentials-roger-stone-blueleaks


After China imposed a restrictive national security law on Hong Kong, tech companies find themselves at a crossroads. Giants like Google and Facebook stopped responding to requests for user data in the city, but may eventually have to pull out altogether.

One marquee name to exit Hong Kong already is TikTok, which remains eager to prove its distance from its China-based parent company. TikTok also found itself embroiled in a confusing episode on Friday, when an internal Amazon email indicated that the company was ordering employees to remove the app from their phones; hours later, Amazon stated that the email was sent in error. Hate it when the drafts go live, especially when they cause an international furor.

The world of Super Smash Bros. was also thrown into turmoil this week, as dozens of members of the community came forward with allegations of sexual misconduct. Elsewhere, Russian criminal gangs are getting into business email compromise—a fancy term for phishing scams—which can only end well. And hackers are actively exploiting a vulnerability in BIG-IP networking equipment, which will only end worse.

It wasn’t all bad news. Microsoft seized a bunch of domains tied to BEC activity. The robo-lawyer DoNotPay added a new service that not only unsubscribes you from marketing emails, but signs you up for any class action lawsuits against the company that was spamming you. We also walked through how to passcode-lock any app on your phone.

And there’s more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.

It’s no secret that hacker forums on the dark web are teeming with stolen credentials. But a recent audit from security firm Digital Shadows has put a number on just how large a problem that’s become. The data loss detection firm found 15 billion login pairs—user names and passwords—stemming from 100,000 breaches. Five billion of those were unique. The survey also details pricing, which varies widely based on how recent the breach is and what type of site it accesses. Financial services and banking passwords, unsurprisingly, command a much higher sum than file sharing or video game accounts. As always, WIRED recommends using a password manager to minimize the fallout when a company coughs up your sign-in info.

Facebook regularly takes down Pages associated with what it calls coordinated inauthentic behavior from countries like Russia and Iran. This week, though, it turned its attention stateside, taking down dozens of Pages and accounts associated with Donald Trump associate Roger Stone for violating the platform’s rules. Stone’s personal Facebook and Instagram accounts were included in the enforcement effort, along with a bunch of fake ones that promoted Stone’s positions across a variety of topics.

Motherboard reports this week that a company called SpyCloud, which sells access to data obtained by criminals in breaches, has marketed its services to law enforcement agencies. The practice would enable police or other government organizations to do an end-around of due process, by potentially collecting data from a huge number of civilians, whether they’ve been accused of a crime or not, without a warrant.

Late last month, the group DDoSecrets hosted a massive trove of hacked law enforcement data that had been passed to it by someone claiming an affiliation with Anonymous. This week, German authorities seized the web server that hosted the so-called BlueLeaks collection, at the behest of the US government. DDoSecrets remains undeterred, but the site that had hosted BlueLeaks remains down as of press time.


via Wired Top Stories https://ift.tt/2uc60ci

July 11, 2020 at 08:06AM