Social media sites have been the subject of a flurry of data breach disclosures in recent weeks. (To understand why, read my colleague David Meyer’s here or below in the newsletter.)
Let’s recap. Last month the extent of a 2012 pillaging at LinkedIn became known: 167 million accounts compromised, rather than 6.5 million originally thought. This week we learned that Myspace had previously been ransacked to the tune of 427 million passwords. (Full disclosure: Time Inc., parent of Fortune, owns Myspace now.) Around the same time, security researchers determined that a 2013 breach at Yahoo-owned Tumblr, which the blogging service announced last month, let loose as many as 65 million stolen login credentials.
Given the damage, it’s easy to get caught up in the excitement. In fact, that seems to be what happened at several credit monitoring firms this week. LifeLock, among others, blasted out an alert to their customers warning of a data breach at Dropbox that affected 73 million username and password pairs, as independent cybersecurity blogger Brian Krebs reports. According to Dropbox though, the company does not believe it was the victim of a hack.
“An initial investigation into these reports has found no evidence of Dropbox accounts being impacted,” Patrick Heim, Dropbox’s security lead, told Krebs. “We’re continuing to look into this issue and will update our users if we find evidence that Dropbox accounts have been impacted.”
Krebs dug deeper and discovered that CSID, an identity monitoring firm that is in the midst of an acquisition by Experian, the credit monitoring giant, was responsible for the attribution. Apparently, researchers at CSID saw a Tweet about a data breach posted by a hacker with a reputation for breaking such news. They issued alerts without confirming whether the records in the dump contained any new information. Upon closer inspection by Flashpoint, a dark web intel firm, it appears the stolen records were merely recycled from the Tumblr dump.
The lesson? When the ghosts of breaches past return to haunt, try not to get spooked. Do the due diligence. Make sure claims check out. Further, dear readers, please consider downloading a password manager. And quit reusing passwords!
Enjoy the weekend; more news below.
Robert Hackett
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach me via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
THREATS
Congress questions Fed security. The U.S. House of Representative's committee on science, space and technology is investigating the Federal Reserve's cybersecurity practices. The congressional committee sent a letter Friday to Fed Chair Janet Yellen expressing "serious concern" after it learned that more than 50 security breaches affected the top bank between 2011 and 2015. (Fortune, Fortune)
Yahoo discloses national security letters. On Wednesday Yahoo became the first company ever to openly and legally acknowledge that it had received national security letters: secret warrantless subpoenas issued by the Federal Bureau of Investigation for national security purposes. The company said it received three of them—and you can thank the USA Freedom Act for that knowledge. (Yahoo)
Which firm will go public next? Cybersecurity firm Blue Coat, acquired by Bain Capital for $2.4 billion last year, filed for an initial public offering on Thursday. There have only been two other IPOs this year: SecureWorks, a cybersecurity firm that spun out of Dell, and Aacia Communications, a networking equipment maker. (Fortune)
Facebook Messenger considers encryption. The social media company has begun deliberating adding an end-to-end encrypted chat mode to its popular messaging app, sources told the Guardian. Google debuted its new chat app Allo with a similar "incognito" mode last month. Meanwhile, Facebook-owned WhatsApp rolled out encryption by default earlier this year.(Fortune, Guardian)
Lenovo: uninstall this program! The PC maker told people to remove the "accelerator application" software that comes preloaded on dozens of its machine models. The vulnerability, discovered by cybersecurity firm Duo Labs, allows hackers to takeover machines (Fortune)
FireEye outs Siemens system malware. The cybersecurity firm released details about a malicious software program designed to surreptitiously target industrial control systems. Siemens said the malware "is not viable against" its systems in the real world; rather the attack runs in a simulated environment. FireEye researchers said they know very little about the malware's creators. (Fortune)
By the way, don't write paper checks.
Share today's Data Sheet with a friend:
http://fortune.com/newsletter/datasheet/
Looking for previous Data Sheets? Click here.
ACCESS GRANTED
Fortune's David Meyer explains why years-old data breaches are suddenly turning up everywhere. (Hint: it has to do with a certain hacker.)
Something weird is happening in the world of hacked data—a lot of it is turning up around the same time.
The phenomenon has Troy Hunt, the proprietor of data-breach search service Have I Been Pwned?, scratching his head. His site lets people see if they have indeed been “pwned” (victimized, in Internet-speak) in major hacks of online services, and he’s having a very busy time right now.
The common link between the LinkedIn, Fling, Tumblr and Myspace breaches is that the data from them has all recently appeared on underground data markets, being offered up by the same individual, a hacker called “Peace.” Read the rest on Fortune.com.
FORTUNE RECON
Two Men in U.S. Plead Guilty to Hacking, Spamming Scheme by Reuters
Vista Equity Partners Is Acquiring Ping Identity by Robert Hackett
The U.S. Wants to Choke Off North Korea's Access to Global Banks by Reuters
ServiceNow Snaps Up Security Software Startup BrightPoint by Heather Clancy
Push to Alter Biometrics Law, Allegedly Backed by Google, Falls Short by Jeff John Roberts
Amazon and Goldman Sachs Invest $45 Million in Ionic Security by Robert Hackett
Hackers Took Over Katy Perry's Twitter Account by Robert Hackett
Media Companies Beware, the Ad-Blocking Tsunami Is Coming for You by Mathew Ingram
3 Reasons Bitcoin Is Booming Again by Jeff John Roberts
Microsoft Windows 10 Updates Raise Ruckus by Barb Darrow
Here Are Hillary Clinton's Private Email Server Misstatements by The Associated Press
Crucial U.S. Privacy Deal Won't Stand Up In Court, Says Top EU Adviser by David Meyer
ONE MORE THING
O great and glorious leader Zuck! Peter Sunde, cofounder of Pirate Bay, the infamous file-sharing site, recently described Facebook CEO Mark Zuckerberg as an autocrat. "Facebook is the biggest nation in the world and we have a dictator, if you look at it from a democracy standpoint," he said. "Mark Zuckerberg is a dictator. I did not elect him. He sets the rules." (Fortune)
