Firefox

Firefox To Warn When Saved Logins are Found in Data Breaches (bleepingcomputer.com)

Starting in Firefox 70, Mozilla aims to have the browser report when any of your saved logins were found in data breaches. This will be done through their partnership with the Have I Been Pwned data breach site. From a report: Mozilla is slowly integrating their independent Firefox Monitor service and the new Firefox Lockwise password manager directly into Firefox. Mozilla is also considering premium services based around these features in the future. As part of this integration, Firefox will scan the saved login names and passwords and see if they were exposed in a data breach listed on Have I been Pwned. If one is found, Firefox will alert the user and prompt them to change their password. This new feature will only work, though, for data breaches that exposed passwords and when the password was saved prior to an associated data breach.
Canada

Desjardins Data Breach Affecting 2.9 Million Members Caused By Employee Who's Since Been Fired (straight.com)

Freshly Exhumed shares a report from The Georgia Straight: The Quebec-based Desjardins Group has admitted to being victimized by one of the largest data breaches in Canadian history. Laval police informed the financial-services giant that personal information of more than 2.9 million members has been shared with people outside of the organization. This includes 2.7 million people and 173,000 businesses. "This situation is the outcome of unauthorized and illegal use of our internal data by an employee who has since been fired," Desjardins said in a statement. "In light of these events, and given the circumstances, additional security measures were put in place on all accounts." Desjardins, which is the largest federation of credit unions in North America, will be informing people by letters if they've been affected. The leaked data included first and last names, birthdates, social insurance numbers, addresses, phone numbers, email addresses, and details about banking habits. However, passwords, security questions, and PINs were not disclosed.
Books

Prisons Are Banning Books That Teach Prisoners How To Code (vice.com)

An anonymous reader quotes a report from Motherboard: The Oregon Department of Corrections has banned prisoners from reading a number of books related to technology and programming, citing concerns about security. According to public records obtained by the Salem Reporter, the Oregon Department of Corrections has banned dozens of books related to programming and technology as they come through the mail room, ensuring that they don't get into the hands of prisoners. At least in official department code, there is no blanket ban on technology-related books. Instead, each book is individually evaluated to assess potential threats. Many programming-related books are cited as "material that threatens," often including the subject matter ("computer programming") as justification. The Oregon Department of Corrections (DOC) worries that prisoners could use the tools mentioned in some of the programming-related books to compromise their systems. But what's odd is the scope of the ban. Justin Seitz's Black Hat Python book failed the prison's security test since it's geared towards hacking, but so did the books Windows 10 for Dummies and Microsoft Excel 16 for Dummies, which simply teach proficiency in Windows 10 and Excel.

Officials at the DOC argue that knowledge of even these basic programs can pose a threat to prisons. "Not only do we have to think about classic prison escape and riot efforts like digging holes, jumping fences and starting fires, modernity requires that we also protect our prisons and the public against data system breaches and malware," DOC spokesperson Jennifer Black said in an emailed statement. "It is a balancing act we are actively trying to achieve."
Privacy

Meds Prescriptions For 78,000 Patients Left In a Database With No Password (zdnet.com)

An anonymous reader quotes a report from ZDNet: A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 U.S. patients. The database contained information on 391,649 prescriptions for a drug named Vascepa, used for lowering triglycerides (fats) in adults who are on a low-fat and low-cholesterol diet. Additionally, the database also contained the collective information of over 78,000 patients who were prescribed Vascepa in the past. Leaked information included patient data such as full names, addresses, cell phone numbers, and email addresses, but also prescription info such as prescribing doctor, pharmacy information, NPI number (National Provider Identifier), NABP E-Profile Number (National Association of Boards of Pharmacy), and more. "According to vpnMentor, the company that left the database open may have violated HIPAA, and may be in line for a hefty fine for failing to encrypt the patient data it had stored on the database server, a HIPAA golden rule," the report adds. "However, Dissent, the administrator of DataBreaches.net, a website dedicated to tracking data breaches and HIPAA violations, told ZDNet that just because a system stores medical information, it doesn't mean it's necessarily covered by HIPAA. Until the database owner is found, no other conclusions can be drawn."
Security

How Secure Are Zip Files? Senator Wyden Asks NIST To Develop Standards For Safely Sending and Receiving Files (senate.gov)

Federal workers and the public in general might be mistaken about the security of .zip files, Sen. Ron Wyden said on Wednesday [PDF], and he's asking the National Institute of Standards and Technology to issue guidance on the best way to send sensitive files over the internet. Wyden wrote: Government agencies routinely share and receive sensitive data through insecure methods -- such as emailing .zip files -- because employees are not provided the tools and training to do so safely. As you know, it is a routine practice in the government, and indeed the private sector, to send by email password-protected .zip files containing sensitive documents. Many people incorrectly believe that password-protected .zip files can protect sensitive data.

