Headline
Slack Discloses Breach of Its Github Code Repository
Plus: Russian spies uncovered in Europe, face recognition leads to another wrongful arrest, a new porn ID law, and more.
Ever since Elon Musk spent $44 billion on Twitter and laid off a large percentage of the company’s staff, there have been concerns about data breaches. Now it seems a security incident that predates Musk’s takeover is causing headaches. This week, it emerged that hackers released a trove of 200 million email addresses and their links to Twitter handles, which were likely gathered between June 2021 and January 2022. The sale of the data may put anonymous Twitter accounts at risk and heap further regulatory scrutiny on the company.
WhatsApp has launched a new anti-censorship tool that it hopes will help people in Iran to avoid government-enforced blocks on the messaging platform. The company has made it possible for people to use proxies to access WhatsApp and avoid government filtering. The tool is available globally. We’ve also explained what pig-butchering scams are and how to avoid falling into their traps.
Also this week, cybersecurity firm Mandiant revealed that it has seen Russian cyberespionage group Turla using innovative new hacking tactics in Ukraine. The group, which is believed to be connected to the FSB intelligence agency, was spotted piggybacking on dormant USB infections of other hacker groups. Turla registered expired domains of years-old malware and managed to take over its command-and-control servers.
We also reported on the continued fallout of the EncroChat hack. In June 2020, police across Europe revealed they had hacked into the encrypted EncroChat phone network and collected more than 100 million messages from its users, many of them potentially serious criminals. Now thousands of people have been jailed based on the intelligence gathered, but the bust is raising wider questions around law enforcement hacking and the future of encrypted phone networks.
But that’s not all. Each week, we round up the security stories we didn’t cover in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
On December 31, as millions of people were preparing for the start of 2023, Slack posted a new security update to its blog. In the post, the company says it detected a “security issue involving unauthorized access to a subset of Slack’s code repositories.” Starting on December 27, it found that an unknown threat actor had stolen Slack employee tokens and used them to access its external GitHub repository and download some of the company’s code.
“When notified of the incident, we immediately invalidated the stolen tokens and began investigating potential impact to our customers,” Slack’s disclosure says, adding that the attacker did not access customer data and Slack users don’t need to do anything.
The incident is similar to a December 21 security incident disclosed by authentication firm Okta, as cybersecurity journalist Catalin Cimpanu notes. Just before Christmas, Okta revealed its code repositories had been accessed and copied.
Slack quickly discovered the incident and reported it. However, as spotted by Bleeping Computer, Slack’s security disclosure didn’t appear on its usual news blog. And in some parts of the world, the company included code to stop search engines including it in their results. In August 2022, Slack forced password resets after a bug had exposed hashed passwords for five years.
A Black man in Georgia spent almost a week in jail after police reportedly relied on a face recognition match that was incorrect. Police in Louisiana used the technology to obtain an arrest warrant for Randal Reid in a theft case they were investigating. “I have never been to Louisiana a day in my life. Then they told me it was for theft. So not only have I not been to Louisiana, I also don’t steal,” Reid told local news site Nola.
The publication says a detective “took the algorithm at face value to secure a warrant” and says little is known about police use of face recognition technology in Louisiana. The names of any systems used have not been disclosed. However, this is just the latest case of face recognition technology being used in wrongful arrests. While police use of face recognition tech has quickly spread across US states, research has repeatedly shown it misidentifies people of color and women more frequently than white men.
On the first day of this year, Ukraine launched its deadliest missile strike against invading Russian troops to date. An attack on a temporary Russian barracks in Makiivka, in the Russian-occupied Donetsk region, killed 89 troops, the Russian defense ministry claims. Ukrainian officials say around 400 Russian soldiers were killed. In the aftermath, Russia’s defense ministry claimed the location of troops was identified because they were using mobile phones without permission.
During the war, both sides have said they are able to intercept and locate phone calls. While Russia’s latest claim should be treated with caution, the conflict has highlighted how open source data can be used to target troops. Drones, satellite images, and social media posts have been used to monitor people on the frontlines.
A new law in Louisiana requires porn sites to verify the ages of visitors from the state to prove they are over 18. The law says age verification must be used when a website contains 33.3 percent or more pornographic content. In response to the law, PornHub, the world’s biggest porn website, now gives people the option to link their drivers license or government ID via a third-party service to prove they are legal adults. PornHub says it does not collect user data, but the move has raised fears of surveillance.
Around the world, countries are introducing laws that require porn site visitors to prove they’re old enough to view the explicit material. Lawmakers in Germany and France have threatened to block porn sites if they don’t put the measures in place. Meanwhile, in February 2022 Twitter started blocking adult content creators in Germany because age verification systems were not in place. The UK tried to introduce similar age-checking measures between 2017 and 2019; however, the plans collapsed due to porn website admins’ confusion, design flaws, and fears of data breaches.
The world of spies is, by its very nature, cloaked in secrecy. Nations deploy agents to countries to gather intelligence, recruit other assets, and influence events. But occasionally these spies get caught. Since Russia’s full-scale invasion of Ukraine in February 2022, more of Russia’s spies across Europe have been identified and expelled from countries. A new database from open source researcher @inteltakes has pulled together known cases of Russia’s spies in Europe since 2018. The database lists 41 entries of spies being exposed and, where possible, details each asset’s nationality, profession, and the service they were recruited by.