Category Archives: Internet Security and Privacy

Google+ to shut down; company also reveals it concealed a leak of up to 500,000 users' personal data

The company also announced that it could not determine which Google+ accounts were affected by the bug that led to the personal data leak, and that according to one analysis as many as 500,000 accounts may have been affected. (Google+ to shut down; up to 500,000 personal data leaks admitted, AFP=Jiji, 10/9 (Tue) 5:04, YAHOO!JAPAN)

Google+ software glitch reportedly may have exposed user data from CNBC.

Google exposed the personal information of hundreds of thousands of users of its Google+ social network, the company announced in a blog post this morning. The news, originally reported by The Wall Street Journal ahead of Google’s announcement, means that Google+ profile information like name, email address, occupation, gender, and age were exposed, even when that data was listed as private and not public. (Google hid major Google+ security flaw that exposed users’ personal information By Nick Statt@nickstatt Oct 8, 2018, 1:27pm EDT THE VERGE)

References

  1. Google+ to shut down; up to 500,000 personal data leaks admitted (AFP=Jiji, 10/9 (Tue) 5:04, YAHOO!JAPAN)
  2. Google hid major Google+ security flaw that exposed users’ personal information (By Nick Statt@nickstatt Oct 8, 2018, 1:27pm EDT THE VERGE)
  3. Google did not disclose security bug because it feared regulation, says report (Jillian D’Onfro | @jillianiles, CNBC)
  4. Google Plus Shutting Down (Wochit News, published 2018/10/08)

Leaked email addresses and passwords

Sony Group: 17,695 entries. Toshiba Group: 10,635. Toyota Motor Group: 8,194 ... Reporting by Nikkei Business has revealed that information on employees of Japan's leading companies has leaked in large quantities. What was confirmed is a list of email address and password combinations. It was originally sold on underground sites accessible to a limited set of users, but it is now freely downloadable through sites anyone can reach. The total number of combinations on the list reaches 1.6 billion. (1.6 billion leaked passwords confirmed; many Japanese companies such as Sony and Toyota affected, 2018 9/7 (Fri) 11:29, YAHOO!JAPAN News / Nikkei Business Online)

I do not know which list the Nikkei Business article refers to, but I will also introduce articles from overseas sites on the same topic. Leaks of personal information have been reported many times in the past.

Their most recent find: a 41-gigabyte file that contains a staggering 1.4 billion username and password combinations.

The usernames and passwords have been collected from a number of different sources. 4iQ’s screenshot shows dumps from Netflix, Last.FM, LinkedIn, MySpace, dating site Zoosk, adult website YouPorn, as well as popular games like Minecraft and Runescape. (File With 1.4 Billion Hacked And Leaked Passwords Found On The Dark Web. Lee Mathews, Dec 11, 2017, 02:45pm)

While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.

The 41GB dump was found on 5th December 2017 in an underground community forum. The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869.

We’ve found that although the majority of these breaches are known within the Breach and Hacker community, 14% of exposed username/passwords pairs had not previously been decrypted by the community and are now available in clear text. (Julio Casal Dec 9, 2017 medium.com 1.4 Billion Clear Text Credentials Discovered in a Single Database)

One list, known as the “Anti Public Combo List“, contains 457,962,538 distinct email addresses, and although HIBP creator Troy Hunt, who first reported the discovery of the lists last Friday, has so far been unable to trace the source of the data, he believes it comes from multiple breaches rather than a single event. (Breach site finds 1 billion accounts in hacked datasets. Dale Walker. 9 May, 2017)

On Friday, Twitter user Chris Vickery teased world plus dog that he was going public on Monday with news of a massive data breach of 1.37 billion records. And that turned out to be as many as 1.37 billion contact details amassed by River City Media (RCM) – an internet marketing biz apparently based in Jackson, Wyoming, that claims to emit up to a billion emails a day.

The 200GB table includes real names, email addresses, IP addresses, and “often” physical addresses, it is claimed. Vickery said he “stumbled upon a suspicious, yet publicly exposed, collection of files,” and discovered the database and documents related to RCM. Among the millions and millions of contact details were chat logs and files exposing the sprawling RCM empire. It turns out the spamming, er, marketing biz has many tentacles and affiliates, mostly acting as web service providers and advertising operations. (That big scary 1.4bn leak was 100s of millions of email, postal addresses. Spammers, shockingly, hoard contact details on millions of netizens By John Leyden 7 Mar 2017 at 03:15 The Register)

I get a lot of requests from people for data from Have I been pwned (HIBP) that they can analyse. Now obviously, there are a bunch of people up to no good requesting the data but equally, there are many others who just want to run statistics. Regardless, the answer has always been “no”, I’m not going to redistribute data to you. In fact, the requests were happening so frequently that I even wrote the blog post No, I cannot share data breaches with you.