Indeed, many password-protected .zip files can be easily broken with off-the-shelf hacking tools. This is because many of the software programs that create .zip files use a weak encryption algorithm by default. While secure methods to protect and share data exist and are freely available, many people do not know which software they should use. Given the ongoing threat of cyber attacks by foreign state actors and high-profile data breaches, this is a potentially catastrophic national security problem that needs to be fixed. The government must ensure that federal workers have the tools and training they need to safely share sensitive data. To address this problem, I ask that NIST create and publish an easy-to-understand guide describing the best way for individuals and organizations to securely share sensitive data over the internet.

Google

Google's Login Chief: Apple's Sign-In Button Is Better Than Using Passwords (theverge.com)

After Apple announced a single sign-on tool last week, The Verge interviewed Google product management director Mark Risher. Though Google offers its own single sign-on tool, The Verge found him "surprisingly sunny about having a new button to compete with. While the login buttons are relatively simple, they're much more resistant to common attacks like phishing, making them much stronger than the average password -- provided you trust the network offering them." RISHER: I honestly do think this technology will be better for the internet and will make people much, much safer. Even if they're clicking our competitor's button when they're logging into sites, that's still way better than typing in a bespoke username and password, or more commonly, a recycled username and password...

Usually with passwords they recommend the capital letters and symbols and all of that, which the majority of the planet believes is the best thing that they should do to improve their security. But it actually has no bearing on phishing, no bearing on password breaches, no bearing on password reuse. We think that it's much more important to reduce the total number of passwords out there...

People often push back against the federated model, saying we're putting all our eggs into one basket. It sort of rolls off the tongue, but I think it's the wrong metaphor. A better metaphor might be a bank. There are two ways to store your hundred dollars: you could spread it around the house, putting one dollar in each drawer, and some under your mattress and all of that. Or you could put it in a bank, which is one basket, but it's a basket that is protected by 12-inch thick steel doors. That seems like the better option!

Privacy

UK Porn Block Is a 'Privacy Timebomb,' New Report Warns (independent.co.uk)

New age restrictions on pornography that are set to come into effect in the UK next month are a "privacy timebomb," a new report by privacy watchdog Open Rights Group has warned. They say that the data protection in place to protect consumers is "vague, imprecise and largely a 'tick box' exercise." The Independent reports: The identity checks needed to stop under-18s from visiting pornographic websites will force any commercial provider of online pornography to carry out "robust" checks on their users to ensure they are adults. The age verification measures will be introduced on 15 July but a recent YouGov poll showed that 76 per cent of the British public is unaware of the ID checks being introduced. "With one month until rollout, the UK porn block is a privacy timebomb," the report stated.

Estimates suggest around 20 million adults in the UK watch porn, meaning the scale of any privacy breaches could be vast. "Due to the sensitive nature of age verification data, there needs to be a higher standard of protection than the baseline which is offered by data protection legislation," said Open Rights Group executive director Jim Killock. "The BBFC's standard is supposed to deliver this. However, it is a voluntary standard, which offers little information about the level of data protection being offered and provides no means of redress if companies fail to live up to it." Mr Killock said the standard was therefore "pointless and misleading."

Security

The Biggest Data Breach Archive On the Internet Is For Sale (vice.com)

Troy Hunt, the owner and founder of the well-known and respected data breach notification website "Have I Been Pwned," announced today that he's actively looking for a buyer.

"To date, every line of code, every configuration and every breached record has been handled by me alone. There is no 'HIBP team,' there's one guy keeping the whole thing afloat," Hunt wrote. "It's time for HIBP to grow up. It's time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that's able to do way more than what I ever could on my own." Motherboard reports: Over the years, Have I Been Pwned has become the repository for data breaches on the internet, a place where users can search for their email address and see whether they have been part of a data breach. It's now also a service where people can sign up to get notified whenever their accounts get breached. It's perhaps the most useful, free, cybersecurity service in the world. Hunt said he's already had informal conversations with some organizations that might be interested in buying the service. Hunt said he's engaged the financial consulting firm KPMG to look for a buyer.

