Hackers Breach FTC CTO's Phone Account, Announce Goodell’s Death Prematurely; WA Accidentally Doxxes Weed License Applicants


Just another week in ThreatWatch, our regularly updated index of noteworthy data breaches.

In case you missed our coverage this week in ThreatWatchNextgov’s regularly updated index of cyber breaches:

Personal Info on Marijuana License Applicants Doxxed by Wash. State

The Washington State Liquor and Cannabis Board accidentally distributed sensitive data on applicants in response to a public records request. 

LCB had redacted the documents for the records request, but a folder containing the personal information inadvertently was included.

The data was provided to requestor John Novak, a Washington activist who runs a website -- 420 Leaks -- critical of the agency. Novak said he had requested documents related to marijuana applications filed under a recently enacted law.

Not knowing about the personal information, Novak posted the files at issue on 420 Leaks in early May, where anybody could access them. Novak said he subsequently received a phone call from the agency explaining the situation, as well as asking him to delete the records from his website and any copies in his possession.

Novak said he deleted the records from his website, but did not agree to delete his personal copies.

“I checked the logs to see if anybody downloaded it, but the logs didn’t go back that far," Novak said. "I know some of our research team downloaded them. A lot of press got the original link."

LCB spokesman Brian Smith said: “When we realized that info had been released to Mr. Novak, he was contacted and asked to take that information down from the website and to destroy what he had and we would provide a redacted version. It’s my understanding that this has happened."

The exposed data may include Social Security numbers, driver’s license numbers, financial information, tax information and attorney-client privileged information.

The Cannabist reviewed some of the new, redacted files on the agency’s download site, and discovered an unredacted Social Security number. The agency was notified about the apparent error.

“I’ll go back and talk to our public records people about that,” Smith said.

Novak said: “I’m not interested in people’s Social Security numbers or personally identifying information. I’m concerned about the leak of the information. It’s a massive leak of privacy that should never have happened.”

Novak also is concerned about a regulation that will have medical cannabis patients voluntarily register with the government.

“The state is trying to start a registry with patient information on the authorization form that the state is going to put into a database beginning July 1,” Novak said.

According to state information about the Cannabis Patient Protection Act (SB 5052) on Gov. Jay Inslee’s website, “Privacy will be ensured at the highest possible level, and the database does not in any way violate" the Health Insurance Portability and Accountability Act. 

FTC Chief Technologist, ID Security Prof Lorrie Cranor Gets Hacked Too

Here’s what happened to the Federal Trade Commission's lead techie, who is on leave from Carnegie Mellon University's comp sci department: A woman walked into a retail carrier store in Ohio, identified herself as Lorrie Cranor, and bought two iPhones on an installment plan. She billed them to Cranor’s account and walked away. 

“The thief would have needed to know my name, my mobile phone number, and make a fake ID,” according to Cranor. “It’s possible that the store could have asked for the last four digits of my SSN, but even that is not that hard for an identity thief to come by.”

The ID thief used an increasingly common trick called phone account hijacking. It’s endemic to all the major carriers, which is partly why Cranor declined to name her carrier.

"What makes account hijacking so insidious is it can happen even if the victim is scrupulous about protecting personal data," according to Wired. "Much of the information needed for this hack is available on reverse-lookup sites that link phone numbers with names. That’s why even someone as informed as Cranor could be compromised."

The four major U.S. carriers—AT&T, Sprint, Verizon and T-Mobile—let customers protect their account with a PIN or password that must be entered before altering the account. But Cranor hadn’t enabled hers.

“Before I realized what was going on, my phone said ‘emergency calls only,’ and I thought it was bad coverage,” Cranor says. “If you see that, it’s probably not bad coverage. There’s probably something else going on.”

Twitter Account Announces NFL Commissioner Goodell’s Death…Prematurely

An NFL spokesman says the league’s official Twitter account was hacked when it tweeted an erroneous statement that commissioner Roger Goodell had died. The tweet was soon deleted.

The hacked account tweeted, “We regret to inform our fans that our commissioner, Roger Goodell, has passed away. He was 57. #RIP.”

A hacker group named Peggle Crew claimed responsibility for the stunt.

"We got into a social media employee's email and found the account password there," one of the hackers told Tech Insider over email. "Not going to elaborate further."

When asked why the account was compromised, the hacker said it was "for the lulz."

The Twitter account of one of the group's members, @IDissEverything, has since been suspended, but the hacker told a follower NFL's password was "olsen3culvercam88" — a weak code that easily could be cracked with software tools like John the Ripper.

When asked about the veracity of the obituary tweet, NFL spokesman Greg Aiello said in an email: “Not true. Hacked.”

Brian McCarthy, another NFL spokesman, tweeted from his account (@NFLprguy) NFL’s official Twitter account was hacked and that Goodell “is alive and well.”

A subsequent tweet from NFL’s official account referencing Goodell -- which was soon deleted -- suggests the account was still hacked: "Oi, I said Roger Goodell has died. Don't delete that tweet."

NFL's account also tweeted a third time: "OK, OK, you amateur detectives win. Good job.”

Mark Zuckerberg’s Twitter, Pinterest Password -- 'dadada' -- Was Hacked

The attackers, self-dubbed OurMine Team, claimed to have broken into the Twitter and Pinterest accounts of the Facebook founder thanks to a LinkedIn password dump from a few weeks ago. More than 100 million LinkedIn user passwords were stolen during a 2012 hack leaked online in May.

“Hey @finkd, you were in Linkedin Database with the password ‘dadada’ !,” the team wrote from Zuckerberg’s Twitter page June 5. 

On his Pinterest page, a new title read: “Hacked by OurMine Team.”

"Twitter was quick to react. While writing this article, we noticed that Zuckerberg’s @finkd account had been suspended. Upon publishing, we learned that Twitter had already brought it back, with the offending tweet deleted (Zuckerberg hasn’t tweeted anything since January 2012)," VentureBeat reported on the same day the defacements appeared.