We’ve seen all kinds of data breaches from outside hackers, and occasionally, as happened with Twitter, breaches that occurred as outsiders phished employeee credentials for access, but for Shopify, the threat came from inside. The company’s software enables online shopping for other businesses, and in a blog post it revealed that two employees were caught “in a scheme to obtain customer transactional records of certain merchants.”

It’s unclear how much data they actually stole, which the blog post said came from fewer than 200 merchants. The information access included stuff like contact information as well as order details of what was purchased, but for now, the company says it did not include payment information like credit card or account numbers.

A bank spokesperson said the company had since poured “significant” resources into bolstering its security and otherwise addressing orders from both the OCC and the Federal Reserve.

The payout isn’t small, but it might not make many victims happy. The breach exposed sensitive details like addresses, reported income and (in some cases) account numbers and credit scores. Capital One did provide free credit monitoring and identity theft protection after the incident, but the payout still amounts to about 75 cents per person affected in North America. Like the Equifax breach, the compensation may seem small compared to the security precautions and stress inflicted on affected people.

Hunt noted there were a few reasons for this, including the prevalence of open source projects and the fact Have I Been Pwned has always been “open in spirit.” On a practical level, it’ll enable others to fix bugs and implement ideas that he’s not necessarily able to.

It’ll take some time to fully open up the code base, and Hunt plans to do so gradually. “The transition from completely closed to completely open will happen incrementally, bit by bit and in a fashion that’s both manageable and responsible,” he wrote.

It’s a complex process, especially when you consider the highly sensitive troves of data that make Have I Been Pwned an important service. While much of that data is already in the wild, Hunt said he needed to ensure “privacy controls prevail across the breach data itself even as the code base becomes more transparent.”

Some other services, particularly password managers, also help people monitor whether their data or credentials have been included in a breach. Still, Have I Been Pwned is perhaps the best-known such resource, allowing people to search find out whether their email address is among billions of records from hundreds of data breaches. Taking steps to ensure it’ll remain available in the long run is a welcome move on Hunt’s part.

Two weeks after a massive breach saw hackers take over some of the most prominent accounts on Twitter — including Barack Obama, Elon Musk, Joe Biden and Bill Gates — the company has published more details about how it happened. While a number of people from the “OGUsers” gray market forum provided details about a “Kirk” who was the source of access to internal tools, it was unclear how they came by that access in the first place.

Twitter

According to Twitter, the answer is a phone spear phishing attack that targeted a “small number” of employees who did not all have access to management tools. However, attackers then “used their credentials to access our internal systems and gain information about our processes.” Twitter didn’t confirm a report that the access came from finding logins for the admin tool in a Slack channel, but it didn’t quite rule that out either, nor did it provide any clarity about who may have been behind the initial attack.

Details continue to slowly come out from Twitter around the troubling attack on Wednesday that allowed hackers to tweet a Bitcoin spam message from high profile accounts. Tonight, the company revealed that based on its investigation so far, “we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to gain control of the accounts and then send Tweets from those accounts.”

A major question throughout has been whether hackers had access to DMs for accounts we know they compromised (Elon Musk, Bill Gates, Warren Buffett, Barack Obama, Joe Biden and others), or for ones that we don’t know about. Reports suggest whoever had access to its internal tools was prepared to use them days before the attacks started, and that they’d used them to take over other accounts before the spam messages popped up.

The campaign comes at a particularly bad time when the pandemic has forced a record number of people out of work. These scams force governments to look into scams right at a moment when many legitimate claimants — in at least one case, officials have needed to halt payments after discovering phony claims.

It’s not clear what action (if any) American authorities can take to stop the fraud. However, the scams underscore the importance of protecting against identity theft, both for individuals and companies. They also make clear that governments need to tighten online security for unemployment and other systems that require sensitive info — strict safeguards for data don’t matter if there aren’t enough checks to make sure it’s being used properly.

A string of data breaches is causing headaches for more than a few internet users. ZDNet has learned that the hacking group ShinyHunters is selling about 73.2 million user records the attackers say were stolen from numerous sites. About 30 million come from the dating app Zoosk, while 15 million are from the printing service Chatbooks. The rest come from a variety of sites, including the Star Tribune newspaper (1 million), South Korean fashion and furniture sites (8 million total) and the Chronicle of Higher Education (3 million).

While the legitimacy of some databases couldn’t be verified, ZDNet found that samples from the breach matched real records. Researchers in the community also believed that ShinyHunters was authentic.

Hackers don’t necessarily need to break into networks to compromise game companies — sometimes, it’s just about coercing the right people. An anonymous attacker talking to Motherboard has revealed that they bribed a Roblox customer support representative to get access to the customer support panel for the online game platform. The intruder could see email addresses, change passwords, strip two-factor authentication and even ban users.

This was done solely to “prove a point,” the hacker claimed. As evidence, they provided photos showing details of a handful of players, including high-profile examples. However, this wasn’t a strictly virtuous act — the perpetrator changed passwords for two accounts, sold items and updated two-factor settings once it became clear an attempt to claim a bug bounty (for a non-existent flaw) wasn’t going to work.

In a recent product update, Wyze outlined its plans for the Wyze Lock, outdoor camera, scale and doorbell cam, as well as the Wyze Band. Official information on the device is a little thin, but ZatzNotFunny has unearthed more details on what we can expect. As well as the usual activity tracking features and weather tools, the band will let users control Wyze devices straight from their wrist, as well as any number of Alexa devices, thanks to built-in Alexa capabilities. Smart phone notifications also appear to be included in the color screen device.

It looks like launch is a few months away yet, with Wyze noting in its product update that it expects to complete the beta phase soon and move on to preparing for the EA launch. No doubt the band — and indeed all of the products Wyze hopes to roll out this year — will be a harder sell, given its massive data breach last year. That being said, while there is no official pricing information available yet, we can expect the Wyze Band to represent an affordable way of getting Alexa on your wrist. With the company no doubt mindful of its security levels and taking steps to tighten its operations that might be enough to convince customers to give it a go.

In an email sent to customers this morning, Slickwraps says an “unauthorized party” accessed its private databases, and obtained customer names, emails and addresses. Slickwraps claims passwords and credit card information weren’t compromised.

“We are deeply sorry for this oversight. We promise to learn from this mistake and will make improvements going forward. This will include enhancing our security processes, improving communication of security guidelines to all Slickwraps employees, and making more of our user-requested security features our top priority in the coming months,” the company said. “We are also partnering with a third-party cybersecurity firm to audit and improve our security protocols.”

However, the scale and severity of the breach could be much more significant than Slickswraps is letting on. According to a security researcher who goes by the Twitter handle of Lynx, they reportedly tried to warn the company multiple times over the last several days about a massive vulnerability to their website. What’s worse, they claim all of their messages were ignored by Slickwraps. At one point, the company even went so far as to block Lynx’s Twitter account. Eventually, Lynx disclosed the breach in a Medium post that they’ve since deleted. Someone then used the information in the post to access the databases and email all of Slickwraps’ 377,428 customers, letting them know of the breach before the company had said anything about it.

Well that’s a big old yikes from @SlickWraps pic.twitter.com/28SOEMIBZ9

— Toneman (@Toneman) February 21, 2020

In whatever way the scenario actually played out, it highlights just how frequent these types of breaches have become in recent years. As an individual, it’s hard for you to know when a website you’ve used in the past may get hacked, but by taking a couple of simple precautions you can minimize the effects on your online privacy.