Plus, Instagram gets smacked with a fine and a large school district gets smacked with ransomware.
TikTok denies the claims made by hacking group AgainstTheWest that it breached an Alibaba cloud database containing 2.05 billion records including TikTok source code and user data. The hacking group posted screenshots of the “stolen” data on a hacking forum, but TikTok told BleepingComputer that the data was “completely unrelated” to the company. It said the source code in the screenshots was not its own and that there are safeguards in place to prevent direct scraping of the platform.
“In this case it seems TikTok did not have a data breach,” commented Avast Security Evangelist Luis Corrons. “Even though the leaked data seems to be valid, all that information was already publicly available. Still, we must remember that any personal data we host anywhere is susceptible to being compromised, which is why we have to be especially careful when we decide to upload our personal information online.”
Law enforcement uses “Fog Reveal” for mass surveillance
According to public records and internal emails obtained by the Electronic Frontier Foundation (EFF) and shared with The Associated Press (AP), law enforcement agencies across America have been using a cellphone tracking tool called Fog Reveal to search hundreds of billions of cellphone records, sometimes without a warrant. Sold by Virginia-based Fog Data Science LLC, Fog Reveal has been in use since 2018. It tracks advertising identification numbers assigned to devices by popular apps like Waze or Starbucks. “It’s sort of a mass surveillance program on a budget,” observed one EFF advisor. See The AP’s full report for more.
GDPR fines Instagram €405 million
As a penalty for breaching the EU’s General Data Protection Regulation (GDPR), Ireland’s Data Protection Commission (DPC) has fined Instagram €405 million. Full details about the decision will come out next week. The complaint focuses on the way Instagram processes children’s data for business accounts, which results in minors’ accounts being set to “public” by default. The GDPR requires privacy by design and by default, as well as provisions that enhance the protection of children’s information. For more on this story, see TechCrunch.
Ransomware strikes Los Angeles school district
LAUSD, the second largest school district in the nation, was hit with a ransomware attack last weekend. “While the District’s ability to intercept the attack by deactivating all our systems was the swift, decisive and prudent action to avoid a catastrophic breach, the recovery from the disruption has proven more challenging than initially anticipated,” the District reported in a bulletin. Despite the disruption, Los Angeles students attended school this week as though nothing had happened. Teachers and students are currently in the process of resetting all their passwords in order to be reconnected with the District’s tech network. See ZDNet for more.
Worok group targets Asian & African governments
A hacking group dubbed Worok has been observed targeting both public and private sectors in Asia and Africa, with an emphasis on government entities. Researchers say the group has been active since late 2020, with a long period of inactivity from May 2021 to January 2022. Judging by the toolset the group uses, its primary interest seems to be information stealing. Worok gains initial footholds in its target networks through the use of ProxyShell exploits, followed by the deployment of additional backdoors for entrenched access. To learn more about these attacks, see The Hacker News.
This week’s must-read on the Avast blog
The beginning of the school year is the perfect time to boost your child’s digital literacy by talking to them about online safety, cybersecurity in school, and celebrating their digital milestones. Here are our top tips and tricks for back to school.