Are you a Facebook user?  If you are, it may be time to change your password.  KrebsOnSecurity recently reported that it found hundreds of millions of Facebook usernames and passwords stored in plain text and searchable by more than twenty-thousand Facebook employees. At present, there is no official count, but Facebook says the total number of records was between 200,000 and 600,000.

That’s a big number, which makes this a serious incident, but in truth, it represents only a fraction of the company’s massive user base.

Although there’s no indication that any Facebook employee abused their access to the information, the fact remains that it was accessed regularly.  The investigation to this point has revealed that no less than 2,000 engineers and developers made more than nine million internal queries to the file.

Facebook software engineer Scott Renfro, interviewed by KrebsOnSecurity, had this to say about the issue:

“We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data.
In this situation, what we’ve found is these passwords were inadvertently logged but that there was no actual risk that’s come from this.  We want to make sure we’re reserving those steps and only force a password change in cases where there’s definitely been signs of abuse.”

This is just the latest in an ongoing series of security-related issues Facebook has found itself in the midst of.  While the company is wrestling with making changes to prevent such incidents in the future, that’s small comfort to the millions of users who have been adversely impacted over the last year.

According to the official company statement, unless you receive a notification from them, there’s nothing you need to do and no need to change your password. But given the importance of data security, if you’d rather be safe than sorry, it certainly couldn’t hurt.

If you’ve purchased bedding from either MyPillow or Amerisleep, two popular mattress and bedding merchants operating in the US, your data may have been compromised, according to a recent report from RiskIQ.

The hacking group Magecart appears to be behind both breaches, which is bad news for both companies and their customers.

That is because Magecart is one of the most talented and active hacker groups on the scene today, having launched a number of successful attacks against high profile targets that have included Ticketmaster, Feedify, Shopper Approved, Newegg, and British Airways.

MyPillow entered into Magecart’s crosshairs in October 2018, when the group compromised MyPillow’s e-commerce and sales platform and began skimming credit card information submitted by the company’s customers. The group also registered a look-alike domain, mypiltow.com, and used ‘Let’s Encrypt’ to obtain an SSL certificate for it, so the site showed the padlock that visitors expect.  Unsuspecting visitors had no idea they were on a domain controlled by the hacking group.

According to RiskIQ researcher Yonathan Klijnsma, “…this type of domain registration typosquatting means that the attackers had already breached MyPillow and started setting up infrastructure in its name.”

Within a month’s time, the hacking group moved on to the second phase of its attack, registering a new domain, livechatinc.org, which mimicked the live chat service used by MyPillow.  With a poisoned script already running inside the company’s infrastructure, Magecart was able to mimic the genuine tag used by the live support service, so that by all outward appearances customers believed they were chatting with an actual MyPillow employee.
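The two lookalike domains above (a one-letter misspelling and a swapped TLD) are the kind of thing a site owner can catch by auditing which hosts its pages actually load scripts from. The following check is an added example, not code from RiskIQ or the original post; the "known good" list, the sample HTML and the distance threshold are constructed assumptions for illustration.

```python
import re

# Constructed: the third-party hosts this site legitimately loads scripts from.
KNOWN_GOOD = ["mypillow.com", "livechatinc.com"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive 'last two labels' reduction: cdn.example.com -> example.com."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(host: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """('ok', match) if trusted, ('lookalike', match) if it resembles a trusted
    domain by spelling or by swapped TLD, ('unknown', None) otherwise."""
    reg = registrable(host)
    if reg in known_good:
        return ("ok", reg)
    name, _, tld = reg.rpartition(".")
    for good in known_good:
        gname, _, gtld = good.rpartition(".")
        if name == gname and tld != gtld:
            return ("lookalike", good)  # same brand name, different TLD (.org vs .com)
        if levenshtein(name, gname) <= max_distance:
            return ("lookalike", good)  # near-miss spelling (mypiltow vs mypillow)
    return ("unknown", None)

# Extracts the host from every external <script src="https://host/..."> tag.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']https?://([^/"\'\s]+)', re.I)

def audit_html(html: str, known_good=KNOWN_GOOD):
    """Classify every external script host found in a page's HTML."""
    return [(h, classify(h, known_good)) for h in SCRIPT_SRC.findall(html)]

# Constructed sample page: one genuine chat tag and one impostor tag.
SAMPLE_HTML = """
<script async src="https://cdn.livechatinc.com/tracking.js"></script>
<script src='https://livechatinc.org/tracking.js'></script>
"""

if __name__ == "__main__":
    for host, verdict in audit_html(SAMPLE_HTML):
        print(host, verdict)
```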

The attack on AmeriSleep dates back a bit further, to April 2017, but followed a similar pattern.  The skimmer remained in operation from April through October of 2017.  The company rid itself of Magecart’s malicious software, only to come under attack again in December 2017.

In both cases, the skimmer domains have been taken offline, but both companies are still dealing with the malicious code injection issues. RiskIQ notes that given Magecart’s history, even when both companies clear their servers of malicious code, they’re likely to be re-infected in short order.  Watch your credit card statements if you’ve made a purchase from either company.

We knew fairly early in the year that 2018 was on track to beat 2017 and set a new record for the number of data breaches in the year.

After all, 2017 had shattered 2016’s record the year before.  Now that the final numbers are in, though, we can see just how big an increase we’ve seen in the number of data breaches from one year to the next.

The numbers aren’t pretty.  With 12,449 reported data breaches in 2018, we’ve seen a staggering 424 percent increase year over year. 2019 is already shaping up to be another record-breaking year.  All that to say, our problems with hackers and data security are getting worse, and there’s no end in sight.

As with last year, the United States leads the pack in terms of the total number of records exposed by data breaches, even though in terms of the raw number of breaches the US’s total was fairly modest. It’s simply that all of the year’s biggest breaches occurred here.

At least part of what’s driving the phenomenon of the steadily increasing number of breaches is the fact that there are a staggering number of user login credentials for sale and re-sale on the Dark Web.  These are purchased for modest sums and used by hacking groups all over the world to try their hand at breaking into various networks.

Unfortunately, given the sorry state of password security, it’s often months before a hacked account sees its password changed. That gives nefarious elements plenty of time and loads of opportunities to inflict whatever damage they will, and they’re only too happy to comply.

With the grim statistics above firmly in mind, it’s time to make data security at your firm your top priority.  Based on the numbers, it’s not a question