📚 High-profile data breaches pile-up, Chromium leaking passwords through spellcheck- Newsletter #6

Oct 9, 2022

Last month was fruitful in Data Breaches and this time it went direct high-profile: Samsung lost personal data of an undetermined number of customers in U.S., LastPass admitted that an “unauthorized party” gained access to the Dev systems and Uber confirmed that it was responding to “a cybersecurity incident”.

The Uber incident was a specially interesting one, because according to the company:

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

This means the attacker tried so many times to login with the 2FA, that the user eventually by mistake or sick of receiving notifications, pressed yes. This shows how important it is to have a good User Awareness program.

In line with the topic of data breaches, there’s this article from HBR that tries to reason why they don’t have much impact on stock returns. Despite the good argument, allow me to counter by saying that can indeed be the case, if the company is still able to continue working.

What I read last month

Cybersecurity incident at Samsung (Samsung)
LastPass was hacked, but it says no user data was compromised (Engadget)
Uber security update (Uber)
Google, Microsoft can get your passwords via web browser's spellcheck (Bleeping Computer)
Crypto Dev Enters Wrong Command, Destroys Entire Company (Medium)
The optimal amount of fraud is non-zero (Bits About Money)
Apple’s Killing the Password. Here’s Everything You Need to Know (Wired)
USA wants AI that can identity anonymous authors (The Register)
Dump these small-biz routers, says Cisco, because we won't patch their flawed VPN (The Register)

On Twitter

дэн @dan_abramov

does anyone seriously believe that employees at early stage startups don’t read users’ private information. like unless it’s end-to-end encrypted, obviously this is happening. why would i use your note taking app

I totally agree with this tweet: Companies often need to debug production systems for errors or performance reasons. When talking about small companies with limited resources, doing it in production is a common practice.

Alex Xu @alexxubyte

/1 How do Apple Pay and Google Pay handle sensitive card info? The diagram below shows the differences. Both approaches are very secure, but the implementations are different. To understand the difference, we break down the process into two flows.

Both approaches are secure but with different implementations. Apple Pay, unlike Google Pay, only sends the credit card number around once. Interesting thread, worth the read.