The Associated Press Twitter account was hacked moments ago. The Syrian Electronic Army, which has been on a spree of media hacks and claimed responsibility for this attack, sent out a tweet claiming that the White House had been bombed through the AP’s Twitter account. This is not the case.

“The AP Twitter account has been hacked. That tweet you saw about the White House is untrue and we’re looking into it now,” AP director of media relations Paul Colford told VentureBeat in a call.

It looks like the Syrian Electronic Army, the same hackers who hacked into CBS and NPR in the past month, has it out for American publications. The group tweeted a picture of the bogus tweet sent out on the AP’s official account. It reads:

“Breaking: Two Explosions in the White House and Barack Obama is injured.”

SEA then tweeted, “Ops! @AP get owned by Syrian Electronic Army! #SEA #Syria #ByeByeObama”

The group of hackers often attacks publications based on their coverage of the situation in Syria. The official AP twitter account is currently suspended.

It seems the Dow Jones stock exchange reacted fairly quickly to the hack as well. A chart tweeted by Owen Callan, a fixed income dealer, shows that the market fell about 1 percent for 1 to 2 minutes following the bogus tweet. You can see a similar chart in the image above.

The Syrian Electronic Army hacked into Al Jazeera’s live blog of the conflict in Syria last year, defacing the website with pro-Bashar regime imagery.

Dow Jones chart via Yahoo Finance

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

Zendesk manages backoffice features like customer support and help desk operations via a cloud service it delivers to hundreds of clients serving over 65 million people, the company says on its website. Only Twitter, Pinterest, and Tumblr clients were affected, the company says, but those sites comprise literally hundreds of millions of users.

Since most end users never touch Zendesk directly, most users’ first awareness that there might be a problem with their personal informtion will come via an email from one of the affected services. I received an email from Tumblr this evening at 11:05PM PST, saying that my information may have been exposed.

Assuming Zendesk knows exactly how deep the penetration went, there is probably not a lot to worry about. The attackers gained access to email addresses and the subject lines of support emails, but there’s no indication they accessed any passwords or other data.

In other words: don’t panic.

Here’s the email that Tumblr sent out to affected users:

Important information regarding your security and privacy

For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.

This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:

• The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
• Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed tosupport@tumblr.com, abuse@tumblr.com, dmca@tumblr.com,legal@tumblr.com, enquiries@tumblr.com, orlawenforcement@tumblr.com.
• Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.

Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.

This is an breaking story, check for updates on Friday.

photo credit: alles-schlumpf via photopin cc

Why now?

Jeep’s Twitter account recently told the world that the iconic brand had been “sold to Cadillac.” And Burger King’s account started mysteriously promoting McDonalds. Two high-profile hacks in less than a week means, apparently, that Twitter had to take some action.

The hacks were due to phishing attacks, or sending out emails that look legitimate but, sadly, are not.

“There’s no shortage of bad actors sending emails that appear to come from a Twitter.com address in order to trick you into giving away key details about your Twitter account, or other personal information,” Twitter’s “postmaster” Josh Aberant posted this morning on the company’s blog.

Twitter sends out a lot of emails. If you opt into email notifications for new follows, mentions, and direct messages (little hint: don’t), you potentially get hundreds of emails a week. The problem is: how do you know the email in your inbox is from Twitter?

To make that determination easier, Twitter has adopted DMARC technology, an email authentication protocol initially developed by PayPal in 2007. Essentially, it helps receiving mailservers know, with a reasonable level of assurance, that an email’s reported sender is accurate, not spoofed, and not forged. Which then allows the mailserver to delete forged email before it ever reaches your inbox.

Facebook already uses DMARC and is listed as one of the founding contributors to the open specification, as is LinkedIn. Other organizations that use DMARC include Google (Gmail), Microsoft (Hotmail/Outlook), Yahoo (Yahoo Mail), AOL, and Comcast.

A note for emailers:

If you don’t use Gmail or one of the other email providers listed above, you may not be protected. It might be a good time to ask your mail service provider if they support DMARC.

photo credit: Stian Eikeland via photopin cc

Facebook announced that it was hacked in a blog post today after some of its employees visited an infected mobile developer website in January. The company says it has found no evidence that the breach affected user data.

“They gained limited visibility into our systems,” Fred Wolens, a spokesperson for Facebook, told VentureBeat in an interview, “We’ve accelerated our program to disable Java in our environment.”

