Extensive Hacking Incidents Label 2013 ‘The Year of the Hack’
Add note-taking service Evernote to the long list of major companies hacked in 2013, which includes Apple, Twitter, Facebook, Microsoft, Tumblr, Burger King, Jeep and The New York Times. The breach impelled Evernote to issue a service-wide password reset.
The website that caused the hacking incidents was identified as iPhoneDevSDK, an online forum for software developers. The website’s owner, Ian Sefferman, told The Huffington Post that he was never contacted by Facebook or investigators looking into the attacks and only learned the site hosted malicious software, known as malware, when he was notified by a reporter at the tech blog AllThingsD.
The hackers behind the attacks appeared to be from Eastern Europe or Russia, and were trying to hack developers to steal company secrets and sell them on the underground market, according to Bloomberg.
Software developers are the hot new target for hackers because they have access to tech companies’ source code, which can be used to write new malware, known as zero days, for future attacks. In these attacks, the hackers couldn’t have known in advance which companies would be compromised but they did know they would ensnare software developers.
According to Sefferman, his website is “the most widely read dedicated iOS developer forum.” Most of the site’s approximately 200,000 registered users and visitors are software developers who discuss technical issues around building apps for the iPhone and iPad. Sefferman said his website is frequently targeted by hackers — and most recently by ones who gained access to an administrator’s account, and then injected malicious software into the site’s code that would infect site visitors.
Apple, Facebook and Twitter employees were victims of what security experts call a watering hole attack because they were lured to the source of the malware like animals stopping for a drink of water. The website then downloaded malware onto its visitors’ computers when they came to the site, giving the cyber criminals illegal access into a company’s computer network.
Sean Sullivan, a security adviser at Finland-based security firm F-Secure, told The Huffington Post he estimated hundreds of app developers at tech start-ups have been compromised by the attack but haven’t come forward publicly. He said, “There’s a very big, dark market for vulnerabilities and getting source code. If you can get the source code, that’s the mother lode.”
Twitter’s systems were compromised and 250,000 user accounts were exposed, and the company is looking to add another layer of protection to its user authentication. Investigators were still trying to determine what the hackers did once they had access to Apple and Facebook. All three companies said no user data was taken in their security breaches.
Evernote says that no content or payment information was accessed, although hackers did acquire usernames, email addresses, and encrypted passwords. After suffering a data breach that caused the company to reset passwords for all of its 50 million users, Evernote announced that it plans to adopt two-factor authentication as quickly as possible.
“We were already planning to roll out optional two-factor authentication to all of our users later this year,” said Evernote spokeswoman Ronda Scott via email. “We are accelerating those plans now.”
Overall, the tech heavyweights managed to defend themselves reasonably well. Apple said it plans to release a piece of software that customers can use to identify and repair Macs infected with the malware used in the attacks. These targets have been unusually forthright in informing the public that they’ve been hacked. For the most part, this recent wave of breaches hasn’t affected user data; had it done so, the hacked companies would have been legally required to give public notification. These companies (Facebook included) have not been legally compelled to say they’d been hacked at all, but have made an effort at transparency by doing so.
Merchant Express® reminds our clients that the PCI Data Security Standard can help protect cardholder data and prevent theft. Remember that PCI compliance is an ongoing process, not a one-time event in your business life.