In the post, Hunt shared some staggering numbers that explain just how big Have I Been Pwned has become: 8 billion breached records, nearly 3 million people subscribed to notifications, who have been emailed about a breach 7 million times, 150,000 unique visitors to the site on a normal day, 10 million on an abnormal day. Regardless of who buys the site, Hunt made a series of commitments on the future of Have I Been Pwned: searches should remain free for consumers, the platform should expand and grow, and, finally, he wants to stay involved in some capacity.

Piracy

Kim Dotcom In Final Bid To Halt Extradition (bbc.com)

An anonymous reader quotes a report from the BBC: Controversial internet entrepreneur Kim Dotcom has begun a final appeal to halt his extradition from New Zealand to the U.S. on copyright-related charges. The FBI claims Mr Dotcom's Megaupload site earned millions of dollars by facilitating illegal file-sharing. But his lawyers told New Zealand's Supreme Court on Monday it was never meant to encourage copyright breaches. Mr Dotcom, who denies the charges, could face a lengthy jail term in the U.S. if extradited and found guilty.

Mathias Ortmann, Bram van der Kolk and Finn Batato -- all former Megaupload executives -- stand accused of the same charges, which include conspiracy to commit racketeering, copyright infringement, money laundering and wire fraud. The US Department of Justice has been trying to extradite the men since 2012, and in 2015 a New Zealand district court said it would permit the move. The defendants have since lodged unsuccessful appeals at the High Court and Court of Appeal, leading to a final push this week at the Supreme Court.

"In 2005 I created a website that allowed people to upload files to the cloud. At the time only small files could be attached to emails. Megaupload allowed users to email a link to a file. That's it," Dotcom wrote on Twitter yesterday. "In 2019 the NZ Supreme Court decides if I should be extradited for this 'crime.'"
Businesses

Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers (propublica.org)

As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra. From a report: Proven Data promised to help ransomware victims by unlocking their data with the "latest technology," according to company emails and former clients. Instead, it obtained decryption tools from cyberattackers by paying ransoms, according to Storfer and an FBI affidavit obtained by ProPublica. Another U.S. company, Florida-based MonsterCloud, also professes to use its own data recovery methods but instead pays ransoms, sometimes without informing victims such as local law enforcement agencies, ProPublica has found. The firms are alike in other ways. Both charge victims substantial fees on top of the ransom amounts. They also offer other services, such as sealing breaches to protect against future attacks. Both firms have used aliases for their workers, rather than real names, in communicating with victims.

The payments underscore the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion. Since some victims are public agencies or receive government funding, taxpayer money may end up in the hands of cybercriminals in countries hostile to the U.S. such as Russia and Iran.

Security

Hackers Breached 3 US Antivirus Companies, Researchers Reveal (arstechnica.com)

In a report published Thursday, researchers at the threat-research company Advanced Intelligence (AdvIntel) revealed that a collective of Russian- and English-speaking hackers is actively marketing the spoils of data breaches at three US-based antivirus software vendors. From a report: The collective, calling itself "Fxmsp," is selling both source code and network access to the companies for $300,000 and is providing samples that show strong evidence of the validity of its claims. Yelisey Boguslavskiy, director of research at AdvIntel, told Ars that his company notified "the potential victim entities" of the breach through partner organizations; it also provided the details to US law enforcement. In March, Fxmsp offered the data "through a private conversation," Boguslavskiy said. "However, they claimed that their proxy sellers will announce the sale on forums."
Government

'Technology Needs To Be Regulated': Apple CEO Tim Cook Says No Oversight Has Led To Great Damage To Society (time.com)

In an interview at the TIME 100 Summit in New York, Apple CEO Tim Cook said more government regulation on the tech industry is needed in order to protect privacy. "We all have to be intellectually honest, and we have to admit that what we're doing isn't working," said Cook. "Technology needs to be regulated. There are now too many examples where the no rails have resulted in a great damage to society." Time Magazine reports: In the interview, Cook suggested that U.S. regulators could look to Europe's passage of the General Data Protection Regulation (GDPR) in 2018. "GDPR isn't ideal," said Cook. "But GDPR is a step in the right direction." In light of recent data breaches and foreign election influence through social media, Cook's view is that the tech industry has no other responsible option but to accept more government oversight, a position he outlined in a recent TIME Ideas piece.