The company explained in the blog post that the laptops that were infected were “fully patched” and ran the most up-to-date antivirus software prior to the infection. It is currently working with law enforcement to dig into the hack’s details. The malware came through another issue with Java, the programming language that Oracle recently patched to fix a number of other issues. The Department of Homeland Security even recommended that people uninstall Java since hackers were finding new holes often.

“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day,’ previously unseen exploit to bypass the Java sandbox (built-in protections) to install the malware,” said Facebook in the blog post. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

Facebook has not specified who the attackers are, and it very well may not know. The company does, however, say that it was “not alone in this attack” and that it wanted to tell the world about this hack quickly so that others can start their own remediation.

hat tip AllThingsD; Thumbs down image via Shutterstock

Jambox wireless speaker creator Jawbone is singing the blues today. It alerted users early this morning to a hack on its MyTalk network that left the actual names (not to be confused with usernames), email addresses, and encrypted passwords compromised.

The MyTalk network is where people can update their software, find and download apps for Jawbone’s device, and customize their device’s voice and language settings. Those products include Jawbone’s Jambox speakers and headsets. One customer, Dave Zatz, posted the message he received from Jawbone on Twitter. It reads, in part: ”Based on our investigation to date, we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account.”

It continues to say that the password has been “disabled” and you can reset the password by visiting the user reset page and completing emailed instructions.

Of course, if you use that password on any other websites, you should change it immediately. One of the first things a cyber-criminal will do with your password is try it on other websites. And though Jawbone says that because your password was taken was encrypted and none of “the actual letters and numbers in your password” were revealed, hackers have ways to decrypt information.

As The Verge notes, however, it doesn’t seem this hack affected all Jawbone customers. According to a statement provided to the Verge, Jawbone says that the attack was “identified within hours” and subsequently blocked.

Jambox image via Jawbone

As CNet reports, an unidentified hacker found and absconded with an unencrypted backup of virtual wallet keys, taking 24,000 Bitcoins, each worth just over ten U.S. dollars. It’s the virtual equivalent of leaving your wallet on the cafe table as you go to use the restroom.

In a blog post, BitFloor founder Roman Shtylman said that BitFloor, the exchange for Bitcoins, would be paused while he evaluates options. He said he still had logs for all the accounts, trades and transfers for every user, but the theft took the vast majority of the coins BitFloor has on hand at any time, which are generated by commissions on Bitcoin trades.

Shtylman wants to continue to operate BitFloor, but that is currently in doubt. And shuttering the exchange, while a last resort, is a very real option:

As a last resort, I will be forced to fully shut BitFloor down and initiate account repayment using current available funds. I still have all of the logs for accounts, trades, transfers. I know exactly how much each user currently has in their account for both USD and BTC. No records were lost in this attack.

There are multiple Bitcoin exchanges, and BitFloor is only the fourth-largest, globally. So if BitFloor is forced to shutter operations, it does not mean the end of the line for Bitcoin as a currency. In addition, there is no centralized authority for Bitcoins — the system is inherently resistant to a single point of failure.

On the other hand, other Bitcoin exchanges have gone bankrupt, some have been hacked, and there are trojans and viruses in the wild that can steal Bitcoin digital wallets.

It’s not something that engenders trust in something as fundamental as money.

photo credit: zcopley via photo pin cc

Less than 48 hours after Reuters’ blogging platform got hacked, the news wire service once again confirms being compromised — this time via Twitter.

The first attack came Friday after Syrian hackers loyal to President Bashar al-Assad allegedly gained access to Reuters’ blogging platform, which they used to post a fake interview with rebel Free Syrian Army (FSA) leader Riad al-Assad, as VentureBeat previously reported. The interview essentially said the general was withdrawing troops after a battle.

Presumably, the same hackers are responsible for also compromising a Reuters Twitter account dedicated to technology news, which has about 17,500 followers. The hackers proceeded to change the Twitter account handle from “@ReutersTech” to “@ReutersME” Saturday, and shifted the focus of tweets to the Middle East.

The tweets themselves were mostly pro-Syrian government messages, as well as some inflammatory statements targeted at the U.S. government. For example, one tweet stated: “Obama signs executive order banning any further investigation of 9/11,” and other indicated that FSA high-ranking officer Gen. Mustafa Al-Sheikh had died after a recent clash. The current White House administration isn’t a fan of the Syrian government, which made it more difficult for Syria (and other oppressive governments) to track dissidents on social networks back in April.

