Games

Pinball is Booming in America, Thanks To Nostalgia and Canny Marketing

Twenty years ago, pinball seemed to be circling the drain. In the 1980s and 1990s video games stole market share from the mechanical sort, and home games-consoles stole market share from arcades. By 2000 WMS, the Chicago-based maker of the Bally and Williams brands of pinball machines, then the biggest manufacturer, closed its loss-making pinball division to focus on selling slot machines. Yet today, pinball is thriving again, both at places like Logan Arcade and in people's homes. The Economist reports: Sales of new machines have risen by 15-20% every year since 2008, says Zach Sharpe, of Stern Pinball, which after WMS closed became the last remaining major maker. "We have not looked back," he says. Next year the firm is moving to a new factory, twice the size of its current one, in the north-west suburbs of Chicago. Sales of used machines are more buoyant still -- some favourites, such as Stern's Game of Thrones-themed game, can fetch prices well into five figures. Josh Sharpe, Zach's brother and president of the International Flipper Pinball Association, says that last year the IFPA approved 8,300 "official" tournaments, a four-fold increase on 2014.

What is driving the boom? Much of it is nostalgia. A generation raised on pinball in arcades in the 1980s and 1990s is now at an age where they have disposable income, and kids with whom they want to play the games they played as children. Marty Friedman, who runs an arcade in Manchester, a tourist town in southern Vermont, says that he and his wife opened their business after he realised it would allow him to indulge his hobby. "I compiled a list of the games I felt were essential to a collection you would deem museum-worthy," he said, and went about acquiring them. But canny marketing is also drawing in fresh blood. Newer Stern machines are now connected to the internet, so players can log in and have their scores uploaded to an online profile. Both Sharpes suggest that the mechanical nature of the games appeals to people bored with purely screen-based play.
Security

Promising Jobs At the US Postal Service, 'US Job Services' Leaks Customer Data (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: A sprawling online company based in Georgia that has made tens of millions of dollars purporting to sell access to jobs at the United States Postal Service (USPS) has exposed its internal IT operations and database of nearly 900,000 customers. The leaked records indicate the network's chief technology officer in Pakistan has been hacked for the past year, and that the entire operation was created by the principals of a Tennessee-based telemarketing firm that has promoted USPS employment websites since 2016. KrebsOnSecurity was recently contacted by a security researcher who said he found a huge tranche of full credit card records exposed online, and that at first glance the domain names involved appeared to be affiliated with the USPS. Further investigation revealed a long-running international operation that has been emailing and text messaging people for years to sign up at a slew of websites that all promise they can help visitors secure employment at the USPS.

Sites like FederalJobsCenter[.]com also show up prominently in Google search results for USPS employment, and steer applicants toward making credit card "registration deposits" to ensure that one's application for employment is reviewed. These sites also sell training, supposedly to help ace an interview with USPS human resources. FederalJobsCenter's website is full of content that makes it appear the site is affiliated with the USPS, although its "terms and conditions" state that it is not. Rather, the terms state that FederalJobsCenter is affiliated with an entity called US Job Services, which says it is based in Lawrenceville, Ga. The site says applicants need to make a credit card deposit to register, and that this amount is refundable if the applicant is not offered a USPS job within 30 days after the interview process. But a review of the public feedback on US Job Services and dozens of similar names connected to this entity over the years shows a pattern of activity: Applicants pay between $39.99 and $100 for USPS job coaching services, and receive little if anything in return. Some reported being charged the same amount monthly.
Michael Martel, spokesperson for the United States Postal Inspection Service, said in a written statement that the USPS has no affiliation with the websites or companies named in this story.

"To learn more about employment with USPS, visit USPS.com/careers," Martel wrote. "If you are the victim of a crime online report it to the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. To report fraud committed through or toward the USPS, its employees, or customers, report it to the United States Postal Inspection Service (USPIS) at www.uspis.gov/report."

A list of all the current sites selling this product can be found in Krebs' report.
Businesses

Amazon Launches Program To Identify and Track Counterfeiters (reuters.com)

Amazon has launched its Anti-Counterfeiting Exchange (ACX), an initiative to help retail stores label and track marketplace counterfeits as part of the e-commerce giant's efforts to crack down on organized crime on its platform, the company announced on Thursday. From a report: Online marketplaces in the United States including Amazon face hurdles in keeping counterfeiters off their platforms and fake merchandise from entering their warehouses. The new program mimics data exchange programs by the credit card industry to find scammers and identify their tactics. Stores and Amazon marketplace sellers can anonymously contribute information and records flagging counterfeiters to a third-party database or use the database to avoid doing business with the bad actors.

"We think it is critical to share information about confirmed counterfeiters to help the entire industry stop these criminals earlier," Dharmesh Mehta, Amazon's vice president of selling partner services, said in a statement. The Seattle-based retail giant piloted the anti-counterfeiting initiative in 2021 with an undisclosed number of apparel, home goods and cosmetics stores, where counterfeiting is most common.

The Internet

Imgur To Ban Nudity Or Sexually Explicit Content Next Month

Online image hosting service Imgur is updating its Terms of Service on May 15th to prohibit nudity and sexually explicit content, among other things. The news arrived in an email sent to "Imgurians". The changes have since been outlined on the company's "Community Rules" page, which reads: Imgur welcomes a diverse audience. We don't want to create a bad experience for someone that might stumble across explicit images, nor is it in our company ethos to support explicit content, so some lascivious or sexualized posts are not allowed. This may include content containing:

- the gratuitous or explicit display of breasts, butts, and sexual organs intended to stimulate erotic feelings
- full or partial nudity
- any depiction of sexual activity, explicit or implied (drawings, print, animated, human, or otherwise)
- any image taken of or from someone without their knowledge or consent for the purpose of sexualization
- solicitation (the uninvited act of directly requesting sexual content from another person, or selling/offering explicit content and/or adult services)

Content that might be taken down may include: see-thru clothing, exposed or clearly defined genitalia, some images of female nipples/areolas, spread eagle poses, butts in thongs or partially exposed buttocks, close-ups, upskirts, strip teases, cam shows, sexual fluids, private photos from a social media page, or linking to sexually explicit content. Sexually explicit comments that don't include images may also be removed.

Artistic, scientific or educational nude images shared with educational context may be okay here. We don't try to define art or judge the artistic merit of particular content. Instead, we focus on context and intent, as well as what might make content too explicit for the general community. Any content found to be sexualizing and exploiting minors will be removed and, if necessary, reported to the National Center for Missing & Exploited Children (NCMEC). This applies to photos, videos, animated imagery, descriptions and sexual jokes concerning children.
The company is also prohibiting hate speech, abuse or harassment, content that condones illegal or violent activity, gore or shock content, spam or prohibited behavior, content that shares personal information, and posts in general that violate Imgur's terms of service. Meanwhile, "provocative, inflammatory, unsettling, or suggestive content should be marked as Mature," says Imgur.
Advertising

Tax-Filing Sites Ask to Blab Your Financial Info to 'Business Partners' (msn.com)

Online tax-filing services from TurboTax and H&R Block "want to blab your tax return secrets," warns the Washington Post. "Why? To help them make more money." If you prepare your taxes online with TurboTax or H&R Block software, at some point you'll see a message that I found confusing. "We can help you do more," TurboTax says. In this case, that "help" is funneling the private information from your tax return to Intuit — the company that owns TurboTax, Credit Karma and accounting software QuickBooks. H&R Block offers to "personalize your H&R Block experience."

If you say yes, you're going to see email and other marketing from Intuit and H&R Block or its business partners that are tailored to what's in your tax return.

That might include how much money you make, how much you owe in student loans, the size of your tax return and your charitable contributions. For example, a credit card company might pay Intuit's Credit Karma to show offers to high-income people. Intuit knows that information from your tax return. The Washington Post technology columnist Geoffrey A. Fowler wrote last year about how these two companies grab for your secret tax return information. He dubbed it "the Facebook-ization of personal finance."

In a way, the tax prep companies are more aggressive than Facebook. What they're doing is mission creep. You might already be paying TurboTax and H&R Block to prepare or file your tax return. Now they also want your permission to pass along your secrets to make even more money off you.

Programming

Rust Foundation Solicits Feedback on Updated Policy for Trademarks (google.com)

"Rust" and "Cargo" are registered trademarks held by the Rust Foundation — the independent non-profit supporting Rust's maintainers. In August, 1,000 people responded to the foundation's Trademark Policy Review Survey, after which the foundation invited any interested individuals to join their Trademark Policy Working Group (which also included Rust Project leaders). They've now created a draft of an updated policy for feedback...

Crate, RS, "Rustacean," and the logo of Ferris the crab are all available for use by anyone consistent with their definition, with no special permission required. Here's how the document's quick reference describes other common use-cases:
  • Selling Goods — Unless explicitly approved, use of the Rust name or Logo is not allowed for the purposes of selling products/promotional goods for gain/profit, or for registering domain names. For example, it is not permitted to sell stickers of the Rust logo in an online shop for your personal profit.
  • Showing Support of Rust — When showing your support of the Rust Project on a personal site or blog, you may use the Rust name or Logo, as long as you abide by all the requirements listed in the Policy. You may use the Rust name or Logo in social media handles, avatars, and emojis to demonstrate Rust Project support in a manner that is decorative, so long as you don't suggest commercial Rust affiliation.
  • Inclusion of the Marks in Educational Materials — You may use the Rust name in book and article titles and the Logo in graphic components, so long as you make it clear that the Rust Project or Foundation has not reviewed/approved/endorsed your content.

There's also a FAQ, answering questions like "Can I use the Rust logo as my Twitter Avatar?" The updated policy draft says "We consider social media avatars on personal accounts to be fair use. On the other hand, using Rust trademarks in corporate social media bios/profile pictures is prohibited.... In general, we prohibit the modification of the Rust logo for any purpose, except to scale it. This includes distortion, transparency, color-changes affiliated with for-profit brands or political ideologies. On the other hand, if you would like to change the colors of the Rust logo to communicate allegiance with a community movement, we simply ask that you run the proposed logo change by us..."

And for swag at events using the Rust logo, "Merch developed for freebies/giveaways is normally fine, however you need approval to use the Rust Word and/or Logo to run a for-profit event. You are free to use Ferris the crab without permission... If your event is for-profit, you will need approval to use the Rust name or Logo. If you are simply covering costs and the event is non-profit, you may use the Rust name or Logo as long as it is clear that the event is not endorsed by the Rust Foundation. You are free to use Ferris the crab without permission."

Books

Amazon To Close Book Depository Online Shop (theguardian.com)

The online shop Book Depository is due to close at the end of April, vendors and publishing partners have been told. This comes after the bookseller's parent company Amazon announced it had decided to "eliminate" a number of positions across its Devices and Books businesses. The Guardian reports: The Gloucester-based bookseller was founded in 2004 by Stuart Felton and Andrew Crawford, a former Amazon employee, with the mantra of "selling 'less of more' rather than 'more of less'". It aimed to sell 6m titles covering a wide variety of genres and topics, as opposed to focusing solely on bestsellers. While originally a rival to Amazon, it was acquired by the retail giant in 2011, causing some in the publishing industry to worry about the tightening of the American company's "stranglehold" on the UK book trade.

According to the trade magazine the Bookseller, an email sent out to vendors and publishing partners explained that Book Depository will be closing, and that the last date customers will be able to place orders is 26 April. "Over the coming weeks we will complete a winding down of the business, including discontinuing our listings as a marketplace seller and closing our website," Andy Chart, head of vendor management, wrote. "I would like to take this opportunity to say a big thank you, from everyone at Book Depository and our book-loving customers, for your supportive partnership over the years in helping us to make printed books more accessible to readers around the world," he concluded.

Crime

FBI Seizes Bot Shop 'Genesis Market' (krebsonsecurity.com)

Several domain names tied to Genesis Market, a bustling cybercrime store that sold access to passwords and other data stolen from millions of computers infected with malicious software, were seized by the Federal Bureau of Investigation (FBI) today. KrebsOnSecurity reports: Sources tell KrebsOnSecurity the domain seizures coincided with "dozens" of arrests in the United States and abroad targeting those who allegedly operated the service, as well as suppliers who continuously fed Genesis Market with freshly-stolen data. Active since 2018, Genesis Market's slogan has long been, "Our store sells bots with logs, cookies, and their real fingerprints." Customers could search for infected systems with a variety of options, including by Internet address or by specific domain names associated with stolen credentials.

But earlier today, multiple domains associated with Genesis had their homepages replaced with a seizure notice from the FBI, which said the domains were seized pursuant to a warrant issued by the U.S. District Court for the Eastern District of Wisconsin. But sources close to the investigation tell KrebsOnSecurity that law enforcement agencies in the United States, Canada and across Europe are currently serving arrest warrants on dozens of individuals thought to support Genesis, either by maintaining the site or selling the service bot logs from infected systems. The seizure notice includes the seals of law enforcement entities from several countries, including Australia, Canada, Denmark, Germany, the Netherlands, Spain, Sweden and the United Kingdom. [...]

One feature of Genesis that sets it apart from other bot shops is that customers can retain access to infected systems in real-time, so that if the rightful owner of an infected system creates a new account online, those new credentials will get stolen and displayed in the web-based panel of the Genesis customer who purchased that bot. "While some infostealers are designed to remove themselves after execution, others create persistent access," reads a March 2023 report from cybersecurity firm SpyCloud. "That means bad actors have access to the current data for as long as the device remains infected, even if the user changes passwords." SpyCloud says Genesis even advertises its commitment to keep the stolen data and the compromised systems' fingerprints up to date. "According to our research, Genesis Market had more than 430,000 stolen identities for sale as of early last year -- and there are many other marketplaces like this one," the SpyCloud report concludes.

Cellphones

Europe's Right-To-Repair Law Asks Hardware Makers For Fixes For Up To 10 Years (theregister.com)

The European Commission has adopted a new set of right to repair rules (PDF) that, among other things, will add electronic devices like smartphones and tablets to a list of goods that must be built with repairability in mind. The Register reports: The new rules will need to be negotiated between the European Parliament and member states before they can be turned into law. If they are, a lot more than just repairability requirements will change. One provision will require companies selling consumer goods in the EU to offer repairs (as opposed to just replacing a damaged device) free of charge within a legal guarantee period unless it would be cheaper to replace a damaged item. Beyond that, the directive also adds a set of rights for device repairability outside of legal guarantee periods that the EC said will help make repair a better option than simply tossing a damaged product away.

Under the new post-guarantee period rule, companies that produce goods the EU defines as subject to repairability requirements (e.g., appliances, commercial computer hardware, and soon cellphones and tablets) are obliged to repair such items for five to 10 years after purchase if a customer demands so, and the repair is possible. OEMs will also need to inform consumers about which products they are liable to repair, and consumers will be able to request a new Repair Information Form from anyone doing a repair that makes pricing and fees more transparent. The post-guarantee period repair rule also establishes the creation of an online "repair matchmaking platform" for EU consumers, and calls for the creation of a European repair standard that will "help consumers identify repairers who commit to a higher quality."

"Repair is key to ending the model of 'take, make, break, and throw away' that is so harmful to our planet, our health and our economy," said Frans Timmermans, EVP for the European Green Deal, which aims to make the whole of EU carbon neutral by 2050. On that note, the EC proposed a set of anti-greenwashing laws alongside passing its right to repair rule yesterday that would make it illegal to make any green claims about a product without evidence. Citing the fact that 94 percent of Europeans believe protecting the environment is important, the EC said its proposal covers any explicit, voluntarily-made claims "which relate to the environmental impact, aspect, or performance of a product or the trader itself." Any such claims, like a laptop being made from recycled plastic, would need to be independently verified and proven with scientific evidence, the EC said.

Businesses

Amazon Is Taking Half of Each Sale From Its Merchants (bloomberg.com)

Grappling with slowing sales growth and rising costs, Amazon is squeezing more money from the nearly 2 million small businesses that sell products on its sprawling online marketplace. From a report: For the first time, Amazon's average cut of each sale surpassed 50% in 2022, according to a study by Marketplace Pulse, which sampled seller transactions going back to 2016. The research firm calculated the total cost of selling on Amazon by tallying the commission on each sale, fees for warehouse storage, packing and delivery, as well as money spent to advertise on a site where hundreds of millions of products jostle for attention. Paying Amazon for logistics services and advertising is optional, but most merchants consider these a necessary part of doing business.

Sellers have been paying Amazon more per transaction for six years in a row, according to Marketplace Pulse, but were able to absorb the increases because the company was attracting new customers and rapidly increasing sales. That abruptly changed when pandemic lockdowns eased and people began traveling and dining out again, sucking the oxygen out of online shopping. Last year, Amazon generated the slowest sales growth in its history.

The Courts

Are Brands Protected In the Metaverse? Hermes and NFT Artist Spar In US Court (theguardian.com)

An anonymous reader quotes a report from The Guardian: Pictures of 100 Birkin bags covered in shaggy, multi-colored fur have become the focus of a court dispute that will decide how digital artists can depict commercial activities in their art and cast new light on whether brands are protected in the metaverse. In the case, being heard this week in a New York federal courtroom, the luxury handbag maker Hermes is challenging an artist who sells the futuristic digital works known as NFTs or non-fungible tokens. Artist and entrepreneur Mason Rothschild created images of the astonishingly expensive Hermes handbag, the Birkin, digitally covered the bags in fur and turned the pictures into an "art project," which he called MetaBirkin. Then he sold editions of the images online for total earnings of more than $1m, according to court records.

Hermes promptly sued, claiming the artist was simply "a digital speculator who is seeking to get rich quick by appropriating" the Hermes brand. The "Metabirkins brand simply rips off Hermes's famous Birkin trademark by adding the generic prefix 'meta,'" read the original complaint filed by Hermes in January last year, noting that the "meta" in the name refers to the digital metaverse now being pumped by technology innovators as the next big thing in tech profit-making. Rothschild, whose real name is Sonny Estival, countered that he has a first amendment right to depict the hard-to-buy, French handbags in his artwork, just as Andy Warhol portrayed giant Campbell's soup cans in his famous pop culture silk screens. "I'm not creating or selling fake Birkin bags. I'm creating art works that depict imaginary, fur-covered Birkin bags," said Rothschild in a letter to the community after the case was filed. "The fact that I sell the art using NFTs doesn't change the fact that it's art."
"One hurdle that Hermes will have to overcome in the case is the fact that US trademark law requires brands to register their trademarks for each specific type of use, so digital sales might require a separate registration," notes the report.

"In the end, [Michelle Cooke, a partner at the law firm Arentfox Schiff LLP, who advises brands on these types of trademark issues] says the decision might come down to whether the jury believes Rothschild did the MetaBirkin project as an artistic project 'or was it a money-making venture that he cast as an artistic project when he got into trouble.'"
Crime

Finland's Most-Wanted Hacker Nabbed In France (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: Julius "Zeekill" Kivimaki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimaki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest. [...] According to the French news site actu.fr, Kivimaki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimaki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument. Police responding to the scene were admitted by another woman -- possibly a roommate -- and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6'3" blonde, green-eyed man presented an ID that stated he was of Romanian nationality. The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimaki and took him into custody.

Kivimaki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimaki's involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP. Finnish police said Kivimaki also used the nicknames "Ryan", "RyanC" and "Ryan Cleary" (Ryan Cleary was actually a member of a rival hacker group -- LulzSec -- who was sentenced to prison for hacking). Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimaki's alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimaki was 15 years old at the time. In 2013, investigators going through devices seized from Kivimaki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe's ColdFusion software.

Multiple law enforcement sources told KrebsOnSecurity that Kivimaki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimaki. Kivimaki also was involved in calling in multiple fake bomb threats and "swatting" incidents -- reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Privacy

A Network of Knockoff Apparel Stores Exposed 330,000 Customer Credit Cards (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: If you recently made a purchase from an overseas online store selling knockoff clothes and goods, there's a chance your credit card number and personal information were exposed. Since January 6, a database containing hundreds of thousands of unencrypted credit card numbers and corresponding cardholders' information was spilling onto the open web. At the time it was pulled offline on Tuesday, the database had about 330,000 credit card numbers, cardholder names, and full billing addresses -- and rising in real-time as customers placed new orders. The data contained all the information that a criminal would need to make fraudulent transactions and purchases using a cardholder's information.

The credit card numbers belong to customers who made purchases through a network of near-identical online stores claiming to sell designer goods and apparel. But the stores had the same security problem in common: Any time a customer made a purchase, their credit card data and billing information was saved in a database, which was left exposed to the internet without a password. Anyone who knew the IP address of the database could access reams of unencrypted financial data. Anurag Sen, a good-faith security researcher, found the exposed credit card records and asked TechCrunch for help in reporting it to its owner. Sen has a respectable track record of scanning the internet looking for exposed servers and inadvertently published data, and reporting it to companies to get their systems secured.

But in this case, Sen wasn't the first person to discover the spilling data. According to a ransom note left behind on the exposed database, someone else had found the spilling data and, instead of trying to identify the owner and responsibly reporting the spill, the unnamed person instead claimed to have taken a copy of the entire database's contents of credit card data and would return it in exchange for a small sum of cryptocurrency. A review of the data by TechCrunch shows most of the credit card numbers are owned by cardholders in the United States. [...] Internet records showed that the database was operated by a customer of Tencent, whose cloud services were used to host the database. TechCrunch contacted Tencent about its customer's database leaking credit card information, and the company responded quickly. The customer's database went offline a short time later.
Many of the stores leaking customers' information claim to operate out of Hong Kong and were set up in the past few weeks. Some of the websites include: spraygroundusa.com, ihuahebuy.com, igoodlinks.com, ibuysbuy.com, lichengshop.com, hzoushop.com, goldlyshop.com, haohangshop.com, twinklebubble.store, and spendidbuy.com.
Television

The Hidden Cost of Cheap TVs (theatlantic.com)

Perhaps the biggest reason TVs have gotten so much cheaper than other products is that your TV is watching you and profiting off the data it collects. From a report: Modern TVs, with very few exceptions, are "smart," which means they come with software for streaming online content from Netflix, YouTube, and other services. Perhaps the most common media platform, Roku, now comes built into TVs made by companies including TCL, HiSense, Philips, and RCA. But there are many more operating systems: Google has Google TV, which is used by Sony, among other manufacturers, and LG and Samsung offer their own.

Smart TVs are just like search engines, social networks, and email providers that give us a free service in exchange for monitoring us and then selling that info to advertisers leveraging our data. These devices "are collecting information about what you're watching, how long you're watching it, and where you watch it," Willcox said, "then selling that data -- which is a revenue stream that didn't exist a couple of years ago." There's nothing particularly secretive about this -- data-tracking companies such as Inscape and Samba proudly brag right on their websites about the TV manufacturers they partner with and the data they amass.

The companies that manufacture televisions call this "post-purchase monetization," and it means they can sell TVs close to at cost and still make money over the long term by sharing viewing data. In addition to selling your viewing information to advertisers, smart TVs also show ads in the interface. Roku, for example, prominently features a given TV show or streaming service on the right-hand side of its home screen -- that's a paid advertisement. Roku also has its own ad-supported channel, the Roku Channel, and gets a cut of the video ads shown on other channels on Roku devices.

Advertising

Inspired by Amazon, Paid Promotions Spread to Other Online Shopping Sites in 2022 (msn.com) 12

We're buying more things online, the Washington Post notes. But how we buy may be changing too: For the first time in years, Google and Meta have grabbed less than half of the digital marketing money spent in the United States in 2022. Amazon, which took more than 11 percent of all digital ads purchased, was the biggest reason Google and Meta lost ground as advertising powerhouses, according to the research firm Insider Intelligence.

In part because of Amazon's success with paid product promotions, Walmart, Target, the grocery delivery company Instacart, drugstore chain Walgreens and other retailers are also putting a higher priority on tailoring commercials to influence what you buy, advertising specialists said. Another reason these ads are spreading is that retailers' knowledge of what you buy is valuable, especially now that there are more limitations on how internet powers such as Facebook can follow everything you do to target you with ads.

Like Google and Facebook, stores are trying to use as much information as they can find about you to steer your choices. One difference from Google and Facebook is that retailers like Amazon and Walmart make money from influencing what you buy and from selling you the product.

The thing is ... these ads seem to work on you. And that's why paid product persuasion is likely here to stay.

Security

DraftKings Warns Data of 67,000 People Was Exposed In Account Hacks (bleepingcomputer.com) 20

Sports betting company DraftKings revealed last week that more than 67,000 customers had their personal information exposed following a credential attack in November. BleepingComputer reports: In credential stuffing attacks, automated tools are used to make a massive number of attempts to sign into accounts using credentials (user/password pairs) stolen from other online services. [...] In a data breach notification filed with the Maine Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident. The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions, account balance, and last date of password change," the breach notification reads. "At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number. While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."

After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts. It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November. The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts. While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35. The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.

"After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working," adds the report.

"The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests."
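
The report above describes two signals a defender can look for: failed logins spread across many accounts from one source (the credential-stuffing phase), and the per-account takeover sequence of a small deposit, a password change, a 2FA phone-number change and a withdrawal. The following is an added example (not code from DraftKings, BleepingComputer or the report) that runs both checks over constructed log lines; the log format, field names, account names, IPs (documentation ranges) and thresholds are all assumptions made for the illustration.

```python
"""Detect credential stuffing and the deposit/password/2FA/withdrawal
account-takeover sequence over constructed login and account events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not real DraftKings data).
# Fields: ISO timestamp, acct=, event=, ip=, optional amount=.
SAMPLE_LOG = """\
2022-11-18T10:00:01 acct=alice event=login_fail ip=203.0.113.7
2022-11-18T10:00:02 acct=bob event=login_fail ip=203.0.113.7
2022-11-18T10:00:02 acct=carol event=login_fail ip=203.0.113.7
2022-11-18T10:00:03 acct=dave event=login_fail ip=203.0.113.7
2022-11-18T10:00:04 acct=erin event=login_fail ip=203.0.113.7
2022-11-18T10:00:05 acct=frank event=login_ok ip=203.0.113.7
2022-11-18T10:02:00 acct=frank event=deposit ip=203.0.113.7 amount=5.00
2022-11-18T10:03:10 acct=frank event=password_change ip=203.0.113.7
2022-11-18T10:04:00 acct=frank event=mfa_phone_change ip=203.0.113.7
2022-11-18T10:06:30 acct=frank event=withdrawal ip=203.0.113.7 amount=950.00
2022-11-18T11:00:00 acct=grace event=login_ok ip=198.51.100.4
2022-11-18T11:05:00 acct=grace event=deposit ip=198.51.100.4 amount=200.00
2022-11-18T13:00:00 acct=grace event=withdrawal ip=198.51.100.4 amount=50.00
2022-11-18T12:00:00 acct=alice event=login_fail ip=198.51.100.9
2022-11-18T12:00:30 acct=alice event=login_ok ip=198.51.100.9
"""

# Ordered steps of the takeover pattern described in the report.
TAKEOVER_STEPS = ["login_ok", "deposit", "password_change",
                  "mfa_phone_change", "withdrawal"]


def parse_events(text):
    """Parse 'key=value' log lines into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "ts": datetime.fromisoformat(ts),
            "acct": fields["acct"],
            "event": fields["event"],
            "ip": fields["ip"],
            "amount": float(fields.get("amount", 0)),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs whose failed logins hit >= min_accounts distinct
    accounts inside a sliding time window. Stuffing spreads failures over
    many accounts, so per-account lockout counters alone never trip."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails_by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():  # fails are already time-ordered
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accts = {f["acct"] for f in fails[start:end + 1]}
            if len(accts) >= min_accounts:
                flagged[ip] = len(accts)
                break
    return flagged


def detect_takeover(events, max_span=timedelta(hours=1), small_deposit=10.0):
    """Per account, match the ordered sequence login -> small deposit ->
    password change -> 2FA phone change -> withdrawal within max_span of
    the login. Returns {account: withdrawal_amount} for each match."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["acct"]].append(e)
    hits = {}
    for acct, evs in by_acct.items():
        for i, first in enumerate(evs):
            if first["event"] != "login_ok":
                continue
            step = 1
            for e in evs[i + 1:]:
                if e["ts"] - first["ts"] > max_span:
                    break
                want = TAKEOVER_STEPS[step]
                if e["event"] != want:
                    continue
                if want == "deposit" and e["amount"] > small_deposit:
                    continue  # a normal-sized deposit is not the signal
                step += 1
                if step == len(TAKEOVER_STEPS):
                    hits[acct] = e["amount"]
                    break
            if acct in hits:
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(evs))
    print("takeover sequences:", detect_takeover(evs))
```

On the constructed log, the first check names 203.0.113.7 (five distinct accounts failed within seconds) and the second names only frank, whose 5.00 deposit is followed by a password change, a 2FA phone change and a 950.00 withdrawal inside an hour; grace's ordinary deposit and later withdrawal do not match. In practice the takeover check is the one worth alerting on before the withdrawal step completes, since a password change plus 2FA re-enrolment shortly after a login from a new source is itself unusual.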

United States

Senator Wyden Urges FTC Probe of Neustar Over Possible Selling of User Data to Government (msn.com) 25

Until 2020 Neustar was the domain name registry "for a number of top-level domains," according to its page on Wikipedia, "including .biz, .us (on behalf of United States Department of Commerce), .co, .nyc (on behalf of the city of New York), and .in."

But now U.S. Senator Ron Wyden has asked America's Federal Trade Commission to investigate whether Neustar violated the privacy rights of millions, reports the Washington Post, "when it sold records of where they went online to the federal government."

America's Department of Defense funded a research team at Georgia Tech who purchased Neustar's data starting in 2016, notes a letter from Senator Wyden. Wyden has obtained emails between those researchers and "both the FBI and the Department of Justice, indicating that government officials asked the researchers to run specific queries and that the researchers wrote affidavits and reports for the government describing their findings."

But in addition, Wyden now cites a Department of Justice statement (entered in an unrelated court case) which he says makes a concerning assertion: that Neustar executive Rodney Joffe, "who led the company's efforts to sell data to Georgia Tech, was also involved in the sale of DNS data directly to the U.S. government." The court documents say: Rodney Joffe and certain companies with which he was affiliated, including officers and employees of those companies, have provided assistance to and received payment from multiple agencies of the United States government. This has included assistance to the United States intelligence community and law enforcement agencies on cyber security matters. Certain of those companies have maintained contracts with the United States government resulting in payment by the United States of tens of millions of dollars for the provision of, among other things, Domain Name System ('DNS') data. These contracts included classified contracts that required company personnel to maintain security clearances.

From The Washington Post: The stipulation naming entrepreneur Rodney Joffe was the clearest confirmation to date of web histories being sold directly to federal law enforcement and intelligence agencies, instead of through information brokers exempt from restrictions on what telephone companies and websites can share with the government.

Wyden adds: The data that Neustar sold to Georgia Tech may have also included data collected from consumers who were explicitly promised that their data would not be sold to third parties. Between 2018 and 2020, Neustar acquired a competing recursive DNS service, which had previously been operated by Verisign. That service had been advertised to the public by Verisign with unqualified promises that "your public DNS data will not be sold to third parties."

When the product changed hands, users of Verisign's service were seamlessly transitioned to DNS servers that Neustar controlled. This meant that Neustar now received information about the websites accessed by these former Verisign-users, even though neither Verisign nor Neustar provided those users with meaningful, effective notice that the change of ownership had taken place, or that Neustar did not intend to honor the privacy promises that Verisign had previously made to those users. It is unclear if the data Neustar sold to Georgia Tech included data from users who had been promised by Verisign that their data would not be sold.

This is because both Neustar and Verisign have refused to answer questions from my office necessary to determine this important detail.

Iphone

Apple Expands Self Service Repair To iPhone and MacBook Users in Europe (techcrunch.com) 32

Apple has announced that its Self Service Repair store for iPhones and MacBooks is now open for business in Europe. From a report: First announced last November, the repair program essentially enables anyone to purchase genuine Apple components to repair their damaged devices, while the Cupertino company also provides online manuals to guide consumers through the self-service repair process. It's worth noting that while the program is open to anyone where the repair store is available, repairing Apple's hardware probably isn't for the average consumer, as just getting into the devices to begin the repairs is a complex process. But for any have-a-go hero out there willing to invest a bit of time and money learning, Apple is also selling the tools necessary to carry out fault-specific repairs, with an option to rent a repair kit for $49 if they only have a one-off repair they wish to carry out.

Security

FBI, CISA Say Cuba Ransomware Gang Extorted $60 Million From Victims This Year (techcrunch.com) 12

An anonymous reader quotes a report from TechCrunch: The Cuba ransomware gang extorted more than $60 million in ransom payments from victims between December 2021 and August 2022, a joint advisory from CISA and the FBI has warned. The latest advisory is a follow-up to a flash alert (PDF) released by the FBI in December 2021, which revealed that the gang had earned close to $44 million in ransom payments after attacks on more than 49 entities in five critical infrastructure sectors in the United States. Since then, the Cuba ransomware gang has brought in an additional $60 million from attacks against 100 organizations globally, almost half of the $145 million it demanded in ransom payments from these victims. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase," the two federal agencies said on Thursday.

Cuba ransomware actors, which have been active since 2019, continue to target U.S. entities in critical infrastructure, including financial services, government facilities, healthcare and public health, critical manufacturing and information technology. [...] FBI and CISA added that the ransomware gang has modified its tactics, techniques and procedures since the start of the year and has been linked to the RomCom malware, a custom remote access trojan for command and control, and the Industrial Spy ransomware. The advisory notes that the group -- which cybersecurity company Profero previously linked to Russian-speaking hackers -- typically extorts victims by threatening to leak stolen data. While this data was typically leaked on Cuba's dark web leak site, it began selling stolen data on Industrial Spy's online market in May this year. CISA and the FBI are urging at-risk organizations to prioritize patching known exploited vulnerabilities, to train employees to spot and report phishing attacks and to enable and enforce phishing-resistant multi-factor authentication.

Bitcoin

Crypto and NFTs Aren't Welcome in Grand Theft Auto Online (arstechnica.com) 15

Cryptocurrencies and NFTs have been formally disallowed from Grand Theft Auto Online's popular role-playing (RP) servers. That's according to a new set of guidelines posted on Rockstar's support site last Friday. From a report: In the note, the game's publisher says its new RP server rules are aligned with Rockstar's existing rules for single-player mods. Both sets of rules prohibit content that uses third-party intellectual property, interferes with official multiplayer services, or makes new "games, stories, missions or maps" for the game. This means RP servers based on re-creating Super Mario Kart in the Grand Theft Auto world, for instance, could face "priority in enforcement actions" from Rockstar. But the new RP guidelines surpass the existing single-player mod guidelines in barring "commercial exploitation." That's a wide-ranging term that Rockstar says specifically includes selling loot boxes, virtual currencies, corporate sponsorships, or any integrations of cryptocurrencies or "crypto assets (e.g. 'NFTs')."