"I'm hopeful," Cook said at the Summit. "We are advocating strongly for regulation -- I do not see another path." Cook also explained Apple's stance on transparency and money in politics. "We focus on policies, not politics," Cook said. "Apple doesn't have a PAC...I refuse to have one because it shouldn't exist." [...] "I try not to get wrapped up in a pretzel about who we upset," Cook said. "At the end of the day we'll be judged more on 'did we stand up for what we believed in,' not necessarily, 'do they agree with it.'"

Security

More Than 23 Million People Use the Password '123456' (ncsc.gov.uk)

Bearhouse shares a new study from the UK's "National Cyber Security Centre," which advises the public on computer security, about the world's most-frequently cracked passwords. It's probably no surprise to the Slashdot readership: people use bad passwords. A recent study of publicly-available "hacked" accounts -- by the UK National Cyber Security Centre -- reveals "123456" was top, followed by the much more secure "123456789" and hard-to-guess "qwerty". If you're a soccer (football) fan, then try "Liverpool" or "Chelsea" -- they'll work in more than half a million cases. Finally, for musicians, Metallica gets beaten down by 50cent, 140k to 190k respectively.

The most common fictional names used as passwords were "superman" (333,139 users), "naruto" (242,749), "tigger" (237,290), "pokemon" (226,947), and "batman" (203,116).

The organization recommends instead choosing three random words as a password -- and also checking "password blacklists" that show passwords that have already been found in past data breaches. (Developers and sysadmins are also advised to implement these checks as part of their rules for which user passwords will be allowed.) The organization also released a file from the "Have I Been Pwned" site containing the top 100,000 passwords.

So what are the top ten most-frequently used passwords?
  • 123456
  • 123456789
  • qwerty
  • password
  • 111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

Security

Two Out of Three Hotels Accidentally Leak Guests' Personal Data: Symantec (reuters.com)

Two out of three hotel websites inadvertently leak guests' booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec on Wednesday. From a report: The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Marriott International disclosed one of the worst data breaches in history. Symantec said Marriott was not included in the study. Compromised personal information includes full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals who are increasingly interested in the movements of influential business professionals and government employees, Symantec said.
Yahoo!

Yahoo Offers $118 Million To Settle Lawsuit Over Massive Data Breach (cnn.com)

Yahoo is offering to pay $117.5 million to settle its massive data breaches that compromised personal information, including email addresses and passwords. "The proposed settlement was announced on Tuesday, but still needs to be approved by U.S. District Judge Lucy Koh," reports CNN. From the report: Earlier this year, a different version of the class-action settlement was rejected by Koh, who wanted to see more benefit to consumers and a specific settlement amount. Yahoo was hit by multiple data breaches from 2013 to 2016. The 2013 breach affected every single customer account that existed at the time, which totaled 3 billion. Yahoo previously said names, email addresses and passwords were compromised but not financial information.
Security

Security Expert Launches BreachClarity.com, A New Data Breach Response Tool (breachclarity.com)

A new online tool "analyzes publicly disclosed data breaches and gives concrete advice to victims," reported CNET last week. Now the site's creator, data breach expert jimvandyke, is asking Slashdot's readers for feedback: At BreachClarity.com, just enter the name of any data breach you were in (such as 'Anthem', 'Equifax', 'Yahoo', etc.), and click the bright green 'search' button. Every publicly-reported breach since January 2017 (and noteworthy older ones) is in the database, and eventually every publicly-reported breach will be in the database, thanks to my non-profit partner the IDTheftCenter.org (ITRC). Breach Clarity is now available for free in basic form to consumers, as a very simple UI sitting in front of a comprehensive algorithm of my own design.

The goal of Breach Clarity is to help people by demystifying how any new data breach creates identity-holder risk of identity theft, identity fraud, and other harms. My goal in creating Breach Clarity is to move past the myths and victim-blaming (for instance, my research finds that very few people are actually 'apathetic' or 'lazy' when it comes to security, and it's simply not true that 'everyone's data is all already out there' for any cyber-criminal who wants to commit fraud in another person's name).

Breach Clarity uses dynamic research, technology, and design-thinking to protect people in the face of an onslaught of ongoing data breaches (The ITRC recorded 1,244 publicly reported US ones last year, leading to over $10B in annual identity crimes as reported by my former company Javelin Strategy & Research!)... If you like what you see, please use it and spread the word.

