Another day, another massive leak blamed on failing to password-protect a server. This time it's sensitive financial data in an Elasticsearch database.

An Elasticsearch database misconfiguration exposed 51GB of sensitive financial data such as bank loans and mortgage documents. The server, which was not protected by a password, was discovered Jan. 10 by security researcher Bob Diachenko. He and TechCrunch traced the leak back to Ascension Data & Analytics.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history, and other details which are usually part of a mortgage or credit report,” he said. Diachenko then called the exposed data a “gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loads or credit cards.”

Although the database was shut down on Jan. 15, TechCrunch said, “It was clear that the documents pertain to loans and mortgages and other correspondence from several of the major financial and lending institutions dating as far back as 2008, if not longer, including CitiFinancial, a now-defunct lending finance arm of Citigroup, files from HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments, including the Department of Housing and Urban Development.”

Other cybersecurity news

1 million Mac users hit by steganography-based ad payload that dropped Shlayer trojan

A million Mac users have been impacted by an adware campaign that relies on ads and steganography to drop the Shlayer trojan. The bad ads — 191,970 of them — targeted only U.S. users and managed to impact about 1 million users.

The bad actor behind this malvertising campaign has been dubbed “VeryMal” by researchers. The attacker’s domain “has been active for months, but only recently are VeryMal starting to smuggle it using steganography.” At the peak of the attack (Jan. 11), it was “triggered over 5 million times per day.” Based on benchmarks, the cost impact for just that day is estimated to have been more than $1.2 million.

Microsoft fights against fake news

Thanks to Microsoft’s attempt to fight fake news, Microsoft Edge users on Android or iOS will now see a red or green rating for how accurate or accountable a news site is. That rating is handed out by NewsGuard and is based on nine criteria. Mobile Edge visitors to sites such as RT and Mail Online would see a warning which states: “This website generally fails to maintain basic standards of accuracy and accountability.”

Twitter CEO says biometric authentication may help combat bots

Twitter CEO Jack Dorsey said biometrics could help fight manipulation and increase trust on the platform. As reported by Duo Security, Dorsey claimed in an interview on the Bill Simmons Podcast, “If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they’re interacting with and ideally that adds some more credibility to the equation.”

Yet Dorsey added, “The fallback is the tricky bit. If one exists, then Touch ID/Face ID might be helpful in identifying that there is a human behind an account, but not necessarily the reverse.”

Researchers can predict what you’ll say on social media even if you aren’t on social media

Speaking of Twitter, researchers determined that what you say on social media can be predicted even if you don’t participate. Ars Technica explained, “This has some obvious implications for privacy. If a person leaves a social network, but their history remains (as is the case with Twitter, the one analyzed here), then it should be possible to reconstruct their social network and analyze it to get some understanding of the person who has tried to become more anonymous. In addition, if you can reconstruct a person’s offline relationships and find them on social media, then it’s possible you could learn something about a person who has never joined the service.”