2012's Worst Security Exploits, Fails and Blunders
Stolen social security numbers. Erased online identities. Pilfered payment information. Yep, 2012 was a banner year for the bad guys.
Fri, December 28, 2012
Dropbox drops its guard
Back in July, some Dropbox users began noticing that they were receiving a large amount of spam in their inboxes. After some initial denials followed by some deeper digging, Dropbox found that hackers had compromised an employee's account and gained access to a document containing user email addresses. Oops! The damage was minor, but the egg in the face was major.
At the same time, a very small number of users had their Dropbox accounts actively broken into by outside sources. Investigations revealed that the hackers gained access to the accounts because the victims were reusing the same username/password combination across several websites. When the login credentials were leaked in a breach at another service, the hackers had all they needed to unlock the Dropbox accounts.
Dropbox's woes highlight--again--the need to use separate passwords for different services, as well as the fact that you can't trust the cloud completely yet. You can take cloud security into your own hands with the help of a third-party encryption tool.
Millions of South Carolina SSNs pilfered
Speaking of encryption, it would be nice if the government followed basic security principles.
After a massive October data breach resulted in a hacker obtaining the social security numbers of a whopping 3.6 million South Carolina citizens--in a state with just 4.6 million residents!--state officials tried placing the blame at the feet of the IRS. The IRS doesn't specifically require states to encrypt the SSNs in tax filings, you see. So South Carolina didn't--though it plans to start now, hindsight being 20/20 and all.
On the kinda positive side, debit and credit card details of 387,000 South Carolina citizens were also swiped in the digital heist, and most of those were encrypted, though that's likely little solace for the 16,000 people whose card details were stolen in plain-text form.
Skype's massive security flaw
In November, Skype users temporarily lost the ability to request a password reset for their account after researchers identified an exploit that allowed anybody to gain access to a Skype account as long as the person knew the email address associated with the account. Not the account password, not the security questions--just the simple email address alone.
Skype quickly plugged the hole when it caught the public eye, but the damage had already been done. The vulnerability was floating around on Russian forums and actively being used in the wild before it was shut down.
Hackers steal 1.5 million credit card numbers