Researchers with mobile security firm Appthority have disturbing news for iOS and Android mobile users: a vulnerability on the developers’ end exposed sensitive data collected via more than 1,000 common enterprise device apps. This exposed information, which included personal identifiable information, plain text passwords, and more, was compromised due to what experts are calling the Firebase vulnerability.

Similar to other previously discovered app vulnerabilities, this one occurred in relation to how the app “speaks” to the Google Firebase cloud database. Specifically, when authentication wasn’t required, any attacker could access information through the unsecured Firebase. Developers needed to initiate an additional step to require that authentication, but for too many apps, that step wasn’t put in place.

As a result, this vulnerability leaked around 100 million records from unsecured Firebase databases.
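The “additional step” the developers skipped is the database’s security rules. The two rule sets below are an added illustration, not configuration taken from Appthority’s report or from any of the affected apps; they assume the Firebase Realtime Database rules format and a hypothetical `users` node keyed by the signed-in user’s ID.

```jsonc
// Weak: every path is readable and writable by anyone who knows the
// database URL, with no authentication at all. This is the state the
// Appthority researchers found.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// Corrected: nothing is readable or writable by default; each user may
// only read and write the record under their own UID, and only when
// signed in (auth is null for unauthenticated requests).
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
```

Rules that grant `.read` at the root with no `auth` check are the setting a developer should look for first when reviewing their own project.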

Appthority’s team isolated 28,502 mobile apps—more than 27,000 on the Android platform and another 1,200-plus on iOS—that connected to a Firebase database. More than 3,000 of them were vulnerable because of this lack of authentication. Put another way, roughly one out of every ten Firebase databases these apps used was left unsecured.

A wide variety of app categories was involved in this finding, especially business-oriented apps such as productivity tools, financial and business apps, and even dating apps. The business users of these affected apps include companies in banking, telecom, ride hailing, travel, and schools across the US, Europe, South America, and Asia.

So what was exposed? Researchers found millions of plain text usernames and passwords, private health records, stored GPS coordinates to past locations, online payment and cryptocurrency activity records, and access to millions of users’ social media platforms.

It’s important for business device users to understand that this kind of vulnerability not only exists, but may become even more widespread given the growing number of Firebase users since the platform launched. It’s worth noting that any vulnerability that exposes sensitive data from an enterprise account can mean the risk of violating regulatory compliance, regardless of how the information was leaked or who was responsible.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

When the public hears about the latest data breach, they might envision a network of hackers working on the dark web. The reality, though, is sometimes a lot more mundane. Accidental data breaches can happen when information is allowed to fall into the wrong hands for any number of reasons, but the consequences can be just as serious.

In the past, accidental data breaches have occurred due to issues like losing an unencrypted laptop or flash drive. Other incidents were the result of unsecured servers whose information was unintentionally posted online. In some cases, though, the breach occurred through intentionally sharing information, only it was with the wrong recipient.

That’s the case for Chicago Public Schools (CPS) in a recent data breach that compromised students’ and families’ personal data. Families in the school system were sent an email providing them with a necessary enrollment form. The link included in the email inadvertently pointed to a spreadsheet containing information on nearly 4,000 students and parents in the district. The link was active for several hours before someone noticed the error and removed the information behind it. In this specific data breach, students’ names, phone numbers, email addresses, and student ID numbers were exposed.

Experts looking into the CPS breach point to a far bigger concern than sending out a link rather than attaching the document that was supposed to go to the parents: why was a spreadsheet of student information stored online where anyone who found the link could access it? The spreadsheet was not password protected, and hours after CPS officials informed parents of the error—they requested that families delete the email rather than taking down the link—the spreadsheet was still readily accessible. Concerned officials see that as a lack of training and awareness of how to secure students’ personal data.

Unfortunately, this incident is the third such accidental data breach in the CPS school district since 2016. In 2016, an employee sent sensitive information to unauthorized parties, giving them access to students’ information. In 2017, unsecured web documents posted on the CPS website exposed medical conditions, students’ names, identification numbers and other information.

When residents are alerted to a crime involving utility companies, a scammer is often the culprit.

One Arizona utility company is facing an entirely different and far more sophisticated crime, though: a possible data breach that may have stolen information from as many as 30,000 customers.

Goodyear city utility customers were alerted to the possible data breach after a customer reported some fraudulent activity on their accounts. That prompted the city to shut down its online bill payment system until the issue could be investigated and addressed.

Should the evidence show that someone has hacked the online payment portal and used customer information to take over their financial accounts, both the utility service and the other customers owe a debt of gratitude to the victim who took action once the suspicious activity appeared. This kind of diligence is often the only way someone finds out they’ve already been a victim of identity theft or account takeover.

When monitoring your accounts, it’s important to look for a variety of things. It’s not just fraudulent charges; it can be anything from declined purchases, to purchases you don’t remember making, to tiny “low-dollar” purchases of a buck or two here and there. Those small purchases may be an indication that someone is “testing” your account information with a transaction that is less likely to be flagged by fraud-detection software and trigger an alert.

Following news of any data breach—or even a suspected data breach, such as in this case—it’s a good idea to change your passwords on any sensitive or affected accounts. Changing your password frequently means that you’re more likely to be protected if a thief buys a database of old account login information. At the same time, it’s important to secure your accounts with strong, unique passwords in order to prevent software “guessing” of your credentials.

In recent weeks, Facebook has come under fire for an event that might change the definition of “data breach.”

Mark Zuckerberg appeared before the Senate yesterday and Congress today to answer questions about how the platform is handling the situation. Unlike other breaches where the company had no prior knowledge, and perhaps no way of stopping someone from breaking in and stealing information, Facebook suffered a different and very complex kind of event. But we’re still not hearing what personally identifiable information (PII) was accessed beyond the permissions granted to those using the app.

Facebook allowed a third-party company to operate social media quizzes under the name “This Is Your Digital Life.” The quiz app paid Facebook for the ability to invite users to take quizzes in exchange for access to their public profile information. When one user granted that access, it may also have automatically granted access to that individual’s Facebook friends. Even people who never agreed to “This Is Your Digital Life’s” terms may have had their information gathered, including details like name, employer, education, birthdate, and relationship status that were available in their publicly viewable profile. The Identity Theft Resource Center still does not have conclusive evidence, even after yesterday’s testimony, of what exactly was taken from each person’s profile. This shared connection is how Facebook arrives at its estimate that somewhere around 87 million user profiles were compromised.

Now, Facebook is taking action to inform users. If your information may have been wrongfully accessed, Facebook has put a banner at the top of your feed, above the status box where you share what’s happening with you. It lets you check whether you were affected and may have had your information used without authorization. It will also direct you to the permissions section of your settings so you can take a closer look at what you’re letting outsiders access. You can also check for yourself by going to Facebook’s Help Center.

Facebook has preemptively disconnected any apps that you may have previously granted permission to access your profile. When you go to log into those connected apps, it will prompt you to reconnect, as well as re-accept permissions (or revoke them). Think carefully as you reconnect and only provide permission to those apps that you trust and to parts of your profile that don’t have important information.

Whether your information was accessed or not, this should serve as another wake-up call to understand what you share on all of your social media profiles. All social media users should look at profile questions with a suspicious eye before including that potential snippet of information.

Customers who used Orbitz, a subsidiary of Expedia.com, to book travel or accommodations between January of 2016 and December of 2017 may have had their personal information accessed by hackers.

While the companies are launching a full investigation of the suspected breach, they have already determined that the unauthorized access was limited to payment card information. That means no Social Security numbers, passport numbers, or other highly sensitive information was gathered by the criminals.

These days, it might almost feel like a relief that the unauthorized access was limited to replaceable information like a credit card, but that false sense of relief can be attributed to a very real phenomenon known as data breach fatigue. Even if the harm only involves payment cards, this is still cause for concern.

Customers must first ascertain whether they used the travel site during the dates specified by the company. From there, it’s a good idea to review your account statements for any cards you may have used on the site, just to be sure you don’t see any unauthorized activity. It’s a good idea to change your Orbitz account password just to be on the safe side, and to make sure you haven’t used that same password on any other sites. Remember, passwords must be “unique” to every account you use for this very reason; if hackers gained access to your account information on one site and you’ve reused it on another account, they potentially have access to that account as well.

Events like this one serve as a wake-up call about account security. Make sure your passwords are strong, unique, and changed from time to time, and be sure to set up “card not present” alerts on your payment cards. That way, you’ll receive a text or email if the card is ever used online or over the phone, letting you take immediate action if the charge was fraudulent. Finally, now is as good a time as any to request a free copy of your credit report from AnnualCreditReport.com. Look it over carefully for any suspicious activity, and take action if you spot something out of the ordinary or that shouldn’t be there.

It’s been almost five years since the retail world was rocked by the Target data breach, an event that affected millions of US consumers’ credit card and debit card accounts.

The card numbers were stolen by cybercriminals through malware installed in the point-of-sale system. Since that time, other major-name companies have experienced similar data breaches. In the most recent event, a hack that stole customer information from Hudson’s Bay Company (the parent company of both Saks 5th Avenue and Lord & Taylor) shows that the same method of attack that affected companies like Target and Home Depot is still being employed.

A security company called Gemini Advisory discovered a trove of stolen credit card information for sale online on March 28th. Analysis of the card numbers showed that they’d been used at stores owned by Hudson’s Bay Co., which led the retailer to look into the matter. While the investigation is still underway, Gemini Advisory believes the 5 million stolen card numbers were most likely accessed via malware infecting the stores’ point-of-sale (POS) systems. That malware may have originated as a phishing email sent to company employees; clicking the link in the email would install the harmful software on their network and, from there, the hackers could have gained access to the credit card machines at the chain’s cash registers.

An official statement from one of Hudson’s Bay Co.’s retailers says no highly sensitive data such as Social Security numbers or birthdates was accessed. As required by data breach laws, though, they are offering all affected customers free credit and web monitoring services and have assured the victims that they will not be responsible for any fraudulent charges on their affected credit or debit cards.

Consumers can take further steps, though, and these additional measures are always a good idea. It’s beneficial to set up purchase alerts or “card not present” alerts on your credit or debit card by contacting the issuing financial institution. This step ensures you receive an emailed or texted alert any time your card is used without being physically present at the cash register, which is one way criminals use stolen card numbers. That means you can immediately see if your card is being used and call the financial institution before you get your statement.

We know you’ve heard to check your statements, but honestly we also know that most card users tend to just file them away. If you think your data may be included in the breach, your statement will tell you if someone else is using your payment account information. Some issuers have limits on fraudulent charges, so it is better to stay on top of it than to get stuck with them.

Finally, remember to change your passwords and PINs on any accounts associated with that card. As always, be sure you’re only using that password on one account to keep criminals from accessing any other accounts you own.

Data breaches continue to set records for numbers of separate events, numbers of compromised consumer records, and amounts of money they cost both businesses and the public. The Identity Theft Resource Center tracks those data breach events to help lawmakers, advocates, law enforcement and individuals be aware and stay prepared.

A new data privacy event is making headlines, but it’s not the same kind of breach we’re used to. In a typical data breach, someone intentionally or unintentionally allows sensitive data to fall into the wrong hands. In the Facebook / Cambridge Analytica case, the data was scooped up by a party that had permission to use only specific aspects of it, but is accused of scraping it beyond those permissions and using it for purposes beyond what they had agreed to.

Facebook has suspended the access to its platform for Cambridge Analytica after learning that the UK-based company was using Facebook users’ data to target them with biased content. Investigations are still underway for activities dating back as far as 2014, and at this point, there is still some question about what data was accessed.

Facebook allows users to enter a lot of information about themselves in their account profiles, but they’re also allowed to skip or make private certain key personally identifiable information. Your email address is used to log in, but you’re not required to list it, or your hometown, your phone number, your place of employment, your religious or political views, or other aspects of who you are. Some users opt to attach a credit card to their profile in order to pay for things like games or to send payments to other users; others use the “log in with Facebook” feature in other apps, but that’s a convenience that comes at a price.

Some experts are likening this situation to “weaponized data” rather than a data breach. Users willingly gave their information to the company in order to take advantage of one-step login, use third-party apps, play games, take quizzes, and use other social media features. What they didn’t agree to, and what Facebook expressly prohibited, was the scraping of their profiles to target Facebook users with highly specific ads, essentially manipulating the posts they would see in their feeds. Moreover, this “information dominance,” as it has been called, gave some organizations a leg up on their competition due to the sheer volume of user profiles that had been gathered.

Additionally, one user does not have the authority to grant permission on behalf of another user. Just because a user is friends with someone who granted permission, that “friend” does not surrender their own right to decide who may access their profile. Users beyond those who originally granted permission to the application involved were unintended victims, with no knowledge of how their data was being used.

It’s important that social media users understand not only their privacy settings and the permissions they grant when they opt into a third-party site or account, but also how their devices are involved. Some apps ask for access to your device’s location, contacts, files and more. A mobile app can easily lead to a site or another app that you didn’t know you were using and, therefore, didn’t know you were granting access to your data. Any connected site that lets you log in by giving access to your Facebook account could potentially access your stored profile information. Know where your digital traffic is going—and where your data can end up—before you click.