However, as part of HIBP’s 3rd birthday celebrations, I am going to share data with you, quite a lot of it. In fact, I’m opening up almost all the data in HIBP with a few very important caveats: (Here’s 1.4 billion records from Have I been pwned for you to analyse. 06 DECEMBER 2016, troyhunt.com)

A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security – a US firm specialising in discovering breaches. Hold Security described the hack as the “largest data breach known to date”. It claimed the stolen information came from more than 420,000 websites, including “many leaders in virtually all industries across the world”. (Russia gang hacks 1.2 billion usernames and passwords, BBC, 6 August 2014)

References

  1. https://keybase.pub/lakofsth/breachcompilation.sortuniq.txt.7z
  2. ';--have i been pwned?
  3. There are currently 5,906 searchable databases on DeHashed.
  4. List of data breaches (Wikipedia)
  5. Yahoo! data breaches (Wikipedia)
  6. The 17 biggest data breaches of the 21st century (Taylor Armerding, CSO, JAN 26, 2018 3:44 AM PT)

The following is a separate incident.

They took the personal and financial details of customers who made, or changed, bookings on ba.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three digit CVC code required to authorise payments. Around 380,000 transactions were affected. (The British Airways hack is impressively bad. WIRED By MATT BURGESS Friday 7 September 2018)

WikiLeaks reveals US government wiretapping of Japan


“… The lesson for Japan is this: do not expect a global surveillance superpower to act with honour or respect. There is only one rule: there are no rules.” (Julian Assange)

References

  1. WikiLeaks Target Tokyo Today, Friday 31 July 2015, 9am CEST, WikiLeaks publishes “Target Tokyo”, 35 Top Secret NSA targets in Japan including the Japanese cabinet and Japanese companies such as Mitsubishi, together with intercepts relating to US-Japan relations, trade negotiations and sensitive climate change strategy. The list indicates that NSA spying on Japanese conglomerates, government officials, ministries and senior advisers extends back at least as far as the first administration of Prime Minister Shinzo Abe, which lasted from September 2006 until September 2007. The telephone interception target list includes the switchboard for the Japanese Cabinet Office; the executive secretary to the Chief Cabinet Secretary Yoshihide Suga; a line described as “Government VIP Line”; numerous officials within the Japanese Central Bank, including Governor Haruhiko Kuroda; the home phone number of at least one Central Bank official; numerous numbers within the Japanese Finance Ministry; the Japanese Minister for Economy, Trade and Industry Yoichi Miyazawa; the Natural Gas Division of Mitsubishi; and the Petroleum Division of Mitsui.
  2. US wiretapping of Japan may have extended to private homes; targets classified by priority (Asahi Shimbun DIGITAL, 1 August 2015): "WikiLeaks published a list of telephone numbers it says were extracted from NSA data as wiretapping targets inside Japan. The targets extend to ministries such as the Cabinet Office and the Ministry of Economy, Trade and Industry, the Bank of Japan, and major private companies."
  3. US NSA may have wiretapped Japan's cabinet, ministries, Mitsubishi and others: WikiLeaks exposé (THE NEW CLASSIC, last updated 2015.08.01 / published 2015.07.31): "Australia's THE SATURDAY PAPER also reported that the wiretapping list included the numbers of Chief Cabinet Secretary Suga and Bank of Japan Governor Haruhiko Kuroda."
  4. Japan wiretapping: US avoids explanation, 'will not react'; response differs from that toward Europe (Mainichi Shimbun, 1 August 2015, Tokyo evening edition): "NSA wiretapping of foreign countries, allies included, was widely reported around the world in 2013 based on information from former CIA employee Edward Snowden, among other sources. Targeted European countries such as Germany and France, as well as Brazil, reacted strongly, publicly condemning the US and demanding explanations, or postponing their leaders' visits to the US. Amid suspicions that the NSA had tapped German Chancellor Merkel's mobile phone, President Obama promised Merkel by telephone in October of that year that the US would not intercept the German chancellor's communications."

WikiLeaks publishes 30,000 internal documents and 173,000 emails leaked from Sony Pictures Entertainment (SPE)

On 16 April 2015, WikiLeaks published on its website 30,000 internal documents and 173,000 emails leaked from Sony Pictures Entertainment (SPE). These documents and emails are keyword-searchable.

WikiLeaks founder Julian Assange commented: "It shows how an influential multinational corporation operates. This is property that belongs to everyone." (Asahi Shimbun DIGITAL)

Today, 16 April 2015, WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE) and 173,132 emails, to and from more than 2,200 SPE email addresses. (https://wikileaks.org/sony/press/)

In a statement, SPE said the cyberattack was a malicious criminal act and strongly condemned the decision to make leaked employee information and non-public information searchable. (Reuters / Huffington Post, 17 April 2015)

References

  1. WikiLeaks publishes about 30,000 leaked documents from Sony subsidiary (Asahi Shimbun DIGITAL, 17 April 2015): "On the 16th, the whistleblowing site WikiLeaks published on its own site about 30,000 internal documents of Sony Pictures Entertainment (SPE) that were leaked in large quantities last November by a hacker group believed to be linked to North Korea."
  2. Sony Pictures condemns WikiLeaks over online publication of leaked documents (Reuters / Huffington Post, 17 April 2015)