Data breach at Animal Jam, warnings to Minecraft users and Oracle point of sale administrators and login advice from Microsoft
Welcome to Cyber Security Today for Friday November 13th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Stolen data including email addresses of millions of children or parents registered on the online kids game Animal Jam are being given away by a hacker after the parent company WildWorks suffered a data breach. According to the Bleeping Computer news service, hackers accessed company databases with 46 million player usernames, although these aren’t the real names of children. Also in the databases were millions of encrypted passwords to the game. As a precaution, all users now have to choose new passwords. But the databases also included 7 million email addresses of parents who registered their kids for the platform. Those addresses could be used to distribute spam. Just over 100 of the records also included a parent’s name and billing address. The company thinks the data was stolen around October 11th. It believes the hacker got in by penetrating the server of a company WildWorks uses for employee collaboration.
Speaking of games, do you play Minecraft on the Android platform? If you do, be careful of apps in the Google Play store that promise to enhance the game. According to a report from security firm Avast, seven of these apps are “fleeceware” — apps that fleece you of money by hiding inflated charges for skins, wallpapers or game mods. Some victims get charged $30 a month after installing apps with free trial periods.
Microsoft has become the latest tech company to urge people using multi-factor authentication to stop getting security codes through text or voice messages on smartphones. Two-factor or multi-factor authentication adds a one-time six-digit security code on top of a username and password as extra protection for logins. There are several ways of getting a code on a mobile device, including by text message and a recorded voice call. But text messages can be intercepted by crooks. And if a crook takes over your smartphone by convincing your carrier to port your phone number to a phone they have, they can get any code sent by voice. A better option is an encrypted code-generating app like Google Authenticator, Microsoft Authenticator or Authy. These apps are locked to your smartphone, so it doesn’t matter if the phone number is illegally ported to another phone. And they are hard to intercept.
Two weeks ago I told you that office furniture manufacturer Steelcase suffered a cyber-attack suspected of being ransomware. This week the company told the U.S. securities regulator that it had to shut operations for two weeks because of the incident while it cleaned up computer systems. It also said there was no evidence sensitive customer or corporate information was copied.
Companies running Oracle’s Micros Restaurant Series 3700 point of sale software are being warned to install the latest version of the software. That’s because security vendor ESET has discovered a new piece of malware that can give attackers a way of getting inside the companies by exploiting a hole in the application. The malware is able to steal database passwords. If the databases aren’t encrypted, their data will be stolen.
Finally, later this afternoon download the Week In Review edition of Cyber Security Today. I’ll be talking with Dinah Davis of Arctic Wolf about how to avoid being scammed online during the holiday shopping period.
Listen on your way home or on the weekend.
That’s it for now. Links to details about these stories are in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals.
Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.