Reuters confirmed the account was compromised in a tweet this morning. The account is currently banned and awaiting review by Twitter, according to Reuters.

Reuters is hardly the only news organization that’s dealt with hacking or some form of malicious activity to compromise their credibility. This weekend also saw a hacker gain access to Wired reporter (formerly of Gizmodo) Mat Honan’s iCloud account, which led to Gizmodo’s Twitter account being compromised, as well as his own. Last week, New York Time lead tech reporter Nick Bilton was fooled into retweeting a fake op-ed column perpetrated by Wikileaks. And while Bilton’s account wasn’t hacked, the result is the same: hackers used his credibility to promote its own message.

While having (any) of your web accounts compromised is a truly awful experience, having your credibility ruined is far worse — especially if the hacked account represent a news organization.

Via TheNextWeb; Image via Voice of Grey Hat

Former Gizmodo staffer Mat Honan’s iCloud account was compromised over the weekend, which led to both his Twitter account and Gizmodo’s official Twitter account getting hacked.

Honan’s iCloud account gave the hacker access to the Find My Phone feature, thus allowing them to remotely wipe all the data on his iPhone, iPad, and worst of all, his Mac. Honan’s Gmail account was also deleted in the process, and he’s been locked out of other services, including his phone, which he linked with Google Voice through Sprint.

Initially, Honan thought the hacker broke into his account using brute force, despite a seven character alpha-numeric password that he felt was pretty secure. Apparently, this wasn’t the case.

“I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions,” Honan wrote via his Tumblr page. “Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.”

Two-factor authentication, which requires confirmation via both an email message and usually a text message, would have probably prevented the hacker from deleting Honan’s Gmail account and kept people off the Twitter accounts, he said. Unfortunately, Honan didn’t have the two-factor authentication turned on. So, if there’s a moral to this story, it’s that you should go enable two-factor authentication whenever possible. (Do it now!)

This still doesn’t fix the problem of fooling the Apple Care technician over the phone. The computer giant needs to step up its security for verifying user accounts if it plans on seriously taking on the likes of Google, Yahoo, and Microsoft with its iCloud service — not to mention the growing number of cloud-based storage services like Dropbox and Box.net.

Hacked password image via Raywoo/Shutterstock

Reuters blogging platform hacked, false Syria blog posted reut.rs/OOcntJ

—
Reuters Top News (@Reuters) August 03, 2012

Reuters tweeted about the issue immediately and has released a statement explaining the problem and retracting the “illegally posted” interview. Another bogus post apparently claimed that rebels had acquired chemical weapons.

The news agency’s blogging platform is still down now, hours after the attack, as Reuters combs through looking for any other fake posts — and, presumably, any backdoors or unauthorized users. There is no word on what kind of blogging platform Reuters used, or whether the attacker used a zero-day exploit.

Apparently the cause of the hacking in this case was political, which can of course be extremely damaging if undetected.

I can just see the dollar signs in hackers’ eyes now, however, as this may have opened eyes about the possibilities of planting fake news for economic gain.

This incident was quickly found out, but with the speed stories propagate on the internet, a few stories such as Microsoft sanctioned by EU; $10 billion fine or Samsung acquired by Apple; Lawsuits all over could lead to some serious stock manipulation.

Image credit: Jmiks/ShutterStock

Professional social network LinkedIn wants you to know that its taking the recent password security breach to heart — despite lacking greater measures to prevent such hacks and a chief information security officer charged with keeping track of privacy flaws.

The company is taking a lot of heat after hackers divulged 6.5 million user passwords and uploaded them to a Russian forum for help encrypting them. The security breach is due to an exploit with the way LinkedIn’s mobile app handles a user’s calendar data, as VentureBeat previously reported. LinkedIn later confirmed the breech, and advised its users on what steps to take to ensure their information was secure.

In a blog post reaffirming its commitment to security yesterday, LinkedIn claimed that it has no evidence of any accounts being compromised as a result of the security breach.

Despite this, LinkedIn members aren’t ready to forgive and forget. Some users are complaining that LinkedIn didn’t act quickly enough in contacting them about the password leak, while security experts are pointing out that the company could have added an extra layer of password security known as “salting.” There’s also the matter of the social network not having a executive-level officer to manage security and privacy.

