Search This Blog

Showing posts with label Phone. Show all posts

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Google Fined $60M+ for Misleading Australians About Collecting Location Data

 

Google was fined $60 million by the Australian Competition and Consumer Commission (ACCC) for deceiving Australian Android users about the collection and utilization of their location data for over two years, between January 2017 and December 2018. 

According to the Australian Competition watchdog, the tech giant continued to follow some of its customers' Android phones even after they deleted "Location History" in the device's settings. While consumers were misled to believe that option would deactivate location tracking, another account setting, "Web & App Activity," which was enabled by default, allowed the firm to "collect, retain, and use personally identifiable location data." 

According to the ACCC, based on available data, more than 1.3 million Australian Google accounts have been impacted. 

"Google, one of the world's largest companies, was able to keep the location data collected through the 'Web & App Activity' setting and that retained data could be used by Google to target ads to some consumers, even if those consumers had the "Location History" setting turned off," stated ACCC Chair Gina Cass-Gottlieb. 

"Personal location data is sensitive and important to some consumers, and some of the users who saw the representations may have made different choices about the collection, storage and use of their location data if the misleading representations had not been made by Google." 

In October 2019, Australia's competition watchdog initiated proceedings against Google. The Australian Federal Court ruled in April 2021 that Google had violated the Australian Consumer Law by deceiving customers regarding the gathering and use of their location data. 

By 20 December 2018, Google has taken corrective action and resolved all faults that had led to this fine, with users no longer being shown deceptive information implying that halting location history will stop collecting information about the areas they go with their devices. 

"Companies need to be transparent about the types of data that they are collecting and how the data is collected and may be used so that consumers can make informed decisions about who they share that data with," Cass-Gottlieb added.