The original submission says the site's creator is currently "a one-person pre-funded operation, aiming to create an advanced and more full-featured version of Breach Clarity that will be licensed for financial institutions and employers." But if this is beta testing, there's some great technical support. "If you're confused by what you see, you can actually call the phone number in the upper right of BreachClarity and talk to a real person for free. You'll reach my partner, the ITRC, who gets grant funding from law enforcement and foundations."

CNET notes that "You can already find out if you've lost login credentials and other sensitive information by visiting Have I Been Pwned or Firefox Monitor. Breach Clarity takes things a step further by helping you decide what to do afterward."
Government

Elizabeth Warren Introduces Bill That Could Hold Tech Execs Responsible For Data Breaches (theverge.com)

On Wednesday, Sen. Elizabeth Warren (D-MA) introduced a new piece of legislation that would make it easier to criminally charge company executives when Americans' personal data is breached. From a report: The Corporate Executive Accountability Act is yet another push from Warren who has focused much of her presidential campaign on holding corporations and their leaders responsible for both their market dominance and perceived corruption. The bill, if approved, would widen criminal liability of "negligent" executives of corporations (that make more than $1 billion) when they commit crimes, repeatedly break federal laws, or harm a large number of Americans by way of civil rights violations, including their data privacy. "When a criminal on the street steals money from your wallet, they go to jail. When small-business owners cheat their customers, they go to jail," Warren wrote in a Washington Post op-ed published on Wednesday morning. "But when corporate executives at big companies oversee huge frauds that hurt tens of thousands of people, they often get to walk away with multimillion-dollar payouts."
Facebook

Millions of Facebook Records Found on Amazon Cloud Servers (bloomberg.com)

Researchers at UpGuard, a cybersecurity firm, found troves of Facebook user information hiding in plain sight, inadvertently posted publicly on Amazon.com's cloud computing servers. From a report: The discovery shows that a year after the Cambridge Analytica scandal exposed how unsecure and widely disseminated Facebook users' information is online, companies that control that information at every step still haven't done enough to seal up private data, Bloomberg News reports. In one instance, Mexico City-based media company Cultura Colectiva openly stored 540 million records on Facebook users, including identification numbers, comments, reactions and account names. That database was closed on Wednesday after Bloomberg alerted Facebook to the problem and Facebook contacted Amazon. Facebook shares pared their gains after the Bloomberg News report. UpGuard adds: The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers. As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.

Crime

Man Arrested For Selling One Million Netflix, Spotify, Hulu Passwords (bitdefender.com)

Police in Australia have arrested a man who allegedly made AU $300,000 (US $211,000) running a website which sold the account passwords of popular online subscription services including Netflix, Spotify, Hulu, PSN, and Origin. From a report: The 21-year-old man was arrested on Tuesday in Sydney, Australia, following an international investigation by the FBI and the Australian Federal Police into the website Wicked Gen. The Wicked Gen website bragged that it had over 120,000 users and almost one million sets of account details, offering monthly and yearly membership plans for those who wanted "access to thousands of premium accounts across a huge range of services." The account passwords, however, were not obtained via legitimate means. Instead the details were typically obtained through credential stuffing using swathes of usernames and passwords leaked through other data breaches, without the knowledge of their genuine owners.
Businesses

Apple Is Now Forcing Its Suppliers to Go 'Green' (afr.com)

Apple is already running on 100% green energy, according to Fast Company. But Apple is still "keen to show it's a good corporate citizen," reports the Australian Financial Review: Apple's annual supplier responsibility report released on Thursday revealed 20 manufacturing supplier facilities had been removed from the company's supply chain for breaches of environmental permits or workplace rules. "Smelters and refiners deeper in our supply chain are held to similar standards and if they exhibit a lack of commitment to meet our supplier code of conduct, they risk losing Apple's business," the report said...

In 2018, Apple completed 770 audits of its supplier manufacturing facilities, logistics and repair centres and contact centre facilities. There were also 279 third-party mineral smelter and refiner audits conducted... Apple's 13th annual supplier responsibility progress report said all final assembly points for iPhone, iPad, Mac, Apple Watch, AirPods and HomePod, were now certified zero waste to landfill, while conserving billions of litres of water and reducing greenhouse gas emissions.

Apple's suppliers in 45 countries have diverted 1 million tonnes of garbage in three years, saved 28.7 gigalitres of water and reduced greenhouse gas emissions by more than 466,000 annualised metric tons, which is the equivalent to taking 100,000 cars off the road for one year.