In the blog post, LinkedIn Director of Engineering Vicente Silveira wrote:

“We take this criminal activity very seriously so we are working closely with the FBI as they aggressively pursue the perpetrators of this crime. As you may have heard, there have been reports of other websites that have suffered similar thefts. We want to be as transparent as possible while at the same time preserving the security of our members without jeopardizing the ongoing investigation.”

As far as leaked user data is concerned, probably the worst candidate this could happen to is LinkedIn — which contains plenty of personal contact information and linked relationships between business associates across the globe. That could have the potential to wreck business deals and end professional careers. It’s good that the company is being proactive with messages on its blog, but it’ll have to do better than that if it wants to regain the trust of its users.

The problem is: LinkedIn isn’t telling you whether your password is at risk. The site’s news feature, LinkedIn Today, has the story (almost certainly as a result of an automated trending new algorithm), but the site itself has no warnings or means of checking.

That’s a little disappointing — not only because LinkedIn could be doing more to help its users — but also because many users (alas, I am among them) use the same password on multiple sites.

It’s stupid, it’s wrong, and it’s insecure, but we’re human. And, as VentureBeat’s own Sean Ludwig recently posted, when it comes to passwords we are all idiots.

So here’s how to check if your LinkedIn password was among the hacked accounts that are already being used to generate phishing attacks. Go to LastPass.com/linkedin:

Enter your password, and the website will tell you whether or not your password is now out in the wild. The obvious question: is it safe to give LastPass your password?

Here’s what the company says about their tool:

Only the hash of your password will be sent to LastPass.com’s servers, not your actual password. This hash will not be stored or logged at all. Please view source the page if you’re technically inclined. 

LastPass is an privately held company based in Fairfax, Virginia. Launched in 2008 by current CEO Joe Siegrist, it generally has a good reputation, and its software has been reviewed by CNet and others.

One caveat: because the search will look through all the passwords in the file, if you have a very common word or password, it will come up as compromised. For example, here’s what LastPass shows when the all-too-common password “password” is entered:

This does not mean your account is compromised, necessarily. It does mean your password is too common and should be changed. Ultimately, of course, we should all be smarter about passwords and use a tool like LastPass or 1Password to make sure we have complex and unique passwords for every single service and site we use.

Image credit: ShutterStock

Design is determining the winners in everything mobile. The most successful players are focusing on one thing: How to make products, services, and devices as compelling and delightful as possible – visually, and experientially. MobileBeat 2012, July 10-11 in San Francisco , is assembling the most elite minds to debate how UI/UX is transforming every aspect of the mobile economy, and where the opportunities lie. Register here.

The server in question contains information on the free Square Enix Members service offered in North America and Japan. Square Enix suspended operation of the service on Monday, Dec. 12 after learning of the hacking attempt.

After conducting an investigation into the intrusion, Square says no user login credentials were accessed. “Moreover, we have not found evidence that the individual was able to access any personal information at all,” the company said in a note on the Square Enix Members website.

Square has notified the Japanese government of the attempt and says an email will be sent out to all service members advising them that the incident took place.

The Square Enix Members service will be down for a few more days while the company conducts a broader internal investigation.

This is the second time this year Square Enix has fallen victim to a hacking attempt. Back in May, EidosMontreal.com and other Square Enix-owned websites were allegedly broken in to and around 350 job resumes and 250,000 email addresses were illegally obtained.

VentureBeat has attempted to contact Square Enix to confirm the number of Members users affected and to get an exact ETA on when the service will be restored.

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

This week, my Xbox Live account was hacked. This is the story of what happened, my response to it, and the questions about security that it has raised.

The hijack

At twelve minutes past midnight on Tuesday night, just as I was finishing up some work, I received an email to say that I had purchased 6,000 Microsoft Points. My first thought was to laugh it off as spam, as I hadn’t bought any points for months, but I thought I should check my console anyway. On switching on my Xbox, I found that I could no longer access my account.

A quick Google search revealed that other Xbox users had been experiencing similar problems, and I realized that my account had been compromised. I tried to contact Xbox Live support, but its helpline was unhelpfully shut for the night.

Trying to think clearly, despite my somewhat bleary late-night state of mind, I logged into my Microsoft account on my PC, and changed the password. I then went through the process of recovering my Xbox Live account on my console dashboard, which involved entering my Windows Live ID and the new password. On seeing my account again, I was relieved, but also surprised to note that it had been used to play FIFA 12, the popular Electronic Arts soccer game.

The loot

My next move was to contact my credit card provider. The customer service adviser at the bank revealed that there had indeed been a transaction to Xbox Live that night, for £51 (about $80), and they immediately cancelled my card. I was told to phone again once the transaction went through, as it would then be reversed, and dealt with as fraud. Thankfully I use a decent bank and the issue was dealt with quickly and efficiently from that end. I am not sure that every victim of such an attack will be so lucky with their card issuer.

The response

The next morning, I successfully contacted Xbox Live support, explaining in detail what had happened. The adviser confirmed that my account had been used to purchase 6000 Microsoft Points, and intimated that these points had been spent on FIFA 12 Ultimate Team packs. To add insult to injury, it seemed that the hacker had also used up my own, admittedly rather paltry, supply of MS Points during their spending spree.

Confirmation of these Ultimate Team card purchases was found when I checked my console, to find these three new achievements staring back at me:

New Club in Town – 5G – Create your FIFA 12 Ultimate Team club
I’ll Have That One – 10G – Open your first pack in FIFA 12 Ultimate Team
How Great is That? – 20G – Find a team of the week player in an Ultimate Team pack

Quite a kick in the teeth, but hey, at least someone got some pleasure out of those 35G.

The Ultimate Team packs of football cards that were purchased, containing various players that can be used in the game,  are apparently transferable between Xbox Live accounts. This allows a hacker to buy them with a hijacked account and then send them to their own account, for their own purposes. Scouring the internet, it appears that the rarer cards are being traded for cash, through  forums and online auction sites, with some fetching as much as $280 .

I was told by Microsoft Customer Support that my account would be suspended, pending an investigation, which could take between 21 and 30 days to complete. My existing points would apparently be restored once the investigation was complete, and the £51 that had been fraudulently spent would also be refunded (I said this was not necessary, due to the actions being taken by my bank). In the meantime, I would be unable to access my Xbox Live account, and would only be able to play my console offline.

A widespread problem?

Such hacking of Xbox Live accounts, particularly for the purchase of FIFA items, has been widely reported in the past few weeks, both in the specialist and mainstream press. There have also been multiple occurrences of such hacking reported on a variety of websites, including the official Xbox forum and Twitter.

Questions have been asked of Microsoft, as to whether its security is up to scratch, and the response has been that this is not a wider security breach, but rather individual cases of malicious activity.

I approached Microsoft with some questions on this hacking issue, and a spokesman responded with the following statement:

“It is important for us to reconfirm that the Xbox Live service has not been hacked. Some of our customers have been the victims of internet fraud on their accounts. This is a frequent issue that all internet and e-commerce sites and services experience every day. These threats include phishing, brute force attacks, malware, third-party security breaches and in-game scamming / social engineering.

Customers who use the same identity and log-in details across multiple online sites and services are more vulnerable against these everyday internet threats. As ever, we advise customers to be vigilant, and provide further advice on account security across Xbox 360, internet websites and email at www.xbox.com/security.

Of the tens of millions of Xbox Live customers (there are 35 million active members) using the service daily, these issues are affecting a very small percentage of users globally.

Security in the technology industry is an ever-evolving challenge. With each new form of technology designed to deter attacks, the attackers try to find new ways to subvert it. Over time, account security features have been added to help protect our customers’ accounts, and we will continue to add features and processes.

As always, Xbox Live customers who have any queries or concerns should contact Xbox Live Customer Service on 0800 587 1102 [in the UK] or visit www.xbox.com/security.”

So, according to Microsoft, this issue is only affecting a small percentage of global users, but that does not stop it being an issue that raises some pretty big questions, and it is deserving of further investigation.

How is this happening?

The Microsoft statement suggests that these breaches are caused by account details being obtained, via a variety of malicious methods. The nature of Xbox Live is such that an account can be ‘recovered’ on a second console, as long as you have access to the Windows Live ID and password of that user. That results in the account being locked on the original console, as I experienced. With card details being stored on the Microsoft servers, anyone hijacking an account in this way is then able to make purchases on Xbox Live, using the payment card linked to that account.

Why me?

While I cannot dispute that I may have been hacked through some third-party breach, I  would be surprised if that was actually the case. I am pretty careful with my passwords, having four or five that I tend to use for different websites, which I regularly change. I have never responded to a fake ‘phishing’ email and I keep my PC clean, using anti-virus and anti-spyware software.

Looking at other reports of Xbox Live hacking, it is clear that I am not the only one asking this question – a question that remains unanswered.

Pages: 